In our previous article, we looked at the phenomenon of cyber-crime and its impact on businesses, an impact that continues to grow in both scope and cost. In this follow-up, we describe nine practical steps businesses of all sizes can take to address the issue, followed by a list of 10 best practices worth considering. If you are interested in exploring how the firm might be able to help you in any of these areas, feel free to reach out to Karen Monroe.
Practical steps for businesses
- Realize that cybersecurity is not just an IT issue
- Consider modifying force majeure (an extraordinary event out of the control of the parties) clauses in contracts to include cyberattacks
- Consider risk sharing for cyber-attacks as appropriate; for example, will some of the responsibility be moved to software designers and cloud providers?
- Check your insurance coverage: In a recent New York case involving an insurance company and its customer, the court ruled in favor of the insurance company concluding that the company's business insurance did not include cyberattacks when the cyberattack was by third-party hackers. There are now insurance policies specifically designed to insure against cyber-risks.
- Consider sharing information with trusted vendors and suppliers, as appropriate. Analyze where the most serious damage could occur and work together on cybersecurity issues. Don't forget about subcontractors and others in the supply chain.
- Implement policies for staff, contractors, and all others in the supply chain; be sure those policies and procedures are followed and that compliance is monitored.
- Remember that a company's own employees are its greatest risk, whether through accident or intent. A disgruntled employee, contractor, or vendor, for example, can be a threat.
- Plan for breach management. A breach will happen to you; decide in advance how you will react when it does. Create a response team that includes management, public relations, legal, and IT.
- Implement company policies on the use of mobile devices and public Wi-Fi access, monitor compliance, and apply penalties for failure to comply.
10 Best Practices
- Do not click on website ads; go directly to the vendor's website instead.
- Confirm that links in emails are legitimate; if there is any question, check with the sender by sending a new email, not just replying.
- Avoid ".exe" (or other executable) file attachments unless you requested them.
- Do not open zip files unless you requested them or were notified in advance that they were being sent; an archive can hide an executable behind an innocent-looking name.
- If a message or request seems strange, it probably is. Check independently with the sender by sending a separate email rather than replying to the one you received; better yet, call them at a number you already have.
- Be aware of social engineering techniques. Unknown third parties now try to initiate business relationships and gain confidence only to execute a fraud or attack.
- Train employees to protect sensitive information by mandating password protection and restricting access to sensitive data to those who need it.
- Confirm and validate that appropriate firewall protections are in place and that antivirus technology is updated regularly.
- Back up everything frequently, and periodically test that the backups can actually be restored.
- Avoid system changes during busy times of the year.
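The link and attachment checks in the best practices above (confirming that links in emails point where they claim to, and treating unexpected .exe or zip attachments with suspicion) can be partly automated at the mail gateway or in a triage script. The following is an added example written for this page, not code from the original article or the firm: it parses an inbound message, flags anchors whose visible text names one host while the href points at a different one, and flags attachments that are executables or zip archives containing executables. The sample message, its addresses and file names are constructed for the example, and the list of risky extensions is an assumed starting blocklist, not a complete one.

```python
"""Triage an inbound e-mail for lookalike links and risky attachments (added example)."""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a minimal blocklist of attachment types that should not arrive unrequested.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

# Visible link text that looks like a URL or bare host name (e.g. "https://vendor.com", "www.vendor.com").
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host name of a URL; bare host names are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Return (visible text, href) pairs where the text names one host but the link goes elsewhere.

    A subdomain of the displayed host (www.vendor.com for vendor.com) is treated as a match;
    vendor.com.attacker.example is not, because the displayed host is not its parent domain.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = _host(text) if _LOOKS_LIKE_URL.match(text) else ""
        actual = _host(href or "")
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append((text, href))
    return findings


def risky_attachments(msg):
    """Return names of attachments that are executables, or zips that contain executables."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(name)
        elif ext == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    inner = [n for n in zf.namelist()
                             if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]
            except zipfile.BadZipFile:
                inner = ["<unreadable archive>"]  # cannot inspect it, so do not trust it
            if inner:
                findings.append(f"{name} -> {', '.join(inner)}")
    return findings


def triage(raw_message):
    """Run both checks over a raw RFC 5322 message (bytes) and return the findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"mismatched_links": mismatched_links(html), "risky_attachments": risky_attachments(msg)}


def build_sample_message():
    """Constructed sample lure (not real data): a lookalike login link plus a zipped .exe."""
    msg = EmailMessage()
    msg["From"] = "accounts@vendor-example.com"
    msg["To"] = "ap@client-example.com"
    msg["Subject"] = "Updated remittance details"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Log in at <a href="http://vendor-example.com.login-portal.example">'
        'https://vendor-example.com</a> and review '
        '<a href="https://vendor-example.com/help">our help page</a>.</p>',
        subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ")  # placeholder bytes, not a real binary
        zf.writestr("readme.txt", b"see invoice")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind, items in triage(build_sample_message()).items():
        print(kind, items)
```

The visible-text check only fires when the anchor text itself looks like a URL or host name; a link labelled "our help page" is left alone, because the point of the check is the specific deception of showing one address and linking to another. The zip inspection reads the archive from memory and never extracts anything to disk.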