After the massive data breach involving Marriott’s Starwood hotel brands was reported in 2018, businesses of all sizes began wondering again if anyone can remain safe against hackers. About 500 million guests who stayed at Starwood properties (including Westin, Sheraton, W Hotels, and the St. Regis) had their names, phone numbers, email addresses, birth dates, encrypted credit card data and other information stolen.
What’s shocked people even more is that this breach covered a four-year time period extending from 2014 through September 2018. It’s hard to believe that any company’s computer networks could be so severely compromised over such a long period of time before being discovered.
Companies of all sizes that haven’t already done so must immediately take proactive steps to reduce their chances of having their customer data and other proprietary information suddenly stolen or compromised.
What one past study revealed about cybersecurity threats, which keep increasing annually
- Close to half of the businesses surveyed consider themselves “very dependent” on the Internet for their daily business operations;
- Over one-third of those interviewed said that it would be very damaging for their companies to be without Internet access for 48 hours in a row;
- Small business employees rely on using the Internet for 75% to 100% of their daily work.
A much more recent study revealed that 58% of the victims of malware (cybersecurity) attacks are small businesses. Furthermore, cyber attacks wound up costing most targeted small companies about $2,235,000. Clearly, no one should avoid addressing this crucial issue.
Fortunately, various cybersecurity experts and business professionals are sharing their ideas about some of the best ways to prevent new attacks – as opposed to just responding to them.
You must determine your current level of risk of an attack before creating a protection plan
Even if you already have a highly qualified IT professional on your payroll, it’s often best to hire an outside cybersecurity consultant to come in and objectively assess your various levels of risk from a hacking attack. A “white-hat hacker” (someone on your side) can attempt to evaluate your code vulnerabilities and network and system weaknesses.
This expert can also evaluate how appropriately your employees are responding to suspicious emails that could easily introduce malware into your computer networks and databases. Give serious thought to having this type of outside expert audit your risk level at least once every two years – if not annually.
Keep in mind that it’s often useful to assign a risk level of low, medium or high to each system that might be compromised by a data breach. This can help you as you design a cybersecurity protection plan that prioritizes various risks.
Regularly review the FINRA cybersecurity checklist if you’re a smaller firm or business
This source is designed to help companies handle the following tasks.
- Identify and evaluate all current cybersecurity threats to better protect all business assets against outside intrusions (or in-house security lapses);
- Readily determine when your company software or databases have been hacked or compromised;
- Decide (in advance) how to quickly counter attacks or threats as soon as they’re detected. It’s always wise to create several options based on the type of information or software that may be under attack;
- Develop a plan with any in-house IT professionals and your outside cybersecurity consultant for readily recovering any company assets that are lost, stolen or otherwise compromised.
Create an employee training program that will help protect your systems and networks
Your employees must take the ongoing threat of a cyberattack very seriously. Staff members who fail to follow all in-house cybersecurity protocols often make it easier for outside hackers to gain entry. You might consider requiring two-factor authentication for those seeking to gain access to some of your company’s most valuable or vulnerable accounts.
Before providing this training, you must decide which parts of your computer network, systems and databases should remain off limits to various levels of employees.
It’s also important to let your employees know if you’ll be regularly monitoring their usage of all company computers. (It’s best to obtain written permission for this practice at the time you initially hire all employees.) Inform everyone that each employee’s access to information will probably be restricted, based on their normal daily need to access certain information or to complete their assigned tasks.
Give very serious thought to limiting the outside Internet websites that employees can visit while at work and indicate what types of data downloads from outside sources are forbidden. Including these restrictions in your company’s formal training and cybersecurity protocol can help decrease the chances of anyone downloading threatening malware or viruses.
Always require everyone to use encrypted connections when accessing company databases and accounts. You should also encrypt access to all email accounts. Finally, be sure all employees know the safest ways to file and store data, so it can be fully protected from hackers, while remaining easy to access again when needed.
Regardless of whether someone is being fired or has accepted a new job elsewhere, you need to have a systematic way of reclaiming company property when workers leave. You must also revoke their access to all business networks. Be sure all exiting employees return all company laptops, ID badges, company credit cards, mobile devices and other equipment.
Finally, delete the email addresses of exiting employees as soon as they leave. Someone should also change the company passwords they regularly used that were not encrypted. And always try to make sure every employee has signed an appropriate NDA (non-disclosure agreement).
Although this list of suggestions is not intended to be comprehensive, we hope it will help your company gain greater protection against future cybersecurity attacks.
Please feel free to contact one of our Murray Lobb attorneys about how various Texas and federal cybersecurity laws and regulations may impact your company. We can also provide you with a non-disclosure agreement for exiting employees to sign and review the terms and legal limitations of any cybersecurity insurance policy that you may be looking at in hopes of limiting your business liability for future data breaches.