’Tis the Season…for Cyber Attacks

’Twas the night before Christmas when all through the halls
Hackers were vishing through numerous calls
The President in panic, the CEO in distress
Everyone knew this situation was a giant mess
When from the CISO there arose such a clatter
All employees were watching to see what was the matter
And what to their wondering eyes did appear
A breach response plan and data map from work done that year.
She spoke not a word, but went straight to her work
Contacting her lawyer, IT, and insurance clerk
And laying her finger upon her smart head
She told everyone there was nothing to dread
So as the forensic team worked and toiled and strived
The employees all knew the company would survive
For knowing your data, your systems, your needs
Makes all the work worth it, from costs to the deeds
And we heard them exclaim as they worked through the night
We have our breach plan so it will all be alright!

With the holiday season upon us, the XPAN team wants to remind everyone that this is the season of cyber attacks and breaches. It is important to send a cybersecurity reminder to all employees to be vigilant and cognizant of potential email and telephone scams, and to verify any unexpected request for credentials, payments or data through a known channel before acting on it. Two high-profile security incidents disclosed back-to-back (Marriott Hotels and Dunkin’ Donuts) are a reminder that organizations of all sizes are susceptible to cybersecurity incidents and/or breaches. This is particularly true at this time of year, when email traffic increases and we attend various holiday festivities: our ‘defenses’ are down, or at least heavily distracted.

The most effective way to combat cybersecurity threats to your organization is to know and understand your systems, your contractual obligations and your regulatory responsibilities. Every business should understand: (i) the type of data it stores (PII, PHI, international, etc.); (ii) why it is storing that data; (iii) how long it should keep that data; and (iv) who or what it shares that data with (e.g. vendors). Every business, no matter the size, should have a breach response plan and a business continuity plan in place. And every business should have a good cyber liability insurance policy. In addition, businesses should put considerable energy toward creating sound, reasonable security and privacy policies and training employees on those policies.

Creating, following and enforcing policies demonstrates a reasonable and good faith effort. Policies provide a framework and roadmap for employees to follow. Guesswork is eliminated when there is a concrete policy in place that an employee can follow. Policies also give management the ability to track and understand what employees are doing with data and how they interact with the network. But it is not enough just to have policies; businesses need to train their employees on cybersecurity generally and on the policies specifically. Putting resources into explaining the threats, and how employees can help the organization combat them, goes a long way toward minimizing those threats.

Remember, cybersecurity is not an all-or-nothing proposition. Every organization that uses the internet in any way assumes risk. The goal is to reduce that risk, and training employees is a critical tool in a business’s toolbox to meet that goal. Employees need to be invested in the organization’s security, and see that management has made that same investment. Cybersecurity and data privacy take a team, because cyber criminals only need one person to click on a bad link or download a bad file to gain a foothold inside the organization. How far they get from there depends on the internal controls already in place, such as least-privilege access and network segmentation, which is why the policies and planning described above matter as much as the training.

In the coming weeks and months it is important to remind everyone in your company that they are on the front lines of protecting the organization. Whether through smart and vigilant online use or by properly vetting any vendor your company may use, everyone in your organization has a part to play. That means constant vigilance on the part of employees, and constant reminders on the part of management. Remember, in the world of cybersecurity, luck favors the prepared.
Happy Holidays!


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.