Posted In: Cybersecurity & Data Privacy
By Craig S. Horbus & Nicole M. Thorn on October 1, 2021
October 1, 2021 Update: The original content of this blog was published in Brouse McDowell’s Corporate TIPS blog “Corporate TIPS Blog: Our Top Five Cybersecurity Tips for 2020” on December 18, 2019.
Disruptive Innovation—two words that should remain top-of-mind as you plan your company’s cybersecurity for the next year. In the business technology world, namely in data privacy and security, we have been all over the map between the United States and the European Union. In the U.S., we’ve had to contend with the nuances of the California Consumer Protection Act (CCPA) along with a plethora of new state-based regulations being enacted. Abroad, the focus has been on the reach of the EU’s General Data Protection Regulation (GDPR). It is safe to say that between Facebook, Google, and other social media platforms’ data privacy concerns and credit card theft, nearly everyone has data privacy and security on their radar. Thanks to innovation, many new products and solutions create a DIY environment with simple user interfaces. However, smarter, more sophisticated cybercriminal organizations are beating us at this game, and so we have to get more creative and more disruptive to responsibly manage our business data.
Here are some helpful tips to consider in your organization’s cybersecurity plans:
- Don’t Bury Your Head in the Sand. Many companies believe that CCPA, GDPR and other global data privacy regulations do not apply to them because they do not do business in California, a particular region, or overseas. However, before your business makes that claim, be sure to check with your IT and legal counsel to ensure that is true. Website traffic, even if unintended for certain data subjects located in other areas such as California or EU citizens, can subject you to these laws.
- Data Mapping. Work with your IT personnel to perform a general assessment of your data. It may seem tedious, but without knowing where your data is today, you cannot ensure you are as protected as you need to be. Answer questions such as: which applications store data, where are the servers located, who controls the data, and where does your data come from and go to?
- Cybersecurity Vulnerability Testing Measures for Your Organization. There are multiple cybersecurity incidents that can occur within a business or organization at any given time. Many of these incidents can happen without anyone knowing even if there is an IT team in place. However, it is possible to prepare for and avoid many cybersecurity incidents through proactive security testing. Adequate cybersecurity in a company usually requires certain tests with outside employees or consultants that will analyze the company’s website or network to uncover vulnerabilities using various methods. These vulnerability tests are important to fully protect client data and company information that is to remain confidential and safe from cybercriminals. We’ve outlined a few helpful tips regarding cyber-risk evaluations and cybersecurity best practices below.
- Vulnerability Scans. Vulnerability scanners can be used to assess a company’s systems to check for weaknesses. These weak points are exploited by cybercriminals to gain access and steal or copy company data. Vulnerability scanners also compare services and applications that run within the computer system against a database of already known weaknesses.
- Penetration Testing. Penetration testing involves experts who are hired by an organization to intentionally attack the organization’s network to review and assess its cybersecurity. This process is conducted in a controlled manner and allows a company to determine what types of malicious attacks may occur because of the apparent weaknesses.
- Program Update Checks. Running outdated software can allow cybercriminals to penetrate an organization’s systems more easily. Therefore, businesses should keep all software updated to the latest release to ensure it receives the latest security patches.
- Consult with Experienced Professionals. An organization should align itself with experienced legal counsel to assist with possible cybersecurity liability issues and to facilitate the organization’s relationships with experts who conduct security tests on its network.
- Assemble Your Team. Identify and gather a team of key people including IT professionals, legal counsel, public relations, accounting, and other top-level management. Schedule regular meetings and make sure each team member understands their role in your company’s cybersecurity plan.
- Educate Your Employees. Oftentimes security breaches occur by well-meaning employees trying to do their jobs. Teach your employees how to spot a phishing email and how to respond. Test them periodically to ensure appropriate responses and use those opportunities to educate.
- Create an Incident Response Plan. Everyone needs a plan. At a minimum, keep a readily available list of your key support team members that includes legal, IT, financial institutions, top-level executives, and others, and preferably keep it somewhere other than your servers, which may be locked down during an incident. Once an incident is in progress, the last thing executives need to spend time figuring out is the plan. Have your playbook already prepared by competent legal counsel.
- Cyber Risk Insurance. This goes without saying. Have adequate cyber risk insurance in place – have your applications and existing policies reviewed annually by legal counsel and ensure you are aware of coverage limitations. Too many times we are faced with denial of coverage issues due to misinformation on policies in place.
As a result of cybersecurity threats becoming more prevalent, we have seen a growing trend of enhanced consumer privacy regulations to follow. The momentum for comprehensive privacy legislation is at an all-time high, and we can expect even more privacy and cybersecurity regulations to be enacted each year. This means that it is now extremely important to responsibly manage your business data and become compliant with privacy regulations by adopting adequate cybersecurity plans.
How Brouse Can Help
To keep proper cybersecurity protocols in place, organizations routinely contract with third parties to conduct vulnerability scans, penetration tests and other cybersecurity processes. These contractual engagements should never be established without legal counsel that can review or draft the associated agreements, consider any legal implications, and provide advice to protect the organization’s legal interests. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to establish and maintain relationships with cybersecurity experts and ultimately improve your organization’s network security. We also provide proactive solutions for companies to defend against cyberattacks and become compliant with today’s regulations. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this blog. © 2021 Brouse McDowell. All rights reserved.