
Managing cybersecurity threats an ever-evolving process

Cyberattacks continue to grow, with a 30% increase in weekly attacks on corporate networks in Q2 2024 compared to Q2 2023, and a 25% rise compared to Q1 2024, according to Check Point Research.

“It’s almost incalculable how many threats exist,” said Reg Harnish, CEO of OrbitalFire, a cybersecurity services provider specifically for small businesses. “Some of those are accidents, but some of those are intentional. The motivations can all be different, but the number of threats is truly incalculable.”

Whether by malicious or accidental means, how can businesses protect themselves from cyber incidents? Identifying risks and developing a security program around them is key.

“To identify the risks, you take all the potential problems, you evaluate likelihood, then you evaluate impact,” Harnish said. “Using simple math, you multiply likelihood times impact and those become your identified risks. Then you just sort from most to least and that’s really how you build a cybersecurity program.”

Harnish says a business’s cybersecurity program should match their risk tolerance and that one of the most overlooked pieces of putting a program together is putting someone’s name on it to create accountability.

“Managing risk has become very popular and it’s been really since ‘69 when we invented the Internet, but today it’s truly a critical capability for any organization because they can’t deal with all the threats and they can’t implement all the solutions without it,” Harnish said.

Cheryl Nelan, president and owner of CMIT Solutions of Rochester, explains that the first step in developing a cybersecurity program is recognizing that you are at risk of a data breach regardless of the size of your business.

“Every business needs to recognize that it’s a concern for them,” Nelan said. “It’s not something you set aside and think, ‘Oh, it’s not going to happen to me.’ It’s something everyone really must manage.”

When it comes to cybersecurity, she says that identified risks need to be looked at with a broad brush that includes risk from employees, third-party vendors, cybercriminals and more.

“Have a brainstorm with your team,” said Nelan about a good first step in identifying the risks unique to your business. “Multiple minds can come up with a lot. Also, having some type of partner like an MSP [managed service provider], IT consultant or general business consultant to help you talk through the risks and help you protect yourself is important.”

When your security program is in place, Nelan stresses that it’s an ever-evolving process that requires diligence and frequent re-visiting.

“Even if you had all the budget in the world and you just did absolutely everything you could think of to lock things down and protect yourself well, things are going to evolve,” she said. “You have to continually look at it because as soon as you close one hole, they’ll [bad actors] find another one.”

Attorneys can also help guide best practices to avoid a cyber incident and manage post-incident response, along with advising on regulatory compliance and risk assessments, potential litigation, regulatory action and more.

“When I’m involved in risk assessment interviews, I’m able to play a meaningful role in the question and answer process to help uncover that risk and identify those potential areas of gaps when it comes to compliance with applicable laws,” said Daniel J. Altieri, a partner at Harter Secrest & Emery who is a member of the firm’s privacy and data security team.

Altieri works with companies of all sizes and says that the challenge he sees for some businesses is getting started when it comes to cybersecurity risk assessment and incident response planning.

“It is very easy for organizations to get overwhelmed either because of the complexity of their networks or the risks that they face or that they hear about on a daily basis,” Altieri said. “And, unfortunately, what sometimes happens is that feeling of being completely overwhelmed leads to a sort of paralysis where there’s so much to get done that nothing gets done because you don’t know where to start.”

Altieri says that the first way to push past that overwhelmed state is to identify someone within your organization who will take ownership of your security program and be responsible for pushing it forward and holding others accountable for adherence.

“The second and probably most important thing that organizations can do is perform a good risk assessment on a regular basis,” said Altieri, who recommends using a standardized framework, such as the U.S. Department of Commerce’s NIST Cybersecurity Framework. “It’s going to help give you structure to your assessment, and it’s going to help make your assessment more defensible.”

It’s critical to involve an appropriate cross-section of your organization’s departments in the process, he said, including leadership, so that the result is a comprehensive, holistic, enterprise-wide risk assessment.

“It’s really important that organizations understand that a holistic and comprehensive risk assessment is going to extend beyond just the IT team,” Altieri said. “If you’re leaving anyone out, or if you’re focusing on just the IT team, what happens is that you develop blind spots and you’re not getting a clear picture of that risk that you’re facing.”

Once you’ve identified the risks, you need to realize they can’t be eliminated overnight and that even the biggest companies have some sort of resource limitations, he said. Therefore, you need to do some sort of scoring of the risks based on the likelihood of them causing harm and the scope of the potential impact if that harm is realized.

“Focus on making meaningful, measurable, but realistic progress over time so that by the time of your next risk assessment hopefully your top risks are going to look a little bit different,” Altieri said.