4 tips to prevent data theft during the holiday season

As we head into another holiday shopping and giving season, it’s important to remember that cyber security is tested now more aggressively than at any other time of the year.

Online theft and fraud are increasingly rampant as consumers and businesses alike process millions of transactions as the holidays and year-end approach. In fact, more than half of retailers recognize increased cyber-attacks around the holidays, with most coming in the areas of supply chain attacks, data breaches and phishing attacks, according to a recent survey by managed security services provider VikingCloud as cited in trade publication Chain Store Age.

For most of us, that just means a reminder to keep our credit cards in places where we know they are safe, be vigilant about looking at our bank statements for any suspicious entries and ensure our annual giving to charity is going where it’s supposed to go.

But what about companies? Organizations large and small, profit or not-for-profit, local and national are all under constant attack by online bad actors looking for vulnerabilities. In fact, often smaller organizations are even more vulnerable due to outdated cyber security measures and weak IT processes that leave them open to attack.

What is a business to do about cyber preparedness?

Think about cyber preparedness measures in the same way you do smoke alarms. They only work well if you change the batteries once or twice a year.

You may think this is the IT group’s problem. While it’s certainly their responsibility to ensure systems are up to date, it’s management’s problem if something goes wrong and suddenly there’s a data security incident that threatens revenue streams and reputation among customers, donors and vendors.

Here are 4 Tips

So, what’s the best way to get started? Here’s a few things to get lined up in advance of a cyber threat to make sure your batteries are charged all year long:

• Make sure IT has the resources it needs to stay in alignment with best practice in cyber security. This is not a sexy use of available capital, but when neglected, it can become an expensive problem to fix rather than prevent.
• Establish relationships with experienced cyber legal counsel, forensic IT consultants who can evaluate and get familiar with your data security processes, and communications/PR counselors who are familiar with the necessary steps to take following a data security event if it occurs.
• Assign a cyber security champion from the senior leadership team. As mentioned above, this is not just an IT department problem. It’s a management issue and as such should have management backing to ensure it gets the proper attention it needs.
• Run a drill annually with your outside IT, insurance, legal and communications partners to simulate a data security incident and evaluate your response. Getting prepared in advance always pays dividends when an actual crisis occurs.

what if a data security event happens anyway?

The reality is even the most prepared organizations can be compromised by determined bad actors. Preparation can certainly help shorten the duration for recovery and mitigate losses so those actions can and should still be taken.

Here’s 4 tips for things to do when you get the call from a harried IT technician that something’s wrong on your network:

• Quickly assemble your emergency response team. Comprised of outside IT consultants, PR consultants, legal counsel and key internal managers, they can assess the situation in real time. The first 24 hours can be critical in recovering assets and data so prompt action with the experts alongside is important. Set daily update meetings with this team for the foreseeable future so you can share information in real time.
• Prioritize your audiences based on who was most acutely exposed. Not all data security incidents affect all audiences the same. It’s entirely possible that a cyber event could only impact your employees while leaving customers, vendors and other outside audiences unaffected. While legal disclosure requirements will drive the notification process, there may be audiences which require a more personal touch given who (and how) was exposed.
• Engage media monitoring immediately. Knowing what appears on social media sites or in mainstream media is critical because those are often the leak points where a broader consumer audience can learn of a data security event. Understanding what is appearing online as it happens can help inform your decisions on whether to be proactive with your key audiences regarding the incident.
• Keep your insurance company in the loop from the beginning. While cyber security insurance is increasingly difficult to get and afford, if you have it, it can make a significant difference when it comes time to pay the consultants. The insurance company can also work closely with the legal team to assess the bad actors and negotiate things like ransom payments based on their experience and connections.

The threat of data security events has never been higher, even if it feels like only the biggest attacks get headlines because they are so common today. Vigilance has never been more important, and one only needs to look at the insightful annual report from leading law firm Baker Hostetler to realize the gravity of the threat to organizations of all sizes.

If you’d like to learn more, here’s another Falls’ subject matter expert blog about cybersecurity.

Do you want to talk about cyber preparedness or response, please contact the Falls & Co. team.