[co-author: Scot Huntsberry*]
Over the past few months, the OIG shorts series focused on structuring and implementing a comprehensive and effective ethics and compliance program. Many times, this requires a mindset shift from a checking-the-box mentality to a wholistic approach in which everyone feels they have an important role to play. Nowhere is this more apropos than in the area of cybersecurity including developing a data security strategy and maintaining an effective incident response plan.
This post focuses on the importance of developing and implementing practical Information Security policies and procedures within your organization as well as the ethical and legal obligations you have to protect your organization’s sensitive data. Our next post will cover the vital role cyber incident response planning plays – not only in the aftermath of a cyber-attack, but in preventing many such attacks.
The security of your organization’s information systems and the data stored within are essential components of virtually every aspect of your business. Your data needs to be trustworthy, readily available as needed for the business, and only accessible by authorized users. Depending on the type(s) of data you hold – e.g., personal information of employees, customer information, trade secrets, credit card information, sensitive government data, protected health information, export controlled information, and/or company proprietary information – you will be subject to minimum security requirements through regulations and contractual obligations, but also should explore additional practices based on your specific risk profile.
Consider that when critical systems are interrupted or destroyed, there will likely be financial and reputational consequences for your organization such as:
- Compromised or Altered Data – Theft of trade secrets could cause you to lose business to your competitors. Exposure of customer information could result in loss of trust and business.
- System Downtime – When a system fails to perform its primary function, customers may be unable to place orders and employees may be unable to do their jobs or communicate.
- Legal Consequences – If data is exposed or stolen from one of your databases, you can incur fines and other legal costs because you failed to comply with data protection security requirements such as HIPAA.
Unfortunately, many organizations still base their security plans on generic minimum requirements rather than a risk assessment tailored to their company. To be successful in today’s business environment, the simple reality is this: you are in the Information Technology risk management business.
Understanding the specific risks to your organization is essential to developing appropriate security measures. Before you spend substantial budget or time implementing a solution to reduce risk, you should feel confident in your answers to the following questions:
- What are your organization’s critical assets – specifically data – which if exposed would have a major impact on your business operations?
- What are the top five business processes that utilize or require this information?
- What threats could affect the ability of those business functions to operate?
- What is the risk you are actually attempting to reduce?
- Is this risk really the highest priority security risk for your organization?
- Are existing controls sufficiently mitigating this risk?
- Are new risk mitigation strategies cost-effective options?
Once you know what you need to protect, you can begin developing defensive strategies.
Protecting your organization from cyber threats – both from within and without – demands a great deal of your IT staff’s time and resources. But, as most organizations now understand, good data security is the responsibility of everyone in the company. It only takes one careless employee leaving sensitive data unprotected, and potentially ending up in the wrong hands, to create an obligation for you to investigate, potentially report, and suffer the consequences associated with a data breach. Thus, a robust training program that ideally includes drills and tabletop exercises can go a long way to minimize the risk of human error.
In 2022, Black Fog, which tracks publicly reported Ransomware attacks, reported a 29% increase in such attacks over 2021 and 34% increase from 2020 In 2022. But perhaps more concerning, 2022 brought with it the first occurrence of a national government being successfully targeted by Ransomware criminals. Beginning in the spring, Costa Rica’s government networks became infected with a strain of Ransomware that led to a series of cascading infections through the country. The interruptions to critical services caused by these Ransomware attacks ultimately led to Costa Rica declaring a state of emergency.
As many companies have found out the hard way, compliance does not necessarily mean you have achieved security. Laws and regulations in this space generally lag behind technology and are responsive to the ever-evolving cyber threats. Thus, in addition to compliance, you must consider your risk and the best methods to protect yourself from cyber threats. Most organizations understand it is no longer a matter of “if” but “when” they will be subject to a cyber-attack. Good awareness of information security obligations and best practices throughout the organization – facilitated through focus on cybersecurity in the C-suite and emphasis on training – will minimize risk of an incident and help mitigate negative consequences that can hamper your reputation and ability to do business effectively.
The second installment in our cybersecurity series will take a look at the role that developing and practicing a robust Incident Response Plan plays in not only preparing for a cyber incident, but in fostering a positive Information Security culture within your organization.
*Scot Huntsberry is an Investigations Specialist and Sheppard Mullin ABLE Fellow in the firm’s Washington, D.C. office.