Data breaches are an increasing threat to the viability of any business, yet most businesses are not prepared to handle the costs associated with a data breach. Every business maintains proprietary data in the form of customer lists, trade secrets and Personally Identifiable Information (“PII”), the last of which is protected by law. It is important for attorneys to understand the costs their clients may incur if and when customer PII is compromised. In addition to the initial expenses of investigating the breach, there may be additional costs associated with potential litigation. Understanding your client’s cyber risk allows both of you to be prepared when malicious activity occurs, so that decisions can be made efficiently and effectively.
According to a May 14, 2015 article on Enterprisetech.com by George Leopold, the average cost of a data breach is expected to exceed $150 million by 2020. New regulations regarding the handling of personal and confidential information are important, but they set minimum requirements; no compliance regulation is designed to protect your specific business and its operations. Cybersecurity is an organization-wide issue, with the ultimate responsibility falling on the owners, executives and board members. By taking a holistic approach to cybersecurity management, your clients can reduce the weaknesses in their cybersecurity defenses.
In order for a business to take on the seemingly daunting task of securing and protecting its assets, electronic or otherwise, it must integrate several cybersecurity efforts. This can be accomplished by addressing three general areas of cybersecurity: prevention, detection and response.
The ultimate goal of cybersecurity is to prevent an incident or a breach from occurring. Preventing cybersecurity breaches begins with establishing a budget with your client. Helpful security measures can be implemented without breaking the bank as long as the business communicates its goals effectively to the entire organization. Building a culture that not only follows best practices but is also aware of cyber risk within the organization is key to preventing a cybersecurity event. Finally, it is important to have a third party assess your client’s current risks. Applying what you learn from this assessment will help prioritize tasks and secure your client’s systems, networks and applications with a strategy that prevents as many attempted security breaches as possible.
Preventing 100% of attempted security breaches is impossible. To defend against the attacks that get past preventive controls, your client should implement a strategy to monitor for and detect attempts to compromise security. Most incidents begin as events recorded in system and network logs. If an organization learns to distinguish, among the events reported by its technical sources, those that pose a real threat to its security and operations, it can then decide what, if anything, must be done to stop an attempt from becoming a full security breach.
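As an added illustration of what “identifying events that pose real threats” looks like in practice, the following script is example code written for this edit, not part of the original article or of the services it describes. It reads a handful of constructed sshd-style authentication log lines and separates noise (a single failed login) from a pattern that warrants a response: repeated failures from one source address followed by a successful login from the same address. The log lines, the five-failure threshold and the two-minute window are all assumptions chosen for the example; a real monitoring program would tune them to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the style of OpenSSH's sshd; not taken
# from any real system. Source addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 10 02:14:03 web01 sshd[4023]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 02:14:05 web01 sshd[4025]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 10 02:14:06 web01 sshd[4027]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 10 02:14:08 web01 sshd[4029]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar 10 02:14:11 web01 sshd[4031]: Accepted password for root from 203.0.113.7 port 51012 ssh2
Mar 10 02:20:44 web01 sshd[4102]: Failed password for alice from 198.51.100.23 port 40211 ssh2
Mar 10 02:20:50 web01 sshd[4104]: Accepted publickey for alice from 198.51.100.23 port 40213 ssh2
Mar 10 03:01:12 web01 sshd[4311]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
"""

# Matches the Failed/Accepted authentication lines sshd writes via syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2015):
    """Return a dict for an auth event, or None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window_seconds=120):
    """Group auth events by source address and raise alerts for:

    - "brute_force": `threshold` failures inside `window_seconds`
    - "brute_force_success": a successful login from a source that had
      reached the threshold inside the window (the event that needs a
      response, not just a note in a report)
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []  # recent failures for this source, sliding window
        for e in evs:
            failures = [f for f in failures
                        if (e["ts"] - f["ts"]).total_seconds() <= window_seconds]
            if e["result"] == "Failed":
                failures.append(e)
                if len(failures) == threshold:  # fire once per run, not per extra failure
                    alerts.append({"kind": "brute_force", "src": src, "at": e["ts"],
                                   "users": sorted({f["user"] for f in failures})})
            elif len(failures) >= threshold:
                alerts.append({"kind": "brute_force_success", "src": src,
                               "at": e["ts"], "user": e["user"]})
                failures = []
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(a["kind"], a["src"], a["at"].time(), a.get("user") or a["users"])
```

Run on the sample, the single failed login by `alice` produces nothing, while the source `203.0.113.7` yields a brute-force alert on its fifth failure and an escalated alert when the same address then logs in as `root`. That second alert is the kind of event the paragraph above has in mind: one that should start a response immediately rather than wait for a compliance-driven declaration.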
Traditional security practice calls this “Incident Response.” Today the effort requires some level of forensics capability, which we call “Forensics Response.” Handling incidents with a forensics approach ensures your client has a documented, defensible process that supports both its legal obligations and the continued secure operation of the business. You must strategize with your client so that decisions about how to respond to events are informed ones.
Utilize the following tips when developing a defensible process:
- Use a third party for incident response capability assessments, as well as regulatory compliance.
- Use internal IT staff for business continuity and recovery during an incident.
- Use a third party to manage the incident response and conduct the investigation. This third party must be trained and qualified in forensic investigation so that the incident is handled in a way that prepares for any litigation that may follow.
- Ensure your client regularly conducts response activities on events that pose a potential threat to the organization. They should not wait to declare something an incident based on compliance standards alone.
Recently, we provided forensic response services for a law firm and its client, an online e-commerce business. After receiving the initial call, we arrived onsite the same day. A technical team was assembled to assess the situation, collect and preserve evidence, and make the changes necessary to get the e-commerce site back up, protected and running safely. This was accomplished the same day, and the business was back online while the investigation continued. After several weeks, the forensic investigation was completed and we determined that the client’s systems had not been compromised; the suspected breach had instead occurred at a third party that handled the organization’s credit card transactions. This holistic approach saved the organization hundreds of thousands of dollars by providing the due diligence and the documented, defensible process needed to defend it against any future litigation resulting from the incident.
A business disrupted by a cybersecurity breach feels pressure to restore operations immediately to minimize the disruption. In this case, our team of experts managed the forensics response, properly investigated the issue, and provided risk analysis and additional technical resources. The emergency was resolved in the short term, and we provided long-term solutions to improve prevention, detection and response capabilities.
Cyber threats and cyberattacks have increased dramatically over the past decade. These attacks have exposed sensitive personal and business information, disrupted the critical operations of organizations and imposed high costs on the economy and on businesses. The majority of those costs do not stem from the compliance failure itself; the largest costs to an organization stem from having an indefensible process when litigation ensues. It is imperative that your clients stay informed about the continuously changing forms of cyber threats and develop appropriate, cost-effective controls to safeguard their businesses from data breaches and potential litigation.