Emerging Markets Law

Showing 2 posts from October 2017.

Five Lessons from Equifax

The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.

For other businesses, Equifax is going to be a case study — for YEARS — on how not to handle a crisis. Among the reports:

  • The company’s leadership ignored warning signs of an issue.
  • The warnings were ignored because of a spat with the vendor that flagged the issue.
  • The C-suite didn’t inform the board of the known breach – involving HALF of Americans – for three weeks after learning of it.
  • The company approved stock sales by several insiders after the problems came to light.
  • Etc. Etc.

In other words: the news keeps getting worse.

For companies on the outside of Equifax, what are the lessons to draw? This is a timely exercise to run through: October is National Cybersecurity Month.

  1. Lock up your information. This is priority one. It is not, however, enough. All locks can be picked. There has to be a behavioral focus as well.
  2. Create a culture that values confidentiality and makes those problems an urgent priority. If your factory shut down, you’d be all over it; an infosec/cyber compromise might be no less urgent. Don’t wait to find out.
  3. Have a response plan that goes into effect upon discovery of a problem. Who steps up, what do they do, what do they say, and to whom? Knowing these things in advance, you will be able to act more quickly, and you will be more sure-footed, if you ever face a problem.
  4. Communicate clearly and timely. Let appropriate stakeholders know when you discover a problem, and be sure the timing, scope, and substance of those communications takes into effect the potential fall-out of the issue. Employees need to hear. The board needs to hear. The C-suite needs to hear. The public may need to hear. What they hear, and when, and in what order, may depend in part on the incident. But you have the power to tell the story at the beginning. If you tell a bad story, or a partial story, you lose control of the narrative.
  5. Security must be a priority from the top down. That is the only way to accomplish #1-4, and that is the biggest lesson of this debacle. It’s clear in hindsight that the company doesn’t have a culture attuned to confidentiality and security. Plenty of people could have made this better, but the collective response — from the outside and after the fact — looks like a big, collective shrug.

In short, cyber and infosec planning cannot be an afterthought: they have to BE your business. And they have to be treated like any operational issue, not like a mere box to check on your list of annual compliance matters. There is no better defense than a good offense. It’s your company: why wouldn’t you protect it? #cyberforgrowth #cyberforbusiness

National Cybersecurity Month: Protect Your Assets

It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.

All these entities “should know better.” They probably had layers and layers of plans in place. Their plans probably aimed at security for the benefit of their third-party constituents. They see the same headlines we all see, their lawyers tell them “you should do this so you don’t face angry consumers.” Their planning focused on liability avoidance.

Cyber planning IS important. The reality for most companies, though, is that the real value of planning is that it allows you to protect your own assets. Most companies will never be the subject of worldwide headlines and consumer class-action suits about a hack of their networks. Hackers routinely penetrate the networks of companies large and small, but the true danger for most companies is not a loss of consumer data. It’s that their own assets may take a hit.

Paying attention to cyber matters will be increasingly important as these major players continue to take very-public hits: it gets harder and harder for even small companies to say, “I never thought it could happen to me.” But the resources directed to information security planning don’t have to be all about network penetration and bells and whistles. They don’t have to be fancy and only capable of implementation with a huge legal, IT and risk management staff. A lot of problems can be avoided by simple process tweaks and employee awareness and training.

Consider the company customer records: they may not have any “personally identifiable information” in them, the loss of which drives the massive breach headlines we now see so routinely. But they probably contain pricing, discount information, volume and tiering plans, sales cycle data, and other material that would make you vulnerable if it got leaked.

Now consider that information in an Excel spreadsheet, not protected by encryption, role-based access, or even a password. How easy would it be for someone to email that outside the company, whether accidentally or on purpose?

Think it doesn’t happen? It does. I’ve had multiple clients face some variant of this spreadsheet email in the last three years. It’s disruptive, it’s expensive, it’s embarrassing, and it’s got the potential to lead to liability. Most importantly, it’s compromising your “secret sauce.” Why wouldn’t you spend some time on planning and training and shoring up a few easy practices to prevent this kind of event?

If you are a small company looking to grow, and looking for a buyer, having your assets protected is important to your value: that’s why you’ve registered your intellectual property, for instance, and put contracts in place to protect it. If you are a company at scale, protecting your assets is about investing in your stable returns.

None of this is expensive or scary or overly “techy.” It’s just good business sense.



Stay Connected

Subscribe to blog updates via email