Best Practices for Reducing Cybersecurity Risks
With millions of cyber attacks occurring every day, South Florida businesses need to pay close attention to their security practices. Otherwise, they risk a data breach that could lead to the theft of confidential data, a ransomware “lockup” of their networks, regulatory penalties or exposure to lawsuits.
“This is a problem that will be with us for a long time and you should understand the best practices to minimize those risks,” said Rodolfo Pittaluga, Jr., an adjunct professor at the FIU School of Law. He moderated a panel discussion on “Managing Security Risks in the Americas” at a September 29 seminar for corporate counsel hosted by the Morgan Lewis law firm with the University of Miami School of Law and the Juncadella Corporate Counsel Group. More than 250 corporate counsel from multinational companies in the Americas attended the session.
"Cyber crime is not going away and businesses can't rely on law enforcement to prevent attacks," said Thomas Mellor, partner, Morgan Lewis. "If you are hacked, you can't call 911."
Instead, businesses should try to educate employees and build a focus on security into the culture, Mellor said, adding that everyone in an organization has a role to play in cybersecurity.
“What we see is a consistent approach to poke through an organization's least protected area,” said Jose Gonzalez, CEO and co-founder, Trapezoid, Inc. “An intruder will try to gain credentials to penetrate your network and gain privileges that allow them to do whatever they want. So, from a company perspective, you have to look everywhere.”
Recommendations for Reducing Risks
Here are 15 recommendations for reducing cybersecurity risks from panel participants, as well as other legal and accounting professionals interviewed by South Florida Legal Guide.
- Undertake a data inventory. “You need to know the nature and scope of your sensitive information and where it is stored,” said attorney Alfred Saikali, chair of the Data Security and Privacy Practice at Shook, Hardy & Bacon in Miami. “If there is a cyber attack, you will be better able to tell whether your sensitive information has been affected.”
- Stress-test your network security. "Conduct an assessment and test your security tools in advance," said Angela Polania, CPA, a principal at Elevate LLC certified in risk and information systems control. "This will help you address potential vulnerabilities and provide you with a third-party report you can show to your clients if they are concerned about their data."
- Keep your systems and applications up to date. "Make sure your IT department is installing the latest security patches," said Polania. "If you are developing your own software, be sure you use secure coding practices to avoid any hacking of your programs."
- Know your vendors. If your organization shares information with outside vendors or provides them with access to your network, take time to understand their security practices, Saikali said. If there is a vulnerability a hacker could exploit, your data could be compromised, even if you have strong internal controls in place.
- Stay alert for internal problems. An employee with a grudge, a manager seeking to embezzle funds or a supervisor who visits an illicit website and brings malware back to the network are among the potential problems. “You can have top of the line protection, but be vulnerable to the basic human errors,” said Alvaro Quesada Loria, general counsel, Florida Ice and Farm Co. “That’s what keeps us awake at night.”
- Prepare for a ransomware attack. “Decide in advance if you will pay or not pay an attacker,” said Richard Nolan, managing director, global cyber investigations, Citigroup. “Remember that paying money to an unknown entity can also expose you to regulatory and compliance risks, such as money laundering.”
- Have a secure backup in place. In the event of a serious malware or ransomware problem, having a backup that is separate from your network lets you restore your system without paying a ransom, added Nolan.
- Consider a cloud-based services provider. Many businesses don’t have the resources to invest in cybersecurity or prefer an outsourced approach. "If you don't have the latest and greatest security tools at your company, a cloud-based provider is likely to have a stronger collective security infrastructure," Saikali said.
- Create an incident response team. The team should include technology, legal, human resource, and marketing professionals, as well as a senior executive. “You may also include external people, such as an information security firm, outside counsel and a cyber insurance provider,” Saikali said.
- Engage outside security, accounting and legal professionals in advance. “Should an incident occur, you want to have go-to people in place,” Saikali said. “Otherwise, you won’t have the time to review their suitability for the task or negotiate a contract for their services.”
- Consider purchasing cyber insurance. The nature of your data, the extent of your operations and the risk of a breach are all factors to consider before purchasing insurance. “Some providers offer security updates and incident readiness tools that can also help you prepare,” added Saikali.
- Ensure that your legal team guides your response. While IT experts need to be part of a response team, they may not understand the legal, compliance and customer aspects of a problem, said Nolan. "Legal needs to be part of the incident response team to develop the playbook and the scripts that teams will follow."
- Understand your disclosure requirements. If you discover a data breach, you need to know your obligations to notify employees, customers and regulatory agencies, Nolan said. The situation can be complex for a multinational company, as those regulations differ from country to country.
- Be as transparent as possible in public communications. A poor public relations response could ultimately be more damaging than a data breach, Nolan said. "You should lay out what you know and what you don't know at the time, and let the facts come out as the situation develops,” he said.
- Train, train and retrain. Just as hackers are constantly trying new attack strategies, organizations need to educate and remind employees to be vigilant. "Humans are the weakest link in cybersecurity," Polania said. "Make sure they understand what to do – and what not to do – when online."
Be Sure to Follow Data Privacy Regulations
South Florida businesses that collect personal information about their customers and employees should be aware of applicable data privacy regulations, according to panelists at the Morgan Lewis corporate counsel seminar.
"Today, there is no federal standard for data privacy," said Aaron Mendelsohn, chief data privacy officer, Ingram Micro. "Instead, there is a patchwork of state laws that generally focus on protecting consumers against identity theft and financial fraud."
However, the situation is different in Europe and Latin America, where many countries have enacted laws and regulations designed to safeguard employee and customer data. For instance, the General Data Protection Regulation (GDPR) in Europe imposes fines of up to 10 million euros or 2 percent of a company’s worldwide annual turnover for failing to comply with its provisions.
“One best practice is to provide your employees with a privacy notice that defines the information you collect and how it will be used,” said Humberto Padilla Gonzalez, international partner, Morgan Lewis. “Having that in place can help you avoid fines for violating a nation’s disclosure rules.”
Back to October 2017 Edition