Business today is conducted more and more digitally. While the mythical paperless workplace is no more a reality than the Jetsons’ flying cars, vast amounts of information are stored, processed and transmitted through information technology systems, and that information is stored, transmitted and used in an ever increasing number of places – virtual as well as physical – around the electronically linked world. And as our tablets, smartphones and remote access systems allow us to work from anywhere, sensitive business and personal data are carried in our briefcases and our pockets, locations that lack the conventional security we take for granted in our offices.
This mobile electronic information is inherently vulnerable to loss, theft and unauthorized use. The loss of physical assets has predictable financial consequences. The loss of electronic information, on the other hand, exposes the most confidential and sensitive information your business collects and uses, adding to the financial consequences the potential for legal liability, serious harm to the individuals whose private information is compromised and the loss of confidentiality of your most valuable trade secrets. Stated simply, sound cybersecurity is not an option – it is critical to your business success.
The good news is that lessons learned the hard way by businesses around the world provide a practical education from which we all can benefit. Here are five lessons we can profitably apply to our own operations:
- Cybersecurity is not just an IT problem. While cybersecurity focuses on systems and functions managed by our IT departments, maintaining the security and integrity of digital information cannot be accomplished by your IT professionals alone. Every business unit and operating department processes and stores sensitive information on a daily basis. Your IT systems are capable of systematic security measures, and almost all businesses have implemented firewalls, access controls, penetration testing, encryption and other IT-managed protections. But while these measures are necessary, they are hardly sufficient. Information stored on the most secure system can be compromised by sloppy data hygiene, ranging from misplaced laptops or smartphones, to indiscriminate emails, to sharing sensitive information with outside vendors and service providers. Even the most secure IT systems can be compromised by anyone who can access them, including, and especially, those who are authorized to do so. Sensitizing all your employees to the risks created by insecure data practices, and regularly training them on company policies and best practices, is critical to effective cybersecurity.
- You can outsource a function; you can’t outsource the liability. No company can perform every necessary business function itself. In fact, the successful business determines which functions and processes are within its core competency and which are better performed by service and system providers. Business process outsourcing, cloud computing and shared back office operations are just some of the ways today’s business enterprises gain efficiency by engaging third parties to perform critical functions. With this efficiency comes cybersecurity risk. The best information security measures carried out inside your own systems will prove insufficient if they are not matched with at least the same level of security applied by those with whom you share your information. Robust security protection must therefore be built into every stage of the service procurement process, beginning at the very earliest stage, whether that is the RFQ, the RFP or procurement due diligence. Your services contracts should contain adequate and objective data security standards, clear requirements for your vendor to notify you if data it manages is lost or compromised, and suitable remedies (including appropriate indemnification) for security breaches. In many jurisdictions, specific laws impose these practices as a legal obligation. For example, if you have operations in or regularly process information from Massachusetts, the legally required data security plan must include ample protection for personal information entrusted to third party vendors.
- Borders still matter. It may seem counterintuitive that traditional physical borders matter in the digital world, but they do. In fact, they matter all the more, because where information can be accessed, used and communicated determines which laws apply to it. National and regional laws (like those of the European Union) impose sometimes unique cybersecurity requirements. These can apply when the information is stored or processed within that jurisdiction, or when you are processing and accessing information of residents of those nations and regions, even if you have no facilities or operations in those countries. Be sure you know whose information you are processing and where you are doing it, so you can accurately inventory whose cybersecurity laws apply.
- The more you store, the greater the risk. While the cost of electronic storage continues to decrease, storing everything just because it might be useful later is not a best practice. Every piece of digital information multiplies every time it is used, incorporated in a file or document, emailed or shared. And digital information persists until it is truly deleted (and not just moved to a trash folder). Each instance of electronic information is another opportunity for loss or theft, and becomes another piece of information available for discovery in litigation. Thoughtful data retention practices (and not just a document retention policy left on the shelf) are a real business imperative.
- Plan for data breaches before they occur. Despite your best efforts, the loss, theft or improper use of electronic information is, if not inevitable, almost impossible to completely prevent. Understanding this reality provides the best reason to carefully plan your response to a data breach before it happens. Because there are likely to be clear legal obligations to investigate data breaches and, where appropriate, requirements to publicly disclose them, you should have a clearly articulated and well communicated data breach response plan that tells your employees what to do if they suspect a possible breach, who will (and who will not) investigate the breach, and what steps will be taken to contain it. The serious liabilities that can result from a data breach are best managed and mitigated by planning ahead. One more thing: as cyber risk insurance becomes more available and more affordable, it should be considered when planning or updating your corporate risk management portfolio.