Just Like the Flu Shot, Cyber Prevention Is No Sure Thing
By Becky Blalock
Getting a flu shot doesn’t mean you won’t get the flu – and so it is with cyber breach prevention. Yes, companies and individuals need to be diligent about deploying the latest tools and training to help secure their systems, but let’s face it: For each new technology that prevents a breach, a new one is developed to compromise it. So, it is important to be prepared in the event you are hacked. Here are some ideas every company should consider as best practices when dealing with breach prevention.
Few companies have a breach response plan in place, and for those that do, the data shows that most are not practicing it. It is a best practice to do a dry run on your plan at least once a year. The plan should include how you will communicate with your employees, customers, stockholders and potentially the media. It should also list whom to contact for help, including details on which vendors you will use for different kinds of hacks, along with their contact information. It should also include direction on whom you will contact in law enforcement or regulatory agencies. Many companies do not know that the FBI is the best place to turn for help and advice if you get hacked.
Assuming that a breach has occurred, it is also important to understand what you will do to remediate any damage done to other parties, such as your employees or customers. Will you provide credit monitoring or other services? And whose services will you deploy? If there is a service disruption due to a hack, what is your contingency plan? Many companies think they are safe because they are backing up their data. However, backups may be corrupted going back months. What is your plan if this happens? Does your company have a cyber insurance policy? According to the type of business you are in and type of data you manage, this may be an investment you need to make.
It is important to understand what the law is regarding a breach. These laws are changing rapidly and vary by country and industry. In the U.S., the laws vary from state to state. The strictest law currently in effect is in the U.K., where companies must report within 72 hours if there has been a breach. Failure to do so may cost the company 4 percent of its global revenue. The SEC has also recently given more direction on disclosure regarding breach potential and risk-mitigation practices.
It can be hard to make the investment of time and resources to prepare for something that may never happen. However, there are bright spots. Metro Atlanta is a key hub for the cyber security industry with a number of established companies and a plethora of tech startups working in the space. Not only do we have the organizations making a difference for tomorrow, but our region is also home to universities and technical schools – like Georgia Tech, Emory, Georgia State and the Atlanta University Center Consortium schools – all providing a smooth pipeline of talent to the areas with the most need. Our centers of education have more than 275,000 students enrolled in 60 colleges and universities, offering the built-in diversity that tech and cyber security companies are looking for.
Often, responding quickly to cyber security breaches can be the very best way to protect your company’s brand. I have learned that people can handle bad news; what they cannot handle is no news. The longer you wait to inform affected parties about a breach, the more damage you do to your credibility and brand.
So along with all the prevention you can do, be prepared for the worst.
Catch Becky Blalock, NACD Atlanta Chapter board member, on the panel “Improving Your Cyber Readiness and Resilience” on October 9 at Cybercon 2018 during Atlanta Cyber Week.
Atlanta Cyber Week connects the dots in our cyber security ecosystem and contributes to the story of metro Atlanta as a top venue for global commerce. Registration for Atlanta Cyber Week and Cybercon is open now at www.atlcyberweek.com.