Ways to Mitigate Cybersecurity Risk
In this latest installment of our Q&A video series focused on “What You Need to Know About Data Privacy and Cybersecurity,” McAfee & Taft attorneys Sasha Beling and Will Holland discuss ways businesses can mitigate their risk.
Q: Why should organizations make cybersecurity and data privacy issues a priority?
Will Holland: Most companies, if not all companies, now largely rely on computers and computer systems, and their confidential data is stored online or in computer systems. And so that creates vulnerabilities if you are not appropriately making sure that your systems are secure; even the most secure systems can be subject to a cyber attack and potentially have a data breach. And so you really wanna make sure that you’re thinking about those on the front end, because if you have a cyber incident or a data breach, it can be extremely costly, both in potentially shutting down your access to your computer systems, which can prevent you from working, but also if your data is accessed by a third party, there are all kinds of issues that run with that: you’re gonna have to notify your customers. You’re potentially gonna have to pay for any settlements with customers, any changes that you need to make based on regulators requiring them, you’re gonna have potentially reputational damages. So this is one of those things that it’s kind of an unnecessary evil that you need to put the resources in on the front end to make sure your systems are as secure as possible.
Q: Why do some organizations “backburner” cybersecurity and data privacy issues?
Sasha Beling: Well, it depends on the type of organization. There’s some organizations that may not have a lot of data or collect a lot of data and realize that they could be a target, or that think that they don’t have enough data that would make them a valuable target. And that’s not necessarily the case. What we’re seeing in some instances is that bad actors are targeting the smaller business or the smaller vendors because they know that some organizations either don’t have the financial resources or don’t have the support staff or workforce resources to make cybersecurity and data privacy a priority, and that they might be a little bit behind on the measures and procedures in place to protect their systems, and so they become the targets to get to the bigger fish for some of these bad actors. And because of that, and because of these trends, cybersecurity and data privacy is important for organizations of all sizes, whether they are supporting a big vendor or if they’re a nonprofit or a school or other for-profit businesses.
Q: What can an organization do to mitigate risk?
Holland: So, the first thing I would say is you wanna really consider what policies and procedures are appropriate for you. So with that you need to figure out, okay, what laws apply to me? What do they require of us? What are we signing in our contracts that we’ll do? And tailor your policies to make sure that they’re appropriate for the requirements that you have to comply with. The second thing I would say is you need to plan for a cyber attack, plan for having a data breach, because it’s kind of not a matter of if but when; all companies, even smaller companies that may think that they can fly under the radar, are subject to these attacks. And so you need to be ready to deal with them. You need to make sure that the employees who are responsible for dealing with them understand what their responsibilities are, and you need to practice and make sure that they’re trained and appropriately ready to deal with an attack for when it happens. The third thing is you wanna think about what are the risks of dealing with vendors or third parties, because a lot of companies have to deal with third parties, have to deal with vendors, have to deal with service providers. And with that, you’re gonna have to give them access to some of your confidential data potentially. And so you wanna really make sure that if they have access to your data, that they’re keeping it as secure as you would wanna keep it. So just be aware of that, think about what needs to be in those contracts with the third parties, and really do your due diligence before you decide to send confidential data to a third.
Q: What are some ways for the organization to create and maintain policies and procedures to mitigate risks?
Beling: To keep it simple, you can break it down into four steps. The organization can do a discovery step, a building step, an education step, and then also be able to evolve. So when you’re in your discovery step, what’s important there is the organization needs to understand what kind of data it has, and the way that it can discover what data it has is to do something called a data inventory or a data mapping, which is just a snapshot of the type of data that the organization has incoming to the organization, and also how it’s used within the organization and how it leaves the organization. So once you discover what data you have, then the organization can look at, okay, well now what are our legal obligations for that data? So discover what type of either legal obligations or industry regulations or industry standards apply to the organization for the particular type of data. A good practice is to implement data minimization: only collect the data that you need and that you’ll use, and only keep it for as long as you need it and as long as it’s useful. You can’t lose what you don’t have. So when organizations are in their building stage of their ways to mitigate risk and building up a data governance program, what you’re going to look for and try to do there is build internal policies and procedures that are tailored to your organization and the way that your organization uses and stores the data and how it might share the data. Also, you’ll look at your external privacy notices if you need to, if you’re obligated to give them, and make sure that they are accurate for your organization’s data use and collection processes. What organizations should strive to do is to foster a culture of cybersecurity awareness and privacy awareness. The reason why this is important is because humans are the weakest link in an organization.
There’s time and time again that an email will come in with a link and an employee will click on it unintentionally or thinking that they’re trying to be helpful, and that will allow the bad actors to come into your network. There’s other scams out there that will create a sense of urgency, whether it’s from an executive or upper management to an employee, and it’s human nature to wanna be helpful and to help the organization succeed. And so they will act on that sense of urgency. And then unfortunately, that organization now became victim to some type of fraud or criminal activity. And so if an organization fosters a sense of privacy awareness and cybersecurity awareness, that is a big way to mitigate the risk of letting bad actors come into your organization, or having employees be aware of, not only are they protecting the organization but they’re also protecting themselves too, ’cause they’re gonna see this thing in their personal email accounts and not just their company email accounts. Organizations also need to be able to evolve, ’cause laws are constantly changing, consumer and customer expectations regarding privacy and their data and personal information are constantly changing. So as an organization goes through these steps of discovering, building, educating, and evolving, it’s not just a sequential step. All of these can be happening simultaneously, but this is just a framework to give you an idea of what organizations can do at particular moments in time and to focus their efforts. And because technology changes or the laws change or consumer expectations change, businesses need to be able to change so that they can maintain their compliance.
Q: What are ways to plan and prepare for the inevitable cyberattack/data breach?
Holland: Companies at this point should have an incident response plan that would basically dictate: here’s what we do if we have a suspected cyber attack or a suspected breach, a suspected incident; here’s what we do; here are the responsibilities for specific individuals within the company, specific departments, that type of thing. And then, once you have your plan, it is vitally important that you practice your plan. I know a lot of bigger companies have set schedules where every year they will practice the plan, quarterly or monthly even. So think about how often it is appropriate for you to practice, but the key is you do practice, because you don’t want the first time that you’re dealing with your plan to be when you actually have a data breach. And the other thing with practicing is it will show you where the gaps in your plan are. It will kind of help you make the plan as good as it can be. So anyways, having a plan and practicing it, and you should engage third parties ahead of time. So, if you have a forensics third-party vendor already lined up, that makes it so much easier if you think you’ve had a breach to just call and speak to somebody who is aware of your business, who you’ve talked to before, and with whom you already have all of these kinds of logistical considerations figured out ahead of time. Another thing that a lot of companies will do is contact law enforcement or contact the FBI or those types of entities ahead of time. That way, again, if you have a situation where you think, okay, this is potentially a crime that we need to get the FBI involved in or get one of these agencies involved in, you have a contact already set up so you have a specific person to call and they know your company and all of that. So yes, it’s definitely important. You wanna do all this ahead of time because you don’t want the first call you make to be when you’re in crisis mode.
Q: How can you best manage risk through contracts with vendors?
Holland: There are two things that I would say are pretty key. Number one, do your due diligence. I know a lot of companies have kind of a questionnaire or something like that set up before they engage with a third party. They send that questionnaire to the third party and really do that fact finding on the front end to make sure that before you send them your confidential information they’re gonna keep it as secure as you would wanna keep it, because yeah, if they have a breach and it’s your information, that’s still potentially coming back on you. And so you want to make sure that they’re doing the appropriate things and having the appropriate safeguards in place. The second thing is, think about your contracts with them. Think about having standard provisions or certain provisions in the contract saying, here are the ways in which the third party is going to safeguard our data. Those contractual provisions would also say when you’re allowed to audit, if you’re allowed to audit them, how the audit would take place, if they have a data breach, when and how and how quickly they would notify you; stuff like that is stuff you wanna think about. And you probably wanna have some standard provisions that you’re comfortable with that you can include in those contracts.
Captioning/transcript provided by Rev.