When the FBI announced the arrest of a Russian hacker in October, it was notable – but maybe not for the reason you’d expect. Yevgeniy N., who was picked up in Prague, is implicated in the 2012 megabreach at LinkedIn. That cyberattack exposed the usernames and passwords of 117 million people, and led to a fire sale of login data on the open market. The size of the hack was extraordinary, but the arrest of its alleged perpetrator is astonishing not because of what authorities say he did, but because he was caught at all.
Most cybersecurity situations do not have such clear-cut endings. The criminals who conduct these attacks often hide behind the borders of nation-states that are unwilling to cooperate with the FBI or INTERPOL. Often, hackers go unpunished or even unidentified. And yet, victim companies continue to spend money, time and resources they don’t have playing legal whodunnit.
Companies need to think about how they can more effectively protect and prepare themselves. You can’t send your IT teams to law school, deputize your executives for international manhunts or break the bank hiring professionals to hunt down cybercriminals who aren’t likely to be caught. Instead, consider these three steps, which every business should take before it suffers a breach.
1. Establish roles and responsibilities for privacy governance
Data breach notification laws are complex, and they are only one part of the legal framework around data governance. Seeking legal advice before a breach, rather than after one, gives your business an edge when a serious incident occurs. You should already know the breach notification requirements, including the reporting deadlines, for every jurisdiction in which your company has customers, partners or business assets. Often you are required to notify both regulators and affected users. Those requirements are not something to dig into after a hack; learn them today.
Additionally, someone on your team needs to be responsible for collecting and preserving evidence for legal purposes, a role that should likewise be informed by prior training and legal advice: logs, disk images and other artifacts gathered without a documented chain of custody may be of little use later. Ideally, an in-house incident response team working with counsel can establish procedures and policies that benefit the entire organization. Getting educated and proactive about the legal aspects of data privacy can spare your company the legal fees that result from complications after a breach.
2. Train your employees to understand your policies, as well as threats such as email phishing
Do your executives, directors and other employees understand your cybersecurity policies? Having the documents is not enough. Teach your team what is in them and run simulation exercises so they know what to do when presented with a security threat. This is essential: industry surveys regularly put the share of attacks that begin with an employee error at around 90 percent, most often opening an email from an unfamiliar sender, or one crafted to look like a familiar one, and clicking a link or downloading an attachment.
Your policies should clearly set expectations around phishing and similar attack techniques, and should detail roles and responsibilities in the event of an attack, how to report suspicious activity, device management, privacy expectations and the incident response plan. Once you have created that material, teach it to your staff in engaging, interactive ways.
3. Implement intelligence-sharing procedures for immediate reactive action and partnership with law enforcement
As part of your incident response planning, establish contact with law enforcement before an incident so you can coordinate with them efficiently when an attack occurs. Determine which intelligence-sharing procedures your team will handle and which you will need to outsource in order to act quickly. Include your attorney in those plans and outline what his or her role will be.
The likelihood your company will suffer a cybersecurity breach remains far higher than the likelihood a hacker group that targets you will be caught. However, that fact does not mean your company is helpless. Protect your business now by educating your team about your policies and clearly defining post-breach responsibilities and roles.