Data Protection Goes Beyond “Don’t Click on That”
by Michelle Bomberger | February 24, 2021
We’ve all heard about cybersecurity risks and the increasing sophistication of hackers seeking to access our data. Small businesses are particularly at risk because they often don’t have sophisticated systems in place. The shift to working from home, driven initially by COVID-19 but likely to continue, has created even more points of access. Employees may use their personal devices or work from unsecured networks, opening the door to additional cybersecurity risks. As business owners, leaders, and entrepreneurs, we have to understand the importance of data protection and seek out sources to assist in preparing for emergencies.
Protecting Physical Assets vs. Data Assets
The reality is that business leaders know this risk is out there, but we don’t know how to mitigate it. I would ask: “How do you protect other critical assets of your company?” With physical assets, we know certain items need more protection than others. We look at a particular asset – say a set of documents – and decide what level of protection it requires. Do we leave the documents in the open, shred them, put them under lock and key, or keep them in a fireproof safe? We then set a standard and communicate that standard to our team. In the case of equipment, we identify the risks of machine failure, establish maintenance procedures to maximize the equipment’s life, and make backup plans in case the equipment fails. We then communicate those procedures and plans to our team. After putting procedures in place, we consider whether we need insurance to protect those assets.
Data Asset Risks
Data protection is not much different – it’s just that many of us don’t understand the nature of the risks. This is different from a fire or flood. We also don’t understand the technical aspects well enough to know if we’ve got it nailed down. Again, it’s different than a cabinet with a lock and key. Much of our data is now sitting in “the cloud,” and we rely on those third parties to safeguard it. In addition, most terms and conditions release the vendor from much of the liability. We also rely on insurance without full knowledge of what the insurance covers or doesn’t cover. These actions make us feel better about our risks – but don’t actually address the specific risks of a cyberattack because we don’t really understand how to identify them.
Implications of a Data Breach
I was speaking with a lawyer-entrepreneur who is in the tech space. Their firm was recently hacked. An email came in that appeared to be a PDF invoice from a vendor. Once that email was acted on, the hackers obtained access to all the emails in the employee’s inbox. For a law firm, this is a big deal. We’ve had a few clients with similar situations.
What are the implications of a breach? You’ll need to disclose the breach, which will cause reputational damage and lost revenue. Many businesses never recover. The hackers may also gain access to confidential intellectual property. The time and financial costs of remediation are high, and there may also be regulatory fines to pay.
We can no longer put our heads in the sand and believe it’s not going to happen to us or simply instruct employees not to click on things they don’t recognize. With the sophistication of hackers, we need specific procedures for data protection, for identifying phishing techniques, and for disaster recovery that spell out what to do when (not if) it happens. This is your first line of defense – but because we don’t understand it, we’re lost as to how to tackle it. Given the scale of the risk, consider whether you need outside help to get your plan in place. It will give you peace of mind and reduce the risk of an attack resulting in irreparable damage.
You are not alone – speak with our corporate counsel attorneys to review and formalize contracts, develop privacy policies, review company procedures, obtain essential data protection resources, and much more. Contact us at 425-250-0205 or email@example.com.
Legal Disclaimer: This article contains general information. Do not view this article as legal advice. Talk with counsel familiar with your unique business needs before taking or refraining from any action.