MakovskyThursday, January 10, 2019
Cybersecurity has become a critical risk factors facing modern CEOs and business owners. Data-theft, industrial espionage, insider misuse, and ransomware have plagued businesses of all sizes, across all industries and has led to loss of productivity, customers, profitability and the trust of key stakeholders.
Who do you call when your business becomes the target of a cyberattack? None other than your cybersecurity A-Team. In November, we hosted an interactive forum to discuss practical and strategic methods for assembling a rapid-response team in the wake of a cyber breach.
Our panel of experts included John Curran, CEO & Co-CISO of Redpoint Cybersecurity, Michael Weinstein, Member of Litigation Department at Cole Schotz, Leonard Bailey, Special Counsel for National Security and Head of the Cybersecurity Unit at the U.S. Department of Justice, Doug Hesney, Executive Vice President of Financial & Professional Services at Makovsky, and Anthony Bracco, Partner and Leader of Anchin’s Litigation and Valuation Services Group.
If you couldn’t join us, here are six important takeaways about the legal, technical, accounting and public relations issues that often arise before, during, and after a data breach has occurred.
If you couldn’t join us, here are 5 important takeaways about the legal, technical, accounting and public relations issues that often arise before, during, and after a data breach has occurred.
Preventing the wide-spread damage of a breach requires understanding all of your network’s entry points and vulnerabilities.
“Most of the IT people I’ve talked to, I’ve asked them, ‘Exactly what does your network look like?’ and they’ll pull out a napkin and start drawing things on the back of it, and by and large, that’s the way it looks.
“They don’t generally have their arms around what their entire networks looks like. So your ability to defend that is going to be limited. You should really think about triaging. Look at your network and understand what it is, what kind of business you’re running, what you need to protect, what can’t go down, and focusing your efforts on those things.” – Leonard Bailey, U.S. Department of Justice
Prior to a breach, have outside counsel in place to exercise attorney-client privilege
“Anytime there’s a breach, you’re going to have potential litigation issues, notification to regulators, law enforcement, Department of Justice, FBI, FTC, SEC, and if you’re a public company, then you got all kinds of reporting requirements…What comes along with that is the legal requirements and discussions internally before those notifications occur. You want to make sure all of those discussions are protected under privilege. And if you don’t have an outside lawyer in place when a breach occurs, you’ll be scrambling to find someone who is knowledgeable about privilege issues.” – Michael Weinstein, Cole Schotz
Your IT Team Is Not Your Cybersecurity Defense Team
“Your IT team got hacked. If you got hacked, they got hacked. And a lot of times, [hackers] go through them first. Why? Because they have the keys to everything. That’s not negative against IT folks. They’re doing tremendous work. They’re working very hard. It is a matter of a niche skill set, having too many things to focus on at one time, and frequently, they’re not being listened to by senior management when they advocate for the budget and resources they need…Do not confuse an IT team with ethical hackers because they are absolutely not the same thing.” – John Curran, Redpoint Cybersecurity
Business executives need to take crisis communications seriously
“The number one issue that I have seen in any kind of crisis situation–whether it’s an investigative piece or some sort of controversy, or an activist is attacking the company–whatever the situation may be, the biggest issue that I have seen from CEOs and C-suite is not taking the communication side of it seriously enough, or having a blinkered view that this could be resolved relatively quickly, people aren’t going to care about this, or ask why do we have to engage with all of this preparatory work if this is not an issue.
“What I’ve seen is that the best way CEOs and the best executive leadership can navigate a crisis effectively is to have a plan that’s flexible enough to account for specifics that they’ll learn about the severity of the breach.” – Doug Hesney, Makovsky
Have a single narrative that is consistent and communicated effectively internally and externally
“You have to have one narrative. That one narrative has to drive everything–legal and communications both internally and externally. You need to have one person organize your message internally, and then bring everyone together to say, “This is our corporate narrative for how we’re dealing with this situation.
“Then you find out how to get that message out externally. It has to be consistent–whether you’re notifying customers, reaching out to law enforcement, you’re going to the SEC, or if you’re dealing with other experts. One narrative, and that has to be driven internally, agreed upon, and then it has to effectively communicated. That’s very important, because you don’t want two inconsistent statements–one from the communications staff and the second from the legal side.” –Michael Weinstein, Cole Schotz
Be open, honest, and transparent with stakeholders
“When I’m in the room with a CEO or an executive who is dealing with a crisis, my counsel is always to be as transparent as we possibly can be within the confines of what’s going to invoke liability or other issues.
“People are sophisticated consumers of news. People can read through a press release. People can read through the lines. People have become much better at decoding spin from reality. They can tell when a company is not being completely forward–especially if they’re not being forward at first, and then things sort of drip out…that’s where the real reputational damage comes in.” – Doug Hesney, Makovsky
– – – – –
Looking for more tips on how to effectively respond to and communicate about a data breach? Stay tuned for our our exclusive one-on-one interview with John Curran of Redpoint Cybersecurity.