Preemptive Measures to Limit a Cyberattack’s Damage to Your Business

05.01.2024
Issues & Policies

The following article was first published in the Hartford Business Journal. It is reposted here with the permission of the authors.


It’s been nine months since Connecticut’s sweeping new data privacy law to protect consumers took effect, after lawmakers made the decision that due to inaction in Congress, the state should pass its own law to protect consumer data.

By all indications, Connecticut businesses impacted by the new law seem to be taking it seriously in terms of compliance, with some even going above and beyond what is required.

This is good news.

Having this sweeping law on the books is progress indeed, but the unfortunate reality in 2024 is that no state law can ever fully protect a business or consumers from those looking to cause chaos and harm, as the risk of a cyberattack remains as heightened as ever.

So, it is still up to the individual business to remain breach-ready at all times, because no one is ever breach-proof. Businesses should not think in terms of whether a cyberattack can happen, but when one will.

Because when such an attack occurs, it is no laughing matter.

According to IBM, the average cost of a data breach is $4.45 million, and there is also a $1.3 million average cost of lost sales and revenue associated with an incident.

Additionally, there is the impact to the company’s reputation — a recent survey of 1,000 U.S. consumers found 60% of respondents are less likely to work with a brand that has suffered a data breach, and 21% will immediately seek a new provider following an incident.

This is why establishing core procedures that will potentially mitigate the harm derived from a data breach is critical, both to protect sensitive data and to limit any resulting reputational damage to a business.

Reducing Risks

For starters, companies should very much strive to be in a state of “breach-readiness.” This means three things: reducing the likelihood of a breach, reducing the scope of a breach and being prepared to respond when a breach eventually occurs.

Once this is made clear, there are a number of steps that must be taken. The first is that the company should develop an understanding of what its cyber risk profile is. This means asking a series of questions.

What personal data does it collect and retain? With whom is that data shared? Where is the data located? This step is also referred to as data mapping or data inventory, and it is crucial—a business cannot protect data unless it knows what it is and where it is located.

Having this knowledge, a business can then evaluate its cybersecurity on a number of levels, including technical security (such as encryption, multifactor verification, threat detection software and more), administrative controls (properly training staff) and the actual physical controls they have in place (such as security cameras, visitor policies and document storage).

Next, a business should be looking to limit the scope of an eventual attack, which is why a data-minimization project is often very helpful.

This involves reducing the volume of collected data, and reducing the data fields that are kept on file. After all, data cannot be breached if it cannot be found in your system.

Training Plan

Lastly, as with every strategic undertaking, there needs to be a plan in place to train employees on what to do in case of a breach, as well as to test existing plans to determine their overall efficacy.

Companies should encourage their employees to develop and constantly review a comprehensive cybersecurity plan, including tabletop breach simulations and written response plans that are shared throughout the business.

As each employer is different, it is equally important that these plans are tailored and optimized to fit the unique needs of each individual business.

Connecticut’s new law was a meaningful step to provide some protection to consumers, but as in many cases, a law alone will not stop those who are determined to hack into, steal from, and disrupt a business.

This is why preemptive protections are so important, as is informing the employee base just how critical these protections are.

Perhaps a company can’t stop an attack from happening, but it can take steps to potentially limit the harm it causes.


About the authors: Chris DiPentima is the president and CEO of CBIA. William Roberts is a partner with Day Pitney LLP and co-chair of the firm’s data privacy, protection and litigation practice.
