Are Companies Doing Enough to Protect Themselves from Cyberattack?

Member Papers

Data-Privacy Specialists from across the Mackrell International Legal Network tackle the issue:

An Interpol report indicated that cybercrime was a major issue even before the onset of the COVID-19 pandemic.

Ransomware and spear-phishing attacks utilizing the phrases “corona” or “COVID” have escalated dramatically.

In other words, hackers view the pandemic as an opportunity. They understand that the rapid deployment of remote workforces has increased system and network vulnerability for businesses and government agencies.

It is clear that in this new security environment some companies are doing enough to combat cyberattack—and some are not.

What should companies do to guard against cyberattack and to satisfy stakeholders of the efficacy of their efforts?

First and foremost, businesses need to avoid basic negligence by properly training employees on organizational security policies and the need to implement them even when working remotely.

Companies must implement robust password protocols which do not allow remote employees to pick their own passwords. Company policy should, amongst other things, prohibit remote employees from leaving computers on all night or printing proprietary data in hard copy form when secure shredding may not be an option in home work-spaces.

This is key from both a regulatory and an insurance point-of-view—and from the point-of-view of other stakeholders.

Increasingly, shareholders, customers, and regulators are demanding reports of companies’ data protection efforts – even as part of the Annual Report. This obligation is a growing maintenance cost for every business, and it will only increase as further data breaches and other public concerns draw attention to failures to protect data and drive increased regulation.

Businesses need to instill in every employee—particularly those with access to a network—the need for constant vigilance. Every employee must understand that it only takes one click on the wrong link in the wrong email to compromise the data of an entire network.

Developing an organizational culture of data security.

Implementing the right security policies not only as operational guidelines but also as a key component of new employee intake and current employee training will help to ensure that this occurs.

The development of an Acceptable Use Policy (“AUP”) is an excellent means of not only tasking employees with the personal responsibility for data security but also assuring shareholders, insurers, and regulators that the organization has taken the necessary steps to mitigate cyber-attacks.

An AUP can be made binding as a component of employment contracts, and it can be used in conjunction with employee training and new employee induction processes.

Making employees aware of the importance of avoiding pop-ups and malicious email links and adhering to company policy in reporting security risks and breaches of that sort should be a condition of continued employment.

A properly drafted and disseminated AUP can also provide a defense against wrongful actions by former employees, as well as an avenue for action against employees for data breaches and misuse.

Likewise, a Bring Your Own Device (“BYOD”) policy will ensure that employee use of private computers, tablets, and other devices to access company data does not present a security risk.

A BYOD policy will require that employees using their own devices comply with company password rules and other data security policies. It can further require that employees do not attempt to override company security systems and that the company maintains the right and ability to remotely wipe such devices should they be lost or stolen.

A changed landscape for employers and employees.

It is crucial for companies who have moved formerly office-bound staff to remote work environments to recognize that the pandemic has changed the security landscape dramatically—and potentially permanently.

It is never too late to create a company culture with data-security at its core – to formulate, draft, and train employees on security policies that will effectively protect company and customer data from cyberattack and other threats. This will also help you comply with increased stakeholder demands and increased regulation, whilst potentially also reducing costly insurance premiums.

Transcript of an MI webinar on data-privacy and cybersecurity involving:

James Carnie from Clendons in New Zealand

Benson Ngugi from Igeria & Ngugi in Kenya

Alex Koskey from Baker Donelson in the USA

Stephanie Sparks from Hoge Fenton in the USA

Emiel de Joode from TenHolter Noordam in the Netherlands.