Nation-State Cyber Attacks Are a Good Reminder of Cybersecurity For All

Ok, so the first question is: what is a nation-state cyber attack? It is exactly what it sounds like: a foreign government (or government-directed organization) targets another country’s government or commercial institutions or infrastructure. There is a plethora of motivations for these attacks, including attempting to influence politics; obtaining information on weapons proliferation programs; chipping away at a rival’s economic and military competitiveness; altering a country’s diplomatic standing; and cyber warfare to create an advantage in conflicts. Phew!

So you are not a nation-state.  And, frankly, France has not called to ask for my opinion about the possible hacking of President Macron’s emails.  But, the bottom line is that I am writing this blog not because nation-state cyber attacks could happen to you but because they could happen to you.  WHAT?? The point here is that if these “alleged” cyber attacks can happen to Hillary Clinton, Emmanuel Macron and the Democratic National Party, then they can happen to anyone.  Cybersecurity is not something that we should take for granted.  In fact, it is extremely serious with extremely serious consequences. Moreover, it is not just a concern for nation-states, politicians or large corporations: by the end of 2016, 43% of all cyber attacks were against small businesses.  Cybersecurity is for everyone.

Despite the claimed political incorrectness the news media currently enjoys, they have brought nation-state-sponsored cyber attacks out of the darkness and into the proverbial light of public awareness. And regardless of which side of the political aisle you reside on, the message is clear: nothing is sacred, safe or off-limits. So maybe your business is not necessarily concerned with weapons proliferation, but how about trade secrets? Goodwill? Protecting employee privacy? Protecting customer and client information? Yeah, these are things that every business should be concerned about and committed to protecting.

As technology and security advance, countries will continue to devote resources toward cyber espionage and warfare. Similarly, as technology and security advance, hackers will continue to devote time and resources to infiltrating systems. And just like the government, if you are breached you have to make sure that you are ready. For many businesses, this involves both internal and outward-facing concerns, along with the ability to comply with whatever state and federal laws may apply. You need to be prepared, and not just from the tech side of things. Yes, your business should apply patches in a timely manner, have password controls, use encryption technologies, and have thoughtful and practical WiFi safeguards (e.g. using a VPN). However, having a basic knowledge of your system and your data is just as important.

Knowledge is power when dealing with cybersecurity. What type of data do you store? How many people could be affected? Are the cybersecurity protections in place reasonable and defensible? Do you have reasonable and defensible cybersecurity guidelines and protocols?  Do you audit your business to make sure that those cybersecurity guidelines and protocols are being followed?  Do you have regular employee training?  Do you have a breach response plan? What is the corporate exposure in terms of liability in the event of a breach?

These are all valid and important questions to ask before you are breached. What is important to note is that being prepared to answer these questions, i.e. knowing your systems, knowing your privileges and knowing your employees’ practices, plays into whether you are prepared or are simply a sitting duck. Because in the end, when dealing with cybersecurity, luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.