
How to prepare your company for cybersecurity threats:

When the FBI announced the arrest of a Russian hacker in October, it was notable,
but maybe not for the reason you'd expect. Yevgeniy N., who was picked up in
Prague, is implicated in the 2012 megabreach at LinkedIn. That cyberattack
exposed the usernames and passwords of 117 million people, and led to a fire
sale of login data on the open market. The size of the hack was extraordinary,
but the arrest of its alleged perpetrator is astonishing not because of what
authorities say he did, but because he was caught at all.
Most cybersecurity situations do not have such clear-cut endings. The criminals
who conduct these attacks often hide behind the borders of nation-states that
are unwilling to cooperate with the FBI or INTERPOL. Often, hackers go
unpunished or even unidentified. And yet, victim companies continue to spend
money, time and resources they don't have playing legal whodunnit.
Companies need to think about how they can more effectively protect and prepare
themselves. You can't send your IT teams to law school, deputize your executives
for international manhunts or break the bank hiring professionals to hunt down
cybercriminals who aren't likely to be caught. Instead, try these three steps,
which every business should consider before they suffer a hack.
1. Establish roles and responsibility for privacy governance
Data notification laws are complex, and they're only one aspect of the legal
framework involved with data governance. However, seeking legal advice in
advance of a hack will give your business an edge when a serious issue occurs.
If a data breach occurs, you should already be aware of the data notification
laws for each and every jurisdiction in which your company has customers,
partners and business assets. Often, you're required to notify both regulatory
agencies and users if you suffer a breach. Those requirements should not be
something you dig into after a hack; learn them today.
Additionally, someone on your team needs to be responsible for collecting
evidence for legal purposes, a role that should also be informed by prior
training and legal advice. Ideally, an in-house incident response team
collaborating with a lawyer can help establish procedures and policies to
benefit the entire organization. Actively working to get educated and proactive
about the legal aspects of data privacy can save your company from legal fees
that may result from complications following a breach.
2. Train your employees to understand your policies, as well as threats such as email phishing
Do your executives, directors and other employees understand your cybersecurity
policies? Having such documents is not enough. Teach your team what's in those
documents and train them in simulation exercises to ensure they understand what
to do when they're presented with a security threat. This is absolutely
essential; approximately 90 percent of attacks start because of an employee
error, like opening an email from an unfamiliar sender and clicking a link or
downloading an attachment.
Your policies should clearly explain expectations around phishing scams and
similar attack techniques, as well as detail roles and responsibilities in the
event of an attack, how to report suspicious activity, management of devices,
privacy expectations and an incident response plan. Once you create all of that
material, teach it to your staff in engaging, interactive ways.
3. Implement intelligence-sharing procedures for immediate reactive action and partnership with law enforcement
As part of your incident response planning, establish contact with law
enforcement organizations to ensure you can coordinate with them efficiently in
the event of an attack. Determine which intelligence-sharing procedures your
team will handle and which you'll need to outsource in order to act quickly. Be
sure to include your attorney in your plans and outline what his or her role
will be.
The likelihood your company will suffer a cybersecurity breach remains far
higher than the likelihood a hacker group that targets you will be caught.
However, that fact does not mean your company is helpless. Protect your business
now by educating your team about your policies and clearly defining post-breach
responsibilities and roles.
