The Spring is a good time for all businesses to review and update their cybersecurity policies and practices.
We are only a few months into 2019, and already we are hearing breaking news about new data breaches. The German government suffered a breach involving many prominent politicians and celebrities and Singapore Airlines announced that changes to its software in early 2019 allowed some members of its frequent flyer program to view the personal information of other members. These breaches were all preventable with proper diligence by the affected organizations.
Spring is a great time for businesses to make plans for operations, marketing and sales for the upcoming year. It is also an excellent time for all businesses to review and update their information security policies, practices, and technology.
Although the needs of each business will be different, you should focus on the following areas:
- Review and Update Your Policies, Procedures, and Technology. Consider the cyber-security risks associated with your lines of business, products and services, systems, devices, employees and vendors, particularly new ones. Do you need to update your business’s policies to address growing cyber risks? Is your business dealing with new kinds of personal or confidential information than in the past? Are the appropriate contract provisions in place, particularly with vendors, to protect personal information adequately? Now is the time to review and update your business’s policies, and to add new policies, procedures, and technologies to fill in any gaps.
- Maintain and Improve Awareness. Adopting the best policies and technology to protect your business can only go so far. That is why employee security awareness and data loss prevention training are critical to minimize data breaches. However, threats change, systems change, and people forget. Businesses should conduct frequent trainings to help employees recognize and respond appropriately to suspicious behavior. While the details may differ, your business should conduct training at all levels of the organization. Now is the time to plan and schedule the training sessions throughout the year, and to make a plan to ensure that all of your technology systems are consistently and properly updated over the course of the year.
- Do Some Spring Cleaning. Many homeowners “clean house” periodically and throw away or give away unwanted items. A business also should take inventory and reduce the amount of information it is collecting and storing. You can reduce the harm from a breach by minimizing the amount and types of information you collect to only that which is necessary. As part of the periodic housekeeping process, you and your employees should also change your passwords and confirm that you do not use the same password for multiple accounts.
- Evaluate Insurance Options. Many businesses are surprised to discover that their general commercial liability policies do not cover most types of cyber risks. Commercial general liability policies typically only cover bodily injury and property damage, not monetary losses, ransom costs, or regulatory fees and expenses. In addition, coverage is often limited to losses caused by “tangible” means, while insurance companies typically consider data breaches to be “intangible” causes not covered by the policy. Most commercial general liability policies also include an exclusion for access to or disclosure of confidential information, and the resulting liability. Cyber insurance is still an emerging product. There are differences in services and coverages, as well as in the services for which the policy will pay, making it critical to take the time to understand the changes and services provided by insurance carriers.
Defending against cyber-attacks has become a cost of doing business for all businesses. The first defense is to have consistent policies and procedures in place that are followed by all employees and others who have access to confidential data. As a backstop, cyber insurance can be an important part of that defense for many businesses, but not all cyber insurance policies are created equal, and care is needed to understand and properly protect against risks.
A version of this article is published in the Spring 2019 issue of The Anchor, and can be viewed here.