By Geoffrey Lottenberg
Imagine a swarm of termites secretly and incessantly feeding on your home. In relative silence, your home is under attack, 24 hours a day. By the time you detect the bugs, your door frames have turned to dust and your joists have failed. Cybercriminals are like termites. Relentless. Sure, you can repair the house after the walls crumble down, but what if you had detected the infiltration earlier and prevented catastrophic failure? This is the key question modern cybersecurity professionals are asking themselves every day.
The Common Foe
It has been recently reported that only 10-20% of American hospitals have a meaningful cybersecurity program – a scary thought given that hospitals process an enormous amount of financial and personal health information. For industries outside of the tech industry, this number is likely far worse. Many business owners question the motives of cybercriminals and do not necessarily see themselves as a potential target, which is a mistake. The single prevailing motive for cybercriminals attacking businesses is financial gain. Financial gain is typically derived from ransoms, trafficking in stolen personal and financial data, or corporate espionage. The latter – corporate espionage – has seen a significant uptick since COVID-19, as businesses were pushed deeper into the Cloud. Many of these attacks are “inside jobs,” perpetrated by outside criminals who were given access credentials or other information about a company’s systems by someone on the inside.
Layers of Security
Preventing cyberattacks in the corporate world requires a multi-faceted approach. Businesses must simultaneously mobilize their information technology, human resources, and legal departments.
Information technology and data security departments need more time, more personnel, and a more extensive equipment and software budget to implement the changes necessary to prevent and redress cybercrime. Advanced firewall and encryption technology become an absolute must – two-factor authentication is often not enough. Incident response plans will need to be reviewed and updated quarterly to provide specific guidelines on how to respond to the latest cybercrime techniques. After changes and upgrades are implemented, businesses should engage third-party cybersecurity companies to run independent cybersecurity audits and penetration testing so that weaknesses can be exposed before an actual security incident occurs (insurance companies may require such testing, or offer discounts if testing meets certain standards).
An essential advancement for IT professionals is the implementation of AI-enabled infiltration detection software. Machine learning has proven to be a key development in meeting cyberattacks head-on because, as infiltration techniques change and improve, so does the AI engine of the detection software. There are many AI solutions on the marketplace – enough to fit virtually any use case, from SMEs all the way to Enterprise-level. Not to sound the “SkyNet” alarm, but AI-enabled cybersecurity detection software can go a long way toward solving the relative unavailability of qualified cybersecurity and IT professionals in today’s market.
Businesses should also have in-house counsel or experienced outside counsel review and update company data and privacy policies, and engage in critical analysis and education to develop an in-depth understanding of current and proposed state, federal, and international law regarding cybercrime, as well as the reporting and response obligations placed on a business entity should an attack occur. Cybersecurity insurance policies should be procured or updated to meet increased exposure.
HR departments must implement and improve company-wide cybersecurity and data privacy training for all employees. This means both technical training to understand how to securely use new systems and compliance training to understand where data and/or privacy breaches can occur and how to spot and redress potential security breaches.
Sleeping with the Enemy
HR departments must also pay significant attention to their hiring and retention practices, implement fail-safes to avoid hiring potentially disloyal employees, and detect unusual activity indicating that an active employee may be misappropriating sensitive information, including feeding it to would-be cybercriminals. A standard vetting process would include multiple interviews (including live, in-person interviews, even for remote positions), in-depth background searches into financial, employment, and criminal histories, and an investigation into the candidate’s Internet and social media presence. These practices must be implemented in compliance with applicable state and federal employment law – so consult your local employment attorney.
Human resource managers and hiring partners must work cohesively with information technology and security departments to develop and implement safer employment practices. Proper data controls must be in place to identify and designate data with the appropriate level of secrecy, to tier and compartmentalize access to that data, and to track the use and transfer of that data internally and externally. Most enterprise-level file management software includes this functionality, and the cost of these resources has decreased significantly over the past several years.
From a legal perspective, failure to take reasonable precautions to prevent cyberattacks – a standard that varies with the type and size of the business – can expose a business to significant liability under state and federal law in the event of a cyberattack. As noted above, cybersecurity insurance may help, but it is not a silver bullet and only matters after an attack has occurred. Much of the focus now needs to be placed on the front end, with prevention, testing, education, and compliance measures working together to stop the house from turning into dust.
About the Author
Geoffrey Lottenberg is a partner and lead of Berger Singerman’s intellectual property practice and co-manager of the firm’s Dispute Resolution Team. Geoff handles a wide variety of matters, including IP procurement and enforcement, business and technology law, and complex commercial litigation. With a calculated approach, Geoff regularly litigates patent, trademark, and copyright disputes in Federal Court throughout the United States. He also handles a variety of technology-related commercial litigation matters, including disputes over software contracts, non-compete agreements, and trade secrets.
As a Registered Patent Attorney armed with a background in mechanical engineering, Geoff prosecutes domestic and foreign patents and renders opinions on a variety of cutting-edge technologies, including automation, facial recognition technology, medical devices, emergency communication devices, software-based systems, and energy devices. Geoff also has hundreds of federal trademark applications and registrations under his belt.
Geoff is also an experienced transactional lawyer who works on a broad array of corporate intellectual property matters, including negotiating and preparing license agreements, software contracts, manufacturing and distribution agreements, and intellectual property asset transfers. Geoff is a key member of our firm’s mergers and acquisitions team and provides support in restructuring and workout matters.