Cybersecurity – What Is It? Why Should You Care? What Can You Do?

SEPTEMBER 2022 Cybersecurity – What Is It? Why Should You Care? What Can You Do?

For many, the word “cybersecurity” is as confusing as the concept of information technology (IT).  The word “cybersecurity” entered American lexicon in the early 1990s and, since then, it has grown into a cottage industry.  If you own or operate a business, the sad reality is that experiencing a cyberattack is not a matter of “if” for your organization – it oftentimes is a matter of “when.”  Equifax, Yahoo, the NSA, financial institutions, hospitals, school districts and government agencies are just a few examples of victims of cyberattacks over the past several years.

First of all, what is Cybersecurity?  Importantly, it is not simply “an IT issue.”  Cybersecurity is the state of being protected against a criminal or unauthorized use of electronic data, or the measures taken to achieve this state.  Gone are the days when cybersecurity was merely an IT issue.  Today, it requires a multi-disciplinary approach for preparedness and oversight.  CEOs, boards of directors, and small business owners alike must take ownership of ensuring robust cybersecurity.

Cyberattacks typically come through ransomware, a type of malicious software designed to block access to a computer or network.  Once access is blocked, a ransom is demanded to restore access.  The most common types of ransomware are crypto-malware, lockers, scareware, doxware and RAAS (ransomware as a service).  These types of ransomwares all can easily spread malware easily through networks, lock out users, masquerade as anti-virus warnings claiming a computer is “infected,” threaten to release personal information, and appear to provide a “service” in exchange for payment to repair or unlock a network.

Everyone is at risk for a cyberattack – an individual, business or government agency.  However, the latter two retain the highest risk since they store valuable personally identifiable information (“PII”) of both employees and customers, such as social security numbers, financial information, and bank and credit card numbers.  Similarly, businesses retain valuable internal information such as research/prototypes, trade secrets, and other intellectual property, which can be the subject of exploitative hackers.

Why Should You Care?  Simply put, because your business depends on it.  Cyberattacks adversely affect small businesses to a much greater degree, costing on average more than $110,000 per incident with more than 60% going out of business within six months of an attack.  Perhaps even more surprising is that 90% of small businesses don’t use any data protection to ensure the confidentiality of company and customer information.  As a result, these companies lack the necessary protections and protocols to prevent malware attacks.  Not only is this detrimental to business operations, but failure to properly maintain cybersecurity measures when in possession of PII or other sensitive information could create legal liability and exposure for a company.  For these reasons, more than 90% of organizations have adopted some type of security framework or combination of such to make themselves as hard a target as possible for the ever-increasing number of cyber-criminals and hackers trying to exploit a company’s security weakness.

Ok, You Got My Attention. What Can I Do?  First, prepare for the possibility of the worst and have a cybersecurity plan for your company.  Consult a cybersecurity company or firm for additional guidance, but most plans include the following protocols and best practices:

 

  • Back up your data/IT systems!  Keep at least three (3) backups of your data, in different places if possible.
  • Establish a mandatory cybersecurity policy for your company.
  • Employ the use of software protection services and ensure updates are routinely downloaded.
  • Control access to data sensibly.  Limit access to need-to-know employees only.
  • Require the use of secure passwords and authentication.
  • Store sensitive PII securely and protect it during transmission (i.e., email or mail).
  • Monitor who is trying to access the network, and ensure employees who resign or terminated have computer access privileges immediately revoked.
  • Apply sound security practices when developing new products or services (i.e., don’t overshare).
  • Make sure that service providers to your business have likewise implemented reasonable security measures.
  • Establish procedures to keep security current and routinely address vulnerabilities that may arise.
  • Secure and limit access to paper, physical media and devices.
  • Develop a computer use policy outlining what employees can and cannot use work computers for, including addressing personal use and social media.
  • Properly train employees on practicing good cybersecurity.

 

What Should I Do if My Business is Attacked?  If your business is a victim of
a data breach or ransomware, immediately report the incident to the South Carolina State Law Enforcement Division (SLED) or the Federal Bureau of Investigation (FBI).  There may be decryption keys available, depending on the ransomware variant.  Law enforcement does not tend to recommend the payment of any ransom since there are no guarantees the hacker will provide a decryption key – which is why backing up data is so important.

This may all sound intimidating, but the important thing to remember is there is no such thing as perfect security.  The best approach is maintaining reasonable and robust cybersecurity protocols based on the volume, sensitivity, size and complexity of your business.  Hackers are in the business of exploiting the “low-hanging fruit” rather than investing time and effort into a hardened business target.  These “best practices” can go far in ensuring your business is a hard target.

 

DISCLAIMER: The information on this page is provided for informational purposes only and should not be construed as legal advice or acted on as such. The content on this page may not reflect current legal developments or address your situation. It does not create an attorney-client relationship or provide guarantees or endorsement of behavior and is not a substitute for obtaining legal advice from an attorney on a particular legal matter.