Companies must plan for a potential data breach and theft of intellectual property
Last year cyber-crime may have evolved into cyber-warfare. Welcome to a new era of cyber warfare, with nation states like Russia hacking into the DNC email and stealing thousands of emails. From what we know, the information hacked and released injected distraction and, subsequently, doubt about the Democratic Presidential candidate. If one had read this headline just 18 months ago, few would have given it any credibility. We now understand, as perhaps never before, that the ability of these global bad actors to take what they want, whenever they want, is highly likely.
In the same way that the FBI and other intelligence agencies rely on specialized expertise to protect US Government secrets from foreign intelligence services and cyber criminals, companies are turning to cyber security experts to assist them in the protection of critical company information as they face an ever-increasing array of threats to their success and even viability.
Companies realize that they have a legal obligation to protect their stockholders, investors, employees, and customers from known and unknown, but reasonably foreseeable, cyber-crime threats. Target, Sony Pictures, the IRS, OPM, Anthem, et al., were all breached in the last several years. Analysis after each breach revealed that each of these entities was prepared for cybercrime at some level (Anthem was at a high level and still was breached), yet was ultimately unable to catch sophisticated intruders who were hiding within its own networks.
For the same reason that companies purchase insurance, e.g. to protect them against unanticipated events such as fire, theft, natural disasters, etc., companies must now take more proactive measures to protect themselves against a cyber breach. The cost of investigation and mitigation efforts, and the potential loss of reputation and market share, may well exceed the cost of a robust cyber-crime defense. Once companies fully understand that many of the costs to their business cannot be effectively insured, investing in threat prevention is a smart investment.
As 2017 begins with an optimistic business forecast, the most farsighted company leaders have appreciated the increased risks to their business and have begun to plan for such a likelihood. The threat of a data breach transcends what the company sells, how loyal all their employees may be, and how secure their servers, cloud, and third-party vendors seem to be. Sensitive corporate data, to remain secure, requires strong risk management oversight, proper cybersecurity defenses and protocols, and most importantly, policies and procedures which encourage an engaged, enthusiastic and committed work force.
Perhaps the most frightening and insidious problem is not knowing what you don’t know. For example, it is reported that the Russian hackers spent a year-plus inside the Democratic National Committee servers before they were discovered. For five months, the US Office of Personnel Management was oblivious to the cyber thieves that stole the records of more than four million federal employees. Intruders broke into Yahoo’s systems in 2013, and it is still not known how long these bad actors were inside; Yahoo only discovered that its servers had been breached when stolen data turned up for sale on the dark web two years later, compromising over 500 million user accounts.
As companies invest more in cyber security in 2017, the focus should be on your biggest risk: computers don’t steal data – people do. The largest single threat comes from infiltration of your systems not only externally but, in many cases, with internal assistance by just one disgruntled or malicious employee.
Senior leaders within small and mid-sized companies, including the CIO, Chief Risk Officer, Chief Privacy Officer, Human Resources Chief, General Counsel, Communications Head, and Chief Security Officer, are generally not organized and trained to effectively prevent and promptly respond to a data breach, whether from an internal or external source.
Instead of a clear and comprehensive insider-threat, cyber-crime management plan, many companies have ambiguous, outdated and unenforced policies regarding the protection of sensitive information. Further, ownership of employee-created information (including emails) is often unclear, making effective prevention and response even more problematic. In addition, uneven hiring and firing practices will negatively impact the ability of the organization to reach its vision of a ‘trusted and engaged’ workforce. When (not ‘if’) one of your colleagues leaves under acrimonious circumstances, sensitive and proprietary data is at risk of leaving as well.
This is the year companies must invest in a comprehensive insider threat, cybercrime plan. Benjamin Franklin’s axiom has never been more prescient – “An ounce of prevention is worth a pound of cure”.