Cybersecurity and Data Protection: What Businesses Need to Know
As companies continue to navigate the new challenges of cybersecurity, approaching their security strategies with a sense of urgency will separate those who are equipped to reduce overall risk and those who will remain vulnerable to the increasing attacks we face today.
This is especially true as organizations continue with full-time or hybrid-model of remote work, where threat actors are becoming more sophisticated with their ability to infiltrate networks and compromise data.
In this Attorney Q&A video, McAfee & Taft attorney and cybersecurity expert Joshua Snavely discusses what companies should be focusing on, including cyber strategy, governance, risk and compliance, crisis management and incident response.
Q: What issues should companies focus on?
Joshua Snavely: So as I look to begin advising clients in McAfee, I would put the work into three different categories. So first and foremost is about strategy, right? Helping businesses understand how to deploy security, privacy, and technology strategy. So much of our world right now is sort of torn back and forth between incidents and ransomware, and these international events, right? And it’s really important for companies to be able to focus on what’s our strategy, how do we incorporate security, privacy, technology, strategy across the organization for too long?
We’ve had a divide between the C-suite, technology, operations. Security and privacy are about business issues. They’re not technology issues. They have a technology component, but understanding how to protect your business is really about building a strategy to understand what could impact it, what could create downtime, what could cause people to go offline. We’re all more familiar with that, as a result of the pandemic and the impacts that outside events can have. And cyber is no different, it has to be a part of every business, and their strategy to ensure that operations and revenue continue. So that’s one frame.
The second lane, I would say for companies to be focused on, would be in governance, risk and compliance. So every business, depending on the industry, in which they sit has compliance obligations. Some might, if you’re in healthcare, it might be HIPAA. If you’re in financial services, that might be the GBLA. Every business has to understand not only how they comply with those laws, but how they structure their company in a way that they can create governance mechanisms and risk assessment. In addition, now we have sort of multi layers of regulation and compliance, so that could be an Oklahoma Breach Statute, right? So it’s not only industry that you might be in it, also maybe where you’re doing business. So you may need to know the laws of Texas and what happens if you have an incident. So really understanding how to comply with those laws and to build your company structure and decision-making is an important component.
And the third area, I would say, which we see in the papers and on the news almost every day is really that crisis management and incident response. So a company or an organization has an issue, right? Where they prepared for it, how did they respond? What are their obligations to tell regulators or their customers, their clients, various alphabet soup government agencies that might get involved. So not only does the role of the lawyer in this space require to prepare clients for those types of incidents and to communicate through them, but also to be responsive once they happen. And I think it’s really important for all businesses to begin to think about this area from a perspective of resilience. Unfortunately, we have to be right 100% of the time. And the actors in this space who want to do us harm or access our information can hurt us by only being right, or be able to access that one time. And so it’s really important for companies, organizations to think about this in a layered approach, and how they’re going to be resilient. So something might happen, but you’re gonna be able to get back up, and running that day or the next day, be able to protect the information of your clients, and be able to move through those types of incidents.
Q: What is cyber diversity?
Snavely: Cyber diversity is important that the people on your team who are helping shape policy, helping shape trainings, have to come from a broad set of backgrounds from all different industry groups, disciplines. This is a cyber security privacy, or an interdisciplinary effort. They have to involve multiple business lines across an organization. And so what’s really important is that the people shaping policy, shaping our response, shaping how an organization thinks about these issues have to come from all backgrounds, genders, races, because that’s what’s gonna inform us to better prepare for an incident, and to know how to respond when one happens.
Q: Why is cyber diversity important?
Snavely: Every organization comes in different shapes, and sizes, and staffing levels. Some businesses may have one IT person or none. In some cases they’re outsourcing that. And so both in how those teams are constructed, and in how the relationship between your internal and external teams are built, they’re not only needs to be diversity in those teams, right? And I’m talking to every level, and the goal here is really to drive diverse thought. How do we think about these problems in a way that’s going to help us mitigate every type of incident? Really requires us to have imaginations, right? About how these things could happen in our organizations. And so much of the role of the C-suite is understanding how to both build that kind of team internally, or how do you outsource that in some cases to the right level of teams that can help supplement your security posture, provide the right kind of guidance, but also be able to bring to the table, the kind of group that’s gonna help you solve those problems..
Captioning/transcript provided by Rev.