Cyber security -- a business requirement

By Theodore M. McGinn
Lavelle Law
Updated 4/21/2021 11:28 AM

Web hackers are on the prowl trying to find ways to defraud individuals and businesses alike, with criminal activity on the rise since the onset of the pandemic.

As a result, businesses are increasingly vulnerable to web hacks whereby confidential customer information could be compromised. An affected business may be sued by its customers for the damages associated with having their private information stolen. This article will explore questions business owners should ask themselves when assessing cybersecurity risk.

 

The attack

Similar to burglars planning to rob a house or business, cybercriminals scope out a business's website for months before the actual attack. Usually, these scans are conducted by programmed bots designed to identify areas of weakness in a business's information-processing system (IPS).

After learning about a business's IPS, they begin to probe deeper. At this point a human has typically taken over. The hacker will usually start with a small attack by accessing the mainframe. The attacker will then monitor to see if the company made any security changes; if not, they will begin their main attack.

The attack can take many different forms. They may overwhelm your system by inundating all the business's resources, which drastically reduces performance. Another attack is a SYN attack, where the attacker floods the business system with connection requests, slowing the system to unusable speeds until it eventually crashes.

Finally, a hacker may engage in a phishing initiative. Under this attack the hacker will send an email, which may appear to be legitimate. Common phishing emails may seem to be from a reputable source or from somebody of authority within the organization. The email will direct the recipient to click on a link and provide login and password credentials which can cause certain malware to be downloaded on the company system.


After these attacks cybercriminals will demand a ransom from a business or threaten to expose its customer information or to encrypt its data. At this point businesses are in trouble and have very few viable options.

Is my business at risk?

There are only two types of companies: Those that have been hacked, and those that will be. A prudent business needs to assess its risk of a cyberattack. Professionals can perform tests that identify potential areas of weakness.

The first is a vulnerability test. This assessment identifies vulnerabilities across the IT system. The assessment will set forth potential problems and options for how to eliminate those vulnerabilities. Prioritizing that list is especially helpful because it will identify urgent risks to be addressed immediately.

Another test a business can perform is called a penetration test.

This is for businesses that have already begun to take steps toward enhancing cybersecurity and thus is considered more of a high-level test. The assessment involves examining very specific targets and determining the level of cybersecurity protection. The specific targets could include payment and customer data, stored business information or domain rights.


Cost of an attack

Although these tests may sound costly or unnecessary, it is important to consider them against the cost of a cybersecurity hack. In the event of a hack, there may be numerous consumers whose data was breached, giving rise to a potential class-action suit. Depending on the number of consumers affected, the number of plaintiffs could become significant (with damages in the millions).

There are a number of different theories on which they could recover. Some of these include:

• Benefit of the bargain losses. Plaintiffs recover damages for the cost of products that they have acquired that do not provide the expected protection.

• Loss of value of personal information. Courts attribute value to personal information. Once that information is breached and/or available without the consent of the consumer, courts will award the victim damages for the loss of such value of personal information.

• Consequential damages. Courts will award damages for the costs that the victim may incur as a result of a data breach.

This includes costs that they incur in repairing credit or costs incurred in the mitigation of the damage suffered by the victim (identity theft monitoring).

What can I do about it?

It is essential that businesses take steps to protect against these hacks.

Such protection must go beyond purchasing the appropriate virus protection, and may include the following:

• Companywide policies requiring advanced passwords as well as frequent password updates.

• Provide ongoing training to employees.

• Multifactor authentication.

• Dark web research, where IT consultants conduct research on the dark web to determine what passwords may have been compromised.

• Adopt an ongoing policy with systematic backups of data.

• Update all software programs to ensure that they have the latest security protections.

• Adopt and use a spam email filter to block any suspicious and unwanted email.

• Outfitting websites with disclaimers and notices to visitors.

Many liability carriers now provide cybersecurity insurance policies. Such a policy can provide coverage for a data breach and a hacking/encryption event. If your business is disrupted through one of these events, a cybersecurity policy may provide coverage for ransomware and other related damages.

A cybersecurity attorney can help ensure compliance with privacy and breach notification laws, as well as help you to create and implement a robust cybersecurity plan.

• Theodore M. McGinn is an attorney at Lavelle Law in Schaumburg. He can be reached at tmcginn@lavellelaw.com or (847) 705-7555.
