In recent years, cyberattacks have been steadily increasing in sophistication, frequency and magnitude, with the media reporting what appears to be a major cyberattack on an almost weekly basis. Hackers are targeting organizations in all industries, including not-for-profits and charities, using techniques ranging from Advanced Persistent Threats (“APT”) to sophisticated spear phishing campaigns.
In such an environment, how should organizations prepare for the unexpected? While the challenge is significant, it is not insurmountable. The impact of a cyberattack on an organization can be significant (e.g., litigation, reputational harm, cost of remediation, etc.). In many instances, an organization can lose the trust of its internal and external stakeholders if it comes to light that it had not put sufficient time, resources and energy into preparing for a cyberattack. On the other hand, organizations that invest in planning for the likely eventuality of a cyberattack are much better positioned to deal effectively with and limit any negative consequence.
There are several steps management can take to prepare an organization to withstand a cyberattack. Although these measures will not entirely eliminate the possibility of a cyberattack, they will certainly mitigate the negative consequences of an attack and also demonstrate that management had acted diligently.
Know Where You Stand.
In order to prepare adequately for potential cyber threats, map out your organization’s networks and IT systems, including: (i) a clear understanding of what the key operational functions are; (ii) where the organization’s critical data resides; and (iii) how this data is protected. Consider encrypting or tokenizing all critical data, and limit your employees’ network privileges to only the data required for them to carry out their duties.
Build a Cyber Monitoring Team.
Communication and coordination between different departments are critical to effectively countering cyber threats. Consider building a team of knowledgeable managers and professionals (internal and external) who will meet regularly to assess threat levels, discuss how to address gaps and make recommendations to management on how to protect the organization’s digital assets. The team should not be limited to, or be the sole responsibility of, your IT department (or IT consultant, in the case of smaller organizations); rather, the team should also include legal and management executives. Care should be taken in assembling the team to ensure that the right people are around the table and that the team’s mandate and deliverables are clear.
Audit and Test Security Measures.
Each security measure implemented by the organization should be audited and tested on a regular basis. The results of these audits should be reported regularly to management so that the leadership team is aware of potential cyber threats, understands the organization’s cyber-risk profile, can assess the effectiveness of current defences and is able to take any necessary remedial steps. If necessary and appropriate, consider engaging external counsel with cybersecurity expertise and/or third-party security experts to conduct audits or suggest remedial measures.
Educate and Train Staff, Then Repeat.
Training staff is a critical element of cybersecurity (if not one of the most critical). Staff need to understand the importance of protecting the information held by the organization. To do so, they will need a basic grounding in potential cyber risks and in how to make good judgments online when faced with cyber threats, such as spear phishing.
Staff need to know and understand the policies and best practices you expect them to follow in the workplace (e.g., how to avoid cyber threats, such as spear phishing, or how to secure data when traveling to offsite conferences or meetings). These policies should be drafted in simple and practical terms.
Since cyber threats are constantly evolving, ensure regular staff training, including refresher workshops.
Be Aware of Supply Chain Risks.
Address potential vendor and supply chain risk by restricting vendors’ access to your network to only what is necessary. Organizations should consider requiring vendors to provide notice of suspected breaches, third-party security audits and adequate indemnification. Organizations will also want vendors to ensure that they (and their employees) follow proper cyber hygiene.
Insurance is a key part of risk management and can offer organizations significant protection in the case of unplanned events. Organizations should review whether their existing insurance coverage would respond in the case of a cyberattack. If it is deficient, consider investing in cyber-risk insurance that would cover network breaches, data loss and potential litigation costs. That said, cyber-risk insurance is not a complete solution, as it will only cover a fraction of the costs related to a cyberattack. Also, premiums will often depend on whether the organization has implemented effective cyber-risk mitigation measures.
Have a Plan.
Organizations must prepare for the eventuality that they will, at some point, be the victim of a successful cyberattack in which their network and data are compromised. The key to handling an attack effectively is preparation. Organizations should map out the key legal and other issues that will need to be addressed in the case of a cyberattack (e.g., notification of regulators or security agencies, solicitor-client privilege, escalation of communications to senior management, business continuity plan, public relations strategy, etc.).
Many of these steps will need to be customized to the organization’s activities and day-to-day operations. It is critical for organizations implementing cybersecurity measures (from both a governance/compliance and a technical standpoint) to engage external third-party experts (e.g., external legal counsel, consultants and other advisors with specific cybersecurity expertise) to assist them in designing and implementing the measures discussed above. The fact is, organizations that spend time and effort before a cyberattack will be extremely well positioned to mitigate its fallout.