Perform a Cybersecurity Checkup for a Healthy Start in 2018

November 2017

Kristen G. Hilton, CIPP/US

Published in the Daily Journal of Commerce

Stories about cybersecurity and data breaches, like the one involving Equifax, have dominated the news this year. While large-scale incidents at national companies get the most press, all businesses are at risk. Small and medium-size businesses are hit by nearly two-thirds of all cyberattacks – about 4,000 a day, according to IBM. Such attacks are costly. The average price a small business has to pay to clean up after a cyberattack was about $690,000, according to a 2016 report by the Ponemon Institute research firm.

It is more important than ever to perform regular cybersecurity checkups. Here are five things businesses can and should do before the end of the year to protect themselves from a cyberattack, and prepare to effectively respond if and when one occurs.

1.  Perform a data risk assessment

Performing a data risk assessment will demonstrate how information flows through a business and help identify vulnerabilities.

Take stock of the business' type(s) of personal, confidential and financial data, how it is collected, and where it is stored. Even businesses that do not deal directly with consumers may have information desirable to cyber criminals, including employee social security numbers, bank account numbers and business trade secrets.

Consider who has access to the data and how they access it, such as from remote work stations or mobile devices. Look at how the data is secured and transmitted, both internally and externally, and whether the data is backed up properly. For instance, if someone requests a wire transfer or a copy of a W-2 form via email, are set procedures in place to verify the request is legitimate?

Finally, examine how data is retained, how long it is retained, and when it is destroyed.

2.  Update IT systems

Once data has been identified, take steps to safeguard it. The latest security software, web browser and operating system are the best defenses against cyber threats.

Make sure that all available software updates are installed and that future updates are installed as soon as available. If employees use their own devices to access business data, those devices also must be updated with the latest software patches. If the business operates a website, update its content management system, and don't forget to install security updates on its server as well.

After installing all updates, run antivirus software. Confirm that the operating system's firewall is enabled, or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

If there is no in-house IT expertise to set up and implement security measures, consider hiring an expert. It is better to be safe than sorry.

3.  Prepare an incident response plan

Even with security measures in place, data breaches and cyberattacks may still occur. It is crucial to have an incident response plan in place before a breach occurs. A response plan helps limit damage, and ensures compliance with state and federal laws, such as Oregon's data breach notification law.

The first step in creating an incident response plan is to designate a response team. The team should be led by one person who has extensive knowledge of the business' network and system security. This person, perhaps the head of IT, will be responsible for managing and coordinating response and mitigation efforts, among other things.

The response plan should include the categories of data that the business has a duty to protect, the roles and responsibilities of the response team, and an internal and external communication plan. The external communication plan should include names and phone numbers of computer forensics experts, outside counsel, law enforcement and government agencies, and fraud or credit monitoring services.

In addition, the response plan should detail the steps required by breach notification laws, and list any other obligations that apply in case of a breach (such as contractual notice provisions).

Once drafted, test the plan on a regular basis and make adjustments as necessary.

4.  Conduct employee training

A well-trained workforce is the best defense against cyberattacks. Ponemon Institute's 2017 Cost of Data Breach Study suggests that human error caused 28 percent of data breaches last year, and according to a December 2016 study by PhishMe Inc., an estimated 91 percent of cyberattacks begin with a "phishing" email, in which an employee clicks on an unsafe link.

Train staff on safe browsing rules and how to spot cybersecurity vulnerabilities. It is important they know how to recognize common information security risks, including social engineering, phishing and online fraud, and that they understand how to avoid emailed or web links from suspicious or unknown sources.

In addition, train employees on what to do when encountering suspicious activity online. They should be familiar with the incident response plan and know how to report threats and to whom. As new risks are discovered, update employees on security protocols.

Even if the business has conducted cybersecurity training in the past, consider trying a fresh approach. New data suggests that game-based and interactive training that focuses on positive incentives may be more effective than traditional methods.

5.  Consider cyber insurance

Purchasing cyber insurance may be another way to bolster a business' long-term health. Most cyber policies cover the replacement of lost or damaged equipment, forensic and investigative costs, along with legal expenses and crisis management. They may also cover breach response costs, such as notifying the individuals affected by a breach and providing them with credit monitoring.

Cyber insurance may be especially valuable for those businesses that do not have an IT department or dedicated IT manager because insurers often require assessments and other steps to improve security before issuing a policy. Some insurers even offer services, such as assistance with incident response plans and network penetration testing.

If a company partners with or supplies large organizations, or wants to do so in the future, cyber insurance may be a requirement of doing business.

Kristen Hilton is an attorney with Sussman Shank LLP. She focuses on business litigation and employment. Contact her at 503-243-1654 or
