By Jack Zoesch and Matthew Massey
Cybersecurity is vitally important to organizations large and small. Cyberattacks and data leaks can grab headlines, destroy client confidence, and expose a company to civil and criminal liability. Below are five things every business should know about cybersecurity protection.
- Assume you are a target.
Companies increasingly rely on digital technology for the storage and transmittal of private information about clients, business partners, and other constituencies. As this reliance has increased, so too has the frequency of cybersecurity incidents.
Most are familiar with attacks on large institutions such as Target or Allscripts. What many do not realize, however, is that small businesses are just as vulnerable as larger companies, if not more vulnerable. According to the 2019 Verizon Data Breach Investigations Report, 43% of all attacks targeted small businesses.
- Know your responsibilities.
The second step is to know industry-specific legal requirements for data security measures.
At the domestic level, companies must stay on top of both state and federal requirements. These requirements can be varied and complex. For example, government contractors who do business with the Department of Defense (DoD) should become familiar with requirements such as FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and their applicability to various contractual settings.
Numerous state laws also impose cybersecurity requirements. In June 2018, California passed AB-375, the California Consumer Privacy Act (CCPA), which requires the implementation of child protection safety standards, opt-in/opt-out provisions, and methods for submitting data access requests. Similarly, states including Vermont (H.764), Ohio (2018 SB 220), and Colorado (HB 1128) all recently passed legislation that bolsters their data privacy and security regulations.
At the international level, companies may face an entirely separate set of data security standards. The European Union’s General Data Protection Regulation (GDPR) sets privacy laws for companies that retain or process data of European Union citizens. Fines for violating the GDPR can be as high as the greater of €20 million or 4% of the company’s annual global revenues.
- Recognize the financial costs of a breach.
The third step is to recognize how a data breach can affect your bottom line. A 2018 report by the Ponemon Institute found that the average total cost of a data breach is $3.86 million. This represents a one-year cost increase of 6.4% from the prior year.
That same study looked at the influence of security automation and the use of internet of things (IoT) devices. The study found:
- The average cost of a breach for organizations that fully deploy security automation is $2.88 million.
- Without automation, the estimated cost of a breach is $4.43 million.
- A mega breach of 1 million records yields an average total cost of $40 million.
- A mega breach of 50 million records yields an average total cost of $350 million.
By recognizing the steep financial costs of a breach as dictated by their type of industry and structure, organizations can determine how to best allocate resources towards risk mitigation.
- Educate your employees and institute safety programs.
The fourth step is to neutralize security threats from both internal and external parties. Some basic solutions include:
- Message filters to scan incoming communications for malware.
- Data and email encryption that requires a decryption key.
- Firewalls to help thwart unwanted intrusions and prevent employees from accessing malicious sites.
- Regular scans of computers and servers to ensure that malware is not actively running on any machine.
- Periodic backups so that data restoration is possible should a breach occur.
- Build and maintain an incident response team.
The final step is to have an incident response team (IRT) in place. The IRT will typically consist of legal counsel, public relations personnel, risk management and insurance professionals, and information technology experts.
Identifying your IRT is vital because of the importance of expediency in containing the fallout from a breach. The Ponemon Institute found that companies that contained a breach in less than 30 days saved over $1 million vs. those that took more than 30 days to resolve.
The IRT should be briefed on industry-specific requirements that apply following a breach. For example, DFARS 252.204-7012(c) requires a DoD contractor to report a cyber incident in a timely manner when it discovers one that affects a covered contractor information system or the covered defense information residing therein. Similarly, a medical provider covered by the Health Insurance Portability and Accountability Act (HIPAA) must notify the U.S. Department of Health & Human Services if it discovers a breach of unsecured protected health information under 25 C.F.R. § 164.408.
Although these are just a few examples of the many considerations and potential pitfalls of the modern business world, by maintaining awareness of these issues, you can help your business mitigate the risk of cyber-attacks and the costly fallout they often cause.
Jack R. Zoesch is Manager of the firm’s Government Contracts Practice Group. His practice also includes complex business litigation and intellectual property protection and enforcement.
Matthew P. Massey is an Associate who practices in the areas of white collar criminal defense, government investigations, and commercial litigation. He is a former Assistant United States Attorney who prosecuted criminal cases in Washington, D.C. on behalf of the Department of Justice.