By Jennifer A. Beckage, originally published in Rochester Business Journal on February 16, 2018.
Avoid Cybersecurity Fatigue and Frustration:
Practical Advice For Businesses In A Complicated Cybersecurity World
So many news articles, alerts, stories, and headlines about cybersecurity tell businesses that the sky is falling and leave business people so scared about cybersecurity that they are not clear where to start or what to focus on to prevent (or respond to) cybersecurity attacks and to meet their separate legal obligations to protect confidential information. With so much information (and misinformation) in the news and in social media, it’s not surprising that business leaders have a hard time sifting through the noise to pay attention to what matters most to their business.
Leveraging my background as a former technology business owner, and extensive experience providing incident response to organizations that have been subject to ransomware, malware attacks, employee errors, disloyal employees, and other data security incidents, I guide clients through these tricky waters. Here are some suggestions to avoid cybersecurity fatigue and frustration:
- Find. Protect. Back up. Does your organization have human resource files, full credit card numbers, health records or other protected data? Find out where protected information is stored, and determine what legal obligations apply to protect it. Do you have a workable backup of data that is segregated from your network so that the data can be retrieved in a disaster or crisis scenario? Incidents and accidents occur; have a plan in place.
- Don’t let the perfect be the enemy of the good. This is a phrase popularized by Voltaire but used often by the members of our Data Security & Privacy Practice Team. Too many organizations don’t finish the policy, the training manual, or the conversation about cybersecurity because they will not do so until it is perfect. The result is that the policy is never finished, executed and implemented, no training occurs, and the topic of cybersecurity does not make it to the board’s agenda. But there is no perfect or absolute in cybersecurity. It’s a constantly changing landscape. Advice: Finish that policy, that training manual, that conversation about data privacy and cybersecurity. These may not be perfect beginnings, but you can always change course and amend later.
- Take the first step. Whether calling a trusted advisor, or meeting with your team, you will be one step closer to a robust cybersecurity program. Not sure what the right first step is? Start with users. What are they most concerned about? What are they seeing? What impacts their day? What practices and policies are already in place? Use this information to perform a gap analysis, to identify what you have and what you need.
- Rome was not built in a day. Cybersecurity is an ongoing effort, and a team effort. Do not become overwhelmed by what you see as the enormity of the needed cybersecurity efforts. This will result in the business becoming paralyzed and not moving forward. After that first step, just continue taking one step at a time. Remember that the cybersecurity landscape is constantly changing, as are your obligations and potential responses.
- Experience Matters. Listen to those who have experience, and lots of it. Many people are interested in working in the space (“data breach” sounds sexy) but do not have the requisite experience. Experienced professionals also allow for lower costs where they are familiar with cybersecurity requirements and responses. Data security and privacy matters are a very specialized area of the law and technology. Ask your attorneys and technologists how many data incidents they have actually worked on, their specific role, the results, the size, the scope, the types of data involved, how they interfaced with authorities, how they interfaced with the business to help it stand back up again. There are many people doing cybersecurity marketing, promising to solve a business’ every cybersecurity need. Be wary of snake oil salesmen, and ask questions, lots of questions, and if you do not know the questions to ask, use an experienced cybersecurity attorney who can assist you.
- Industry Focus. Focus on information from those in your industry, which will be guided by the laws and best practices that relate to and impact your industry. For example, if you are in the banking and finance space, look to those who often work in that space, and to industry-specific periodicals and presentations. The cybersecurity landscape is changing quickly, so look to reputable sources for updates and news.
- It’s ok if you don’t understand it, as long as you partner with those who do. Be wary of those who claim they can solve “all” of your cybersecurity needs, or who suddenly are providing alleged cybersecurity services. Budgets and time are limited, so work with people who can explain what you need and the best ways to satisfy those needs. As a former business owner, I understand the importance of admitting what you don’t know, finding those who do, and getting to the answer as quickly as possible in an effective manner.
- Insurance does not solve the problem. A business cannot simply buy insurance and believe that doing so solves the problem, completely shifts the risk, and leaves nothing else to be done. Insurance may complement and may provide some opportunities, but definitely not in all situations. Also, there are many instances where insurance does not cover incidents, so have a backup plan.
- Nothing will truly prepare you. We have responded to numerous data security incidents, ransomware, cyberattacks, data breaches, data theft, loss of data, phishing emails, spoofing emails, fraudulent electronic fund transfers, theft of data, and they all have had the same thing in common – when “it” happens – people want to do the right thing, they want to fix the problem, they want to get back to normal as fast as possible – and it all is possible. It is not always devastation, it is not always front-page news, it may not always be the worst-case scenario. The right team can help with the right response.
Jennifer A. Beckage is a Phillips Lytle partner and leader of the firm’s Data Security and Privacy Team.