Peddling cybersecurity during and following a pandemic is like telling a paraplegic to get a flu shot. Businesses are struggling to financially recover from the COVID-19 lockdowns and cyber nerds continue to scream about digital threats with comic-book-style villain names. But next to actually getting a flu shot, cybersecurity counsel (in every form) is perhaps the most important part of self-defense for any business. Whether in construction, banking, education, medicine, the culinary arts, or retail, cybersecurity is vital unless you write everything down and store it in a fireproof safe.
A real horror story: Let’s say your business makes widgets. You sell 100 widgets to Customer X every month and because they are a routine, loyal customer, your invoicing schedule is somewhat irregular. Unbeknownst to you, an employee downloaded a malware-laced application on a work computer that allowed cyber criminals to watch your network activity for the past year to see how best to exploit you (because that’s what they do). The cyber criminals realize that Customer X knows that your invoices are irregular and pays them almost immediately. Therefore, criminals spoof your invoices to Customer X, pretending to be you for two months, and redirect payments to a different bank. You finally get around to invoicing Customer X to learn that they made the last two payments and refuse to tender any further sums. Eventually, you realize that you were spoofed, hacked, and now have to alert other customers and legal authorities. In addition to losing actual profits, you also lose goodwill.
While there is no foolproof plan to prevent every cyberattack and guarantee lasting cybersecurity, there are 10 cybersecurity policies that, if implemented, are likely to reduce both insider threats and cyberattacks from third parties:
1. Limit administrative credentials: Do not make every user on the domain an administrator. Reserve administrator credentials, regardless of inconvenience, for senior IT staff or management.
2. Cyber incident response policy: Hire an attorney to work with your IT staff and management to draft an incident response policy with communication chains, warning signs, and evidence holds to mitigate damages and liability.
3. Monitor employee activity on the network: Revise or create employee agreements allowing you to digitally monitor your employees' network activity so you can watch for improper behavior.
4. Access policies: Limit employee access to only the network data strictly necessary for their position.
5. Termination policies: Access credentials must be revoked at the moment an employee is terminated or resigns.
6. Password policies: Passwords must be changed routinely and meet character and length requirements, and applications offering multifactor authentication must be used wherever it is available.
7. Cybersecurity training for employees: Phishing is easier to spot if you know what to look for when receiving an email (such as the absence of a telephone number). Bring in a trainer.
8. Cyber/data loss insurance: Work with your insurance agent to find a policy fitting your industry that includes coverage for data loss, breach notification, equipment loss, and business interruption.
9. Third-party vendors: Do background checks on vendors who provide any type of “smart” service. Ensure that they are contractually obligated to alert your business if they suffer a cyber incident. Target was hacked due to the poor cybersecurity of one of its vendors and paid dearly to the Federal Trade Commission as a result.
10. Back up data: Back up data in a place that is isolated from the primary network, either on a separate cloud drive or through an IT service vendor.
Cybersecurity is no longer a budget-surplus item; it is a “must-have” item. Bring in an attorney to work with your IT staff and guide your business on how to protect itself from cyberattacks and mitigate potential liability.
Sarah W. Anderson is an attorney specializing in cybersecurity law at Alexander Sides, LLC in Baton Rouge. Sarah can be reached at email@example.com and 225.238.1800.