“As a CEO, it’s never been more important to lead with a security-first mindset, regardless of your technological experience or knowledge of cybersecurity.”
Why this is important: We have discussed in previous issues of Decoded that to be effective in thwarting a cyberattack, cybersecurity has to be an integral part of an organization’s culture. An organization’s culture of cybersecurity must be one that is organically developed from the top down. When leadership demonstrates genuine interest in cybersecurity, it encourages employees to notify managers of areas of risk and possible data breaches. This top-down culture also results in leadership approving necessary funding for cybersecurity and training to avoid a data breach. By developing a cybersecurity-focused culture in your organization, you can hopefully avoid being one of the 90 percent of organizations that experienced at least one identity-related data breach, of which 68 percent had a direct business impact, in the last year.
However, as cybersecurity tools and training improve, so do cybercriminals. Consequently, cyberattacks have moved from a threat to an inevitability. Cybersecurity requires constant vigilance, including taking the following steps:
- Organizational leadership must know what data the organization holds by conducting a data security audit at least annually. This covers both customer data and the organization’s own data. The audit should then examine both external and internal threats to that data. A data audit lets you know which data is integral to your organization’s operations and which data can be safely discarded. It also allows you to limit who has access to the remaining data. Not everyone within the organization needs access to all of the data. Identify what data is necessary for each level or department, and limit everyone else’s access to it.
- An organization needs to invest in cybersecurity specialists to implement a robust cybersecurity program. While an organization’s leadership is expected to be expert in accomplishing the organization’s mission, it is likely not as well versed in cybersecurity. That is when it is advisable to retain cybersecurity experts to help your organization institute a comprehensive cybersecurity plan.
- Protecting the organization’s own data first helps protect your customers’ data. This includes having the right tools to monitor and protect the organization’s network from attack. If you have the right tools in place to protect the organization’s data, those same tools should be used to protect customer data. Moreover, understanding how your organization uses its own data will help it understand how it uses its customers’ data.
- Having strong cybersecurity in place will do your organization no good if your employees are not properly trained on it. Cybersecurity training is not a one-and-done proposition; it should be continual and evolve as threats evolve. While the organization’s employees are the most likely vector of attack, whether from a lack of training or from sophisticated social engineering by a bad actor, they are not the enemy. Training should be proactive, empowering employees to recognize and thwart attacks, and should never be framed as punishment. All the investment in cybersecurity is wasted if the organization’s employees do not receive regular cybersecurity training.
- An organization’s leadership has a duty to stay educated on the ever-evolving risks the organization faces. Implement a cybersecurity planning group that includes a representative from each of your organization’s departments, internal IT, legal counsel, and cybersecurity consultants. Hold regular meetings that address evolving risks and how the organization should respond to those threats. Have a plan in place for a data breach so that you can respond effectively and minimize the damage. As the organization’s leadership, you need to educate yourself about effective cybersecurity so that you can make informed decisions when the time arises.
Taking these steps, and being proactive about cybersecurity, will also aid in the defense against a civil lawsuit if there is a data breach. Generally, successfully defending a lawsuit involving a data breach does not require your organization to have instituted perfect cybersecurity. Your organization need only have implemented reasonable cybersecurity measures that comply with state, federal, and industry requirements and are proportional to your organization’s size and yearly revenue. Additionally, as a member of your organization’s leadership, strong cybersecurity protects you from possible personal liability in the event of a data breach. Plaintiffs bring suits on behalf of company stockholders alleging that the damages associated with a data breach result from corporate officers and board members failing to satisfy their fiduciary duty to protect the company against cyberattacks. That is why it is so important for an organization’s leadership not only to implement strong cybersecurity, but also to foster a strong culture of cybersecurity. This culture will encourage employees to bring cybersecurity risks to leadership’s attention and encourage leadership to take proactive steps to address those risks, thereby protecting the organization and its leaders from future liability. If your organization would like help implementing a strong cybersecurity program, please contact a member of Spilman’s Technology Practice Group. --- Alexander L. Turner