Nowhere to Run, Nowhere to Hide

This week we saw yet another rash of cyberattacks. The Philadelphia court system website was shut down Tuesday (May 21st) all afternoon because of a virus intrusion. The court website is where attorneys file all of their pleadings (complaints, answers, motions) for court cases taking place in Philadelphia. And while it is bad enough to deprive attorneys of their access to the court system, the system itself can house documents containing sensitive information. This attack on a governmental entity comes after hackers in Atlanta shut down critical portions of the city’s infrastructure last year. In addition to creating a problem from a governmental standpoint, the attack cost the taxpayers millions. The City of Baltimore also suffered two (2) cyberattacks in the past two (2) years. Last year the 911 dispatch system was hacked, which forced officials to temporarily shut down automated dispatching (i.e., the ability to send an ambulance to the scene of an accident, etc.). And in just the past few weeks, digital extortionists froze thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.

In addition to the Philadelphia court system and the recent Baltimore cyberattack, First American Financial Corp. also reported that approximately 885 million pieces of digital information were said to have been compromised. Some of these documents date back to mortgages from 2003 and, as we all know, this type of breach can expose some of the most sensitive types of financial information. Additionally, the Shubert Organization, which owns 17 Broadway theaters and the ticketing service Telecharge, also reported a cyber-breach. It was reported that someone had obtained access to the email accounts of several employees. The compromised email accounts included customers’ names, credit card numbers, and credit card expiration dates.

Cybersecurity, while seemingly on the radar of most organizations, still does not get the attention that other risks do. We hear about this all the time. In fact, cyber breaches seem so commonplace nowadays that we have almost grown numb to the idea that a person, or group of individuals, is continually attempting to steal our personal information. The common phrase you hear in the cyber world, that it is not a question of if a cyberattack will happen to an organization, but when, seems more and more true. But does that lead to a feeling of complacency? If so, that is a dangerous approach: we have to constantly guard against that feeling of hopelessness. We cannot simply give up and throw up our hands in despair.

The only way to combat a cybersecurity threat is to first take the threat seriously. Apparently, the CEO of Delta Airlines, Ed Bastian, is not as worried about Boeing 737 Max jets in his fleet crashing as he is about a cyberattack. Recently he was asked what scared him the most or kept him up at night. His response: cybersecurity. And to all of this, you may ask… so what? What does that say about the real threats that companies are facing on a daily basis?

Organizations cannot simply rely on a firewall and antivirus software as their sole protection. A company needs to understand its systems and create a data map or data categorization. Do you know if your employees have sensitive data in their email accounts? Email accounts are probably the most insecure areas of your network. Sensitive data should never be stored there. Create a policy that requires employees to move sensitive data out of their email accounts and to clean their email exchange regularly. Oh, and just in case you think you can rely on employees to follow policies, you can’t. Therefore, you need to enforce the policies by regularly (and without warning) auditing your systems, and that includes those pesky email accounts.

An organization also needs to ensure that it is prepared for a cyber breach. This does not just mean obtaining cyber liability insurance (even though that is a key part of risk mitigation that I would recommend every company explore). In addition to that insurance, you also need to have a breach response plan and a business continuity plan. And those plans need to be actually tested, not just thrown into a folder and forgotten. Your business or organization should also have regular assessments. Organizations constantly change, and so does the composition of the data they are collecting. You need to know what jurisdictions, contracts, regulations and statutes would be implicated by a data breach. These efforts may appear trivial at first, but they prevent an already horrific situation from turning catastrophic.

Finally, you need to educate your staff regularly and often. If you don’t impress upon your employees the importance of cybersecurity, you cannot expect them to focus on it or worry about it. And they should worry. It is also their data and their livelihood that are at stake. For most companies, the most sensitive information they will have will relate to their own employees. I can’t think of a more compelling argument to give your employees for paying attention and staying secure.

When people question why you are devoting so many resources to these areas, the response is simple: when it comes to cybersecurity, we are all at risk and so we must all be working together to combat the problem. Only when an organization has a comprehensive and cohesive approach to security and privacy can it hope to mitigate these risks. Because when it comes to cybersecurity, luck favors the prepared.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.