Many have heard that “it is not a matter of if a company will be attacked, but when.” Statements like this used to be met with skepticism – companies would say we do not have information hackers want, we outsource our security so we have no risk, or the IT department said it will never happen to us. Over the last few years and the litany of high profile incidents, however, there has been a noticeable shift in how companies assess their cybersecurity risks and the steps taken to lessen the likelihood of an incident and to be better prepared to respond if one occurs. There is no room for doubt–cybersecurity is an issue that the executive leadership teams and Boards of Directors must address.
After working with companies to respond to over 750 potential incidents, our advice to companies is to become and stay “compromise ready.” This is easier said than done and involves finding the right mixture of the following elements based on the company’s risk profile and appetite. Companies should also consider how these activities can be conducted so they are subject to the attorney-client privilege and work product protection.
Risk & Security Assessments – If you do not know what sensitive personal information and business data you have, where it resides, and who has access, you cannot implement appropriate safeguards to protect it. When facing a potential security incident, the inability to provide an accurate network diagram and describe the company’s sensitive data flow will complicate the forensic investigation. We often see companies (even large companies with sophisticated IT/IS departments) not able to provide these at the outset of an investigation.