In such an environment, how should organizations prepare for the unexpected? While the challenge is significant, it is not insurmountable. Although the impact of a cyberattack on an organization can be significant (e.g., litigation, reputational harm, cost of remediation, etc.), organizations where management is engaged and has a clear plan for how to respond are much better positioned to deal effectively with the fallout of a cyberattack.
Preparing Your Organization
There are several steps management can take to prepare their organization to withstand a cyberattack. Although these measures will not entirely eliminate the possibility of a cyberattack, they will certainly mitigate the negative consequences of such an attack and also serve to demonstrate that management acted diligently.
- Know Where You Stand. In order to prepare adequately for potential cyber threats, map out your organization’s networks and IT systems, including a clear understanding of what the key business functions are, as well as where the organization’s critical data resides and how it is protected. Consider encrypting or tokenizing all critical data and limit your employees’ network privileges to only those required for them to carry out their duties.
- Build a Cyber Monitoring Team. Communication and coordination between different departments is critical to effectively counter cyber threats. Consider building a team consisting of knowledgeable managers and professionals (internal and external) who will meet regularly to assess threat levels, discuss how to address gaps and make recommendations to management on how to protect the organization’s digital assets. The team should not be limited to or be the sole responsibility of your IT department — rather, the team should also include legal and management executives. Care should be taken in putting together the team by ensuring that the right people are around the table and that the team’s mandate and deliverables are clear.
- Audit and Test Security Measures. Each security measure implemented by the organization should be audited and tested on a regular basis. Results of these audits should be regularly reported to management to ensure that the leadership team is aware of any potential cyber threats, understands the organization’s cyber risk profile, can assess the effectiveness of current defences and is able to take necessary remedial steps. If necessary and appropriate, consider engaging external counsel with cybersecurity expertise and/or third-party security experts to conduct audits or suggest remedial measures.
- Educate and Train Staff, Then Repeat. Training staff is one of the most critical elements of cybersecurity. Staff need to understand the importance of protecting the information held by the organization. To do so, they will need a basic grounding in potential cyber risks and in how to make good judgments online when faced with cyber threats such as spear phishing.
Staff need to know and understand the policies and best practices you expect them to follow in the workplace (e.g., how to avoid cyber threats such as spear phishing or how to secure data when traveling to offsite conferences or meetings). These policies should be drafted in simple and practical terms.
Since cyber threats are constantly evolving, ensure regular staff training, including holding refresher workshops.
- Be Aware of Supply Chain Risks. Address potential vendor and supply chain risk by restricting access to your network to only what is necessary. Organizations should consider requiring vendors to provide notice of suspected breaches, require third-party security audits and obtain adequate indemnification. Organizations will also want vendors to ensure that they (and their employees) follow proper cyber hygiene.
- Cyber Risk Insurance. Insurance is a key part of risk management and can offer organizations significant protection in the case of unplanned events. Organizations should review their existing insurance coverage in the case of a cyberattack. If it is deficient, consider investing in cyber-risk insurance that would cover network breaches, data loss and potential litigation costs. That said, cyber-risk insurance is not a complete solution, as it will only cover a fraction of the cost related to a cyberattack. Also, premiums will often depend on whether the organization has implemented effective cyber risk mitigation measures.
- Have a Plan. Organizations must prepare for the eventuality that they will at some point be the victim of a successful cyberattack, with their network and data being compromised. The key to handling an attack effectively is preparation. Organizations should map out key legal and other issues that will need to be addressed in the case of a cyberattack (e.g., notification to regulators or security agencies, use of solicitor-client privilege, escalation of communications to senior management, business continuity plan, public relations strategy, etc.).
Many of these steps will need to be customized according to the organization’s business and day-to-day operations. It is critical for organizations implementing cybersecurity measures (both from a governance/compliance and a technical standpoint) to engage external third-party experts (e.g., external legal counsel, consultants, and other advisors with specific cybersecurity expertise) to assist them in designing and implementing the measures discussed above. The fact is that organizations that spend time and effort prior to a cyberattack will be extremely well positioned to mitigate the fallout of a cyberattack.
This is the first article in a series dealing with what organizations can do in the face of growing cyber threats. The second part will cover how businesses should respond in the case of a significant cyberattack.
Imran Ahmad is a Partner at the law firm Miller Thomson LLP in Toronto and specializes in the area of cybersecurity law. He can be reached at firstname.lastname@example.org.