The National Institute of Standards and Technology released its “Framework for Improving Critical Infrastructure Cybersecurity” in February. Yet a recent survey by Today’s General Counsel magazine (a discussion of which can be found here) indicated that roughly two-thirds of its respondents had failed to either read or take any action in response to the “Framework.” The Framework will help your company identify its risks, protect against those risks, detect cybersecurity events, and have a plan in place to respond to and recover from cybersecurity events. And other government resources (e.g., the Department of Homeland Security’s Stop. Think. Connect. Campaign) provide simple tips on how you can make your company’s data more secure, including:

  • Buying data risk insurance.
  • Securing your data by requiring more secure passwords and other user authentication.
  • Controlling access to your data and restricting who has “administrative” access to your network: don’t let everyone in your company access all your valuable data. Consider segregating critical and valuable data to a separate/private network.
  • Backing up important data.
  • Properly vetting new employees by analyzing background checks, applications, resumes, interviews, and references.
  • Educating employees by ensuring they know about phishing schemes, “scareware,” and related tricks. Tell them about the dangers of thumb drives and other removable media.
  • Preparing a plan for departing employees.
  • Protecting against malware by, among other things, keeping security software up to date.
  • Planning for loss or theft, including having a loss or theft reporting protocol: you should not be developing a plan after a breach.

 

Don’t expose your organization to unnecessary risks. As noted above, your company can take simple steps to dramatically improve its cybersecurity. Failing to install appropriate safeguards to protect your company’s data increases its exposure in the event of a lawsuit or other investigation related to a data breach (not to mention the risk to corporate executives’ jobs). If you have any questions about what specific safeguards you should put in place for your business or industry, please contact me.