Very likely you are thinking, “Please don’t throw me more stuff to keep after, I already have more than I can efficiently handle, and by the way I’m a barn manufacturing company and you’re asking me about data security?”
Yes, we hear what you are saying, but hear us out. Because your RTO provider is handling all of the personal information for the hundreds or possibly thousands of customers they have on file, it’s worth investigating just how they handle cyber security. After all, most of the time it is you, the manufacturer, who is collecting all this information. Cyber security risk has become so pervasive that, over the last couple of years, it has changed the way companies perceive it.
Attacks are Inevitable
In October 2014, Robert Mueller, director of the FBI, said, “There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.” Statistics and security professionals affirm this statement. In May 2014, a study by FireEye examined 1,217 organizations around the world and found 97 percent of those organizations had been breached in the preceding six months.
The words “data breach” became part of many people’s vocabulary in 2014 as they learned about Target, Home Depot, eBay, and Michaels breaches. It became solidified when the year closed with news of the catastrophic Sony breach. The trend has continued. Anthem is likely the largest healthcare data breach in U.S. history. Shortly afterward, the global banking breach of more than 100 banks in 30 countries potentially earned cybercriminals $1 billion. Given the lucrativeness of cybercrime, this trend will surely continue.
The familiarity the business community now has with cybercrime explains why business owners’ duties regarding cyber security are evolving. It’s no longer reasonable for anyone, especially business owners, not to be familiar with the threat of cyber security risks.
Companies Have a Duty to Prepare
While the situation may sound hopeless, there are several reasons why it is vital for companies to prepare. Ninety percent of the data breaches from the first half of 2014 could have been prevented by better cyber security practices, according to a study by the Online Trust Alliance. Of those breaches, many were phishing attacks that can be minimized with education and training. In some cases, basic preparation can be more effective than expensive and complicated tools.
In many cases, the initial breach of the company’s systems is not what causes the harm. Instead, it is the inability to quickly detect, mitigate and respond to the breach that causes the problems. While companies may not always be able to prevent data breaches, by implementing reasonable security measures, companies minimize their impact. This may explain why, following a breach, authorities always want one question answered: “What steps did the company take to prepare before the breach occurred?” An ounce of prevention is cheaper than the very first day of litigation.
A cyber security risk-protection program can lower a company’s risk of breach and, should one occur, lessen its negative impact. Documented evidence of the program will help show authorities the company took reasonable measures before the breach. This can help dissuade them from assessing severe penalties. This can also be very valuable for public relations, which can be vital for minimizing the negative impact on the business.
Cybercriminals are highly motivated, often skilled experts who continue refining their techniques as defenses adapt. To combat this, the program should include experts from different disciplines who understand cyber risk and work together as a team with the company. An effective program is not a one-time event. It is an ongoing process that should include these phases: an overall cyber risk assessment, strategic planning to address the findings, implementation and training, effectiveness and readiness testing, and regular reassessment and refinement to adapt to new threats.
Duty of Care Requires Companies to Prepare
In early data breach lawsuits, plaintiffs had little success and their cases were dismissed quickly. The trend is changing. Courts are allowing these cases to proceed, as seen in the December 2014 ruling in the Target breach litigation. In that ruling, the court found that companies have a duty to safeguard customer data, not to disable security features that would prevent a data breach, and to heed warnings of an attack and respond appropriately.
While the courts address companies’ duty of care, so too do administrative agencies, such as the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Federal Financial Institutions Examination Council (FFIEC). The courts and agencies are reaching the same conclusion: companies have a duty to be reasonably informed of cyber security risks and to take reasonable measures to protect against them.
Evolution of a Company’s Duty
The company’s duty is also evolving. To encourage compliance with these duties, agencies are directing their message to corporate boards and emphasizing cyber security’s importance as a pillar of corporate governance.
The company is charged with these responsibilities because it has the ability to bring about the needed changes. It can do the following things to uphold its ethical and fiduciary duties to the company, minimize its cyber risk, and avoid being a lawsuit target.
First, establish a company culture that focuses on security. Second, stay reasonably informed of cyber security risk issues. Third, exercise appropriate oversight by ensuring compliance with an adequate cyber security risk protection program.