Cybersecurity and Data Privacy Planning Series: Begin Planning Now for the Threats to Come

October 2, 2017

By: Sarah M. Gates and Craig R. Smith

Lando & Anastasi’s program on “Cybersecurity Strategic Planning” provided practical solutions to threats against your data, privacy, and trade secrets. This is the second installment of the key takeaways from the program and focuses on Planning for the Threats to Come. (Click here for Part 1: Identifying the Risks.)

Begin Planning Now for the Threats to Come

Every week there are new reports of cyber attacks or data privacy incidents.  Many companies recognize that threats exist and want to be better prepared to prevent or minimize the potential damage.  To that end, advance planning and the preparation of a robust plan are essential.

When creating a cybersecurity plan, companies should consider the following issues:

  • Assemble a team.  A key person or small core group should have responsibility for executing the company’s response plan so that appropriate action can be taken quickly. Companies should not address cyber risks and data privacy issues for the first time after an attack or incident has occurred.  For example, it is less expensive and more efficient to enter into contracts with cybersecurity vendors, such as forensic experts, prior to an incident.
  • Assess the risks associated with your data and systems.  Identify the vulnerabilities of your computer systems and determine how to control access to sensitive data. Companies should look for ways to reduce data collection and storage, evaluate what data they need to keep, and implement data retention policies to remove unnecessary data. The risks associated with storing large quantities of personally identifiable information can be mitigated by segregating personal information from usage data and breaking the link between the two.  In some circumstances, anonymizing data can avoid the disclosure of personally identifiable information.
  • Evaluation of protections. Sensitive data and systems can be protected in many ways.  Companies should consider encryption technology and password protections, including two-step authorizations, to limit access to company data.  Mobile devices must be evaluated for security and protected from unauthorized access.
  • Testing of systems. Test the vulnerability of your systems on a regular basis, and if any vulnerability is discovered, make the necessary investment to address the issue.  Educate and train employees on security policies and reporting processes.
  • Detection of incidents. Companies should actively monitor their systems to detect improper activities, including intrusions, access to data, and downloads.   Information technology departments should be trained to notify the cyber response team of any unusual activity on the network.
  • Response. Companies should develop a response plan for each type of potential threat.  A comprehensive response plan helps ensure that the appropriate steps are being taken immediately after a problem is detected.  It is important to know who to contact when a cyber attack or data privacy event occurs, including management, IT, legal, cybersecurity vendors, insurance carrier, and possibly law enforcement. Key documents and contact information should be accessible in the event of lost access to certain computers or servers (e.g., a ransomware attack).  Also, a copy of your organization’s cybersecurity insurance policy should be readily available as it may specify who must be contacted and the timeframe for doing so.

In many instances, response speed is essential to mitigate the damage caused by a cybersecurity or data privacy event. The best way for organizations to be able to respond quickly and appropriately is to have considered any possible threats and consequences ahead of time, and have a comprehensive response plan before an attack occurs.

Companies should regularly revisit their cybersecurity and data privacy policies and their response plans to keep them current, as both the regulatory landscape (which may dictate certain actions that must be taken) and relevant technologies are changing rapidly.  In the next part of this series, we will discuss specific cybersecurity and data privacy laws in various jurisdictions.

Contact us for more information on this panel discussion and any cybersecurity and data privacy issues.