5 Steps To Make Cyberattacks As Painless As Possible
It’s an immutable fact of modern life: everybody gets hacked.
Everybody gets hacked. It’s as immutable a fact of modern life as anything. If it can happen to Equifax, Yahoo!, Cravath Swaine & Moore, the Securities and Exchange Commission and the National Security Administration, it can — and in all probability will — happen to you.
The question is, what happens next? Will you be hauled before Congress? Sued by everyone? Lose all of your clients or customers? The answers to those questions will largely come down to the answer to this one: What happened before you got hacked?
“To a significant degree, cyber-attacks are inevitable — it’s not a matter of if, but when, and how severe the toll,” crisis management and public relations expert Richard Levick says. “The rub is putting protocols in place for how to mitigate the damage once it’s done, contain the fallout and communicate to stakeholders what the company is doing to remedy the situation.” It’s also, he points out, “a convincing case for general counsels and corporate attorneys to make it to the inner sanctum sanctorum — and greatly enhance their value to upper management in the process.”
To get there and do that, there are five key steps.
Get everyone committed
Too often, cybersecurity is seen as an IT problem: Let the experts handle it, and the less I know about it, the better. But an effective cybersecurity policy requires buy-in from the top to the bottom, because cybersecurity affects every corner of your operation.
Making cybersecurity part of a company’s DNA starts with the C-suite and board of directors. But the lawyers leading the charge can’t stop there: It’s vital to involve everyone, from IT to communications to brand managers and business developers, and to establish clear lines of communication and responsibility. Everyone should know what’s theirs when the inevitable breach occurs.
Teach and learn
Imbuing everyone with a sense of ownership over cybersecurity begins with making sure everyone knows what it means. Some corporate and law firm leaders continue to labor under the delusion that they’re not a target, or that they’re adequately protected. They need to be made aware of the growing threat — and what has to happen if it materializes.
That means the legal experts leading this charge have to educate themselves. Take stock of your organization, including network providers and third-party vendors. Where are the holes? And how much money and how many people is it going to take to plug them?
Don’t forget the small stuff
When one takes into account how damaging cyberattacks have become — the average cost of a data breach is expected to top $150 million by 2020 — it’s remarkable how easily many could have been avoided. The recent Equifax breach, for example, might have been prevented had the company updated its security software in a timely manner, and the recent WannaCry ransomware attack occurred two months after Microsoft had issued a patch that would have closed the vulnerability.
Patches and updates come out on a regular basis, and you need to ensure that you’re applying them as regularly. Of course, WannaCry didn’t just rely on people failing to install updates: It also relied on individuals opening email attachments that they shouldn’t. Employees need to be trained on cyber-protection etiquette: Not only should they not open attachments from unfamiliar emails, they shouldn’t open any attachment they weren’t expecting at all — even if it looks like it comes from a reliable source.
Training should also focus on other steps employees can take to protect themselves and the company: Don’t let your inbox become a complete history of all you’ve ever done, just waiting for a hacker to pounce. And don’t use the same old password that you’ve been using since 1997 — you know, your last name backwards. Change it often, and make it as hard as possible to figure out.
Consider the Cloud
Storing data in the cloud has become almost as ubiquitous as cybercrime. And that’s not necessarily a bad thing: Third-party cloud providers often boast vastly more robust security than their clients, especially if those clients are smaller companies or law firms. But that doesn’t mean you should blindly leap into one. Ask questions of potential cloud vendors and figure out just how secure they are — and how secure their third-party partners are. Law firms in particular also have to know where their data is being stored, as many cloud platforms use data centers abroad.
Know what to do
You’ve convinced your executives, everyone knows their responsibilities, you know where your vulnerabilities are, you’ve got a solid password protocol, and your data’s in the safest possible cloud. All good, right? Not yet: Since you will get hacked — and, again, it is inevitable — you need a formal battle plan, and you need it now. Not five minutes after you discover a breach. Now. Who is responsible for what? What needs to be done and when? Do you have to call the authorities, and when?
Once you have your cybersecurity response plan in place, test it. Then test it again. Then train your employees based on what you find, and keep patching.
Learn more about how to keep your company’s name out of the next cyberattack headline here. And if you need help, start looking for answers at Thomson Reuters Solutions Finder.