Cybersecurity conversations filled the halls when 400 Iowa business leaders came together for the first time in two years in early June. New breaches dominated the headlines as the Association for Business and Industry’s Taking Care of Business conference convened. In fact, throughout the gathering, Iowa’s largest community college was shut down while trying to recover from a ransomware attack.
All the breaking breach news put cybersecurity at the front of many minds. It was hard to find a conference attendee who still thought their business was too small or their data too boring to draw a hacker’s interest.
To help leaders across industry sectors understand how to ramp up their organizations’ security posture, Pratum Founder and CEO Dave Nelson joined a panel discussion on best practices for business cybersecurity. Here are key tips highlighted during the discussion.
- Protect the data, not the device – The world’s rapid jump to remote work in 2020 accelerated the move toward security that is data-centric rather than device-centric. In short, the old approach focused on locking down access to servers, devices and networks that were all under a company’s physical control. But as thousands of employees instantly switched to working on personal devices and networks, organizations realized that data needs to carry protection wherever it travels. “You no longer control the devices or networks. And that’s scary for data managers and business leaders,” Dave Nelson said. “Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.” Read this Pratum blog to learn more about the shift to data-centric and zero-trust architecture.
- Call your attorney first during a breach – If you realize hackers have gotten into your system, your first call should almost always be to your attorney. Brian McCormac, an attorney at Pratum partner BrownWinick, pointed out during the panel that activating attorney-client privilege early serves your best interests. “Once a client engages us,” Brian said, “we can engage the cybersecurity service under attorney-client privilege.” That allows frank conversations with the cybersecurity company without those communications becoming discoverable in later litigation. You should also contact your attorney before your insurance carrier to increase the chances that you can work with an attorney you know. “An insurance company will probably assign you a law firm in another city,” Brian said. “They don’t know who you are. And counsel that is only working with you one time probably won’t take your call at midnight if you’re in the middle of a breach.”
- Call in cyberinsurance at the right time – The panel offered several other best practices for working with cyberinsurance carriers. Dave noted that talking to your insurance carrier first may be “giving them notice of an issue that they wouldn’t even need to know about otherwise.” Work with your attorney and cybersecurity consultant to fully assess the situation before getting insurance involved. Do check your policy’s notice requirements while you do so, though: most cyber policies set a window for reporting a suspected incident, and missing it can jeopardize coverage, so “the right time” is the point at which you know enough to report accurately, not after that window closes.
- Build your response team in advance – Successful breach recoveries typically come from building solid relationships with an attorney and a cybersecurity consultant before the problem starts. Your incident response team helps you establish policies that reduce the likelihood of a breach in the first place and helps you handle any breach that does occur more efficiently. Plus, if your team knows your business in advance, they’ll be able to provide more accurate and timely advice when you’re facing a critical incident. Identifying your partners in advance also gives you time to ask your insurance carrier to put them on its approved vendors list. If you don’t do this ahead of time, you’ll be stuck using your insurance company’s providers, even if they cost more than your preferred local provider and don’t know your business.
- Train your employees – BrownWinick attorney Drew Larson said, “Your weak vector isn’t always a hacker. It’s often an employee.” Brian echoed the point by noting that most breaches start with an employee clicking on a malicious link in a phishing e-mail. “It causes great harm,” Brian said, “but it’s not the person in a basement in the Ukraine hacking away at your firewall.” The solution is to train your entire team in how their actions affect the organization’s security—and then train them again every few months. Our Employee Security Training Planner helps you lay out an ongoing plan to build cybersecurity into your culture.
- Pay attention to mobile device management – Dave noted that every robust security policy should address best practices for mobile device management. Tools such as Microsoft Intune, for example, let you separate personal and business use of the same phone by keeping business data inside managed apps, isolated from the user’s personal apps and data. That business data is encrypted independently of the device’s own encryption setting, so it stays protected even if the user never turns on encryption for the phone itself.
- Encrypt your data – Speaking of encryption, the panel recommended giving more attention to your policies for this critical area. Proper encryption not only keeps bad guys out of your sensitive data but also provides legal advantages. Brian noted that, “Encryption often provides a safe harbor under breach notification laws. In some cases, you can avoid those notices if you encrypt the data.” That safe harbor generally applies only when the encryption key was not exposed along with the data, so where keys are stored, and how far they are kept from the data they protect, matters as much as whether the data is encrypted at all.
- One great tip – Closing out the panel, Dave and Brian offered these best practices when asked for one recommendation they’d make to any organization:
Dave Nelson: "Get an IT risk assessment. That keeps you from spending so much money on the wrong areas that you don’t have money left for the important ones. If you don’t start with a risk assessment, you’re just throwing darts—and you don’t even know if you’re facing the dartboard."
Brian McCormac: "Map your data. Invariably, you have info you don’t know you have. Businesses are very siloed. HR doesn’t know what marketing has, and legal doesn’t know what anybody has. One company was collecting racial info in Europe, which is a big no-no. Why? They didn’t know. They just said they always have. So pursue a plan for data minimization. Have only the data you need and make it available only to those who must have it."
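The “Protect the data, not the device”, mobile device management and encryption items above all rest on the same mechanism: the record carries its own authenticated encryption, so a copy on a lost phone or an unmanaged laptop is useless without a key that is held somewhere else. What follows is an added example written for this page, not code from the panel, from Pratum or from any product named here. It is Go using only the standard library; the record ID scheme (`hr/employee/1042`), the sample JSON row and the 32-byte key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealRecord encrypts plaintext under a 32-byte key with AES-256-GCM and
// binds the result to recordID via GCM associated data, so a blob copied
// into another record's slot, or relabelled, fails to open.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reuse under one key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the blob, the key or the
// recordID makes the tag check fail and returns an error instead of
// silently yielding garbage.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed key for the demo; in practice it lives in a key store,
	// never beside the blobs it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample HR row, not real data.
	rec := []byte(`{"employee":"J. Doe","ssn":"000-00-0000","salary":72000}`)
	const id = "hr/employee/1042"

	blob, err := SealRecord(key, id, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into a %d-byte blob\n", len(rec), len(blob))

	// The blob found on a lost device, opened under the wrong record ID.
	if _, err := OpenRecord(key, "hr/employee/1043", blob); err != nil {
		fmt.Println("open under a different record ID: rejected")
	}
	// The same blob with one bit flipped in the tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, id, tampered); err != nil {
		fmt.Println("open after a one-bit change: rejected")
	}
	// Only the right key and the right ID recover the row.
	pt, err := OpenRecord(key, id, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("open with the right key and ID:", string(pt))
}
```

Running it prints the sealed length and the three outcomes. The design choice worth noting is that the record ID goes in as associated data rather than being stored loose next to the blob: a ciphertext cannot be moved between records or relabelled without failing the tag check, and corruption is rejected rather than decrypted into plausible-looking garbage. The safe harbor Brian describes typically turns on the key not being lost together with the data, which is why the key in a real deployment sits in a separate key store or hardware module and never in the same place as the sealed records.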
For help in understanding how any of these areas affects your specific situation, contact Pratum today.