If your company has a Point of Sale (POS) terminal anywhere in its infrastructure, you are no doubt aware from the active media coverage that malware attacks have been plaguing POS systems across the country. Just within the past week, the New York Times has reported that:

- Companies are often slow to disclose breaches, often because of the time involved in immediately-required investigations;
- Congress is beginning to make inquiries of data breach victim companies;
- Even those companies who have conducted cybersecurity risk assessments still get attacked, often during the course of implementing new solutions to mitigate potential problems and protect their customers' payment cards or other personal information; and
- Former employees can be a source of information to the media about your efforts to investigate and secure your POS systems.
No Quick Fix

Even the best intentions, most competent efforts and unlimited budgets cannot fix a problem such as this overnight. These fixes take time, and they have become an unavoidable cost of operating POS terminals.
What should your company do?

(1) Launch a cybersecurity risk assessment, if you have not yet done so.

(2) Protect your risk calculations by engaging outside counsel and qualified cybersecurity experts to provide legal risk advice protected by the attorney-client privilege. Keep C-suite executives and Boards of Directors informed. The outside counsel, together with experts, should:

- educate and advise directors and executives on legal and business risks associated with your company's particular threats and vulnerabilities;
- engage a qualified, experienced external cybersecurity team to review technical infrastructure and identify vulnerabilities stratified and prioritized by risk, likelihood of being exploited, and the costs and time involved in remedying each one;
- review operational procedures across a multi-disciplinary team in your company, which are often overlooked and can have the greatest impact on the overall health of your risk profile;
- help identify the most sensitive categories of information in your organization and develop data governance procedures tailored to your organization to add yet another layer of protection for your most sensitive assets;
- regularly remind your team members, including those from third-party vendors engaged by counsel, about privilege and confidentiality obligations.

(3) Treat cybersecurity risk assessments and remediation efforts as an iterative process. Constantly review your multi-disciplinary team's recommendations as they change week by week or day by day. Re-evaluate the spend allocated based on updated information about your risk landscape as the investigation and assessment progresses.

(4) Stay informed about updated regulatory requirements and case law on cybersecurity and privacy. Ensure stakeholders understand these updates and charge them with implementing appropriate changes in their domains.

(5) Recognize that there is no such thing as perfect security, but that there is a tipping point over which your company will move outside the category of high-risk operations and into a safe zone.

(6) Allocate the necessary resources to get the job done – and done well. If your company goes an extra mile in building security policies, procedures and technology that are better than industry standard, you can use your low risk profile as a market differentiator. In addition to reducing litigation and reputational risks, validated strong security will increase customer confidence and loyalty.

(7) Review your insurance policies for adequate coverage to address interim risks. While reputational risk cannot be insured against, insurance can be very valuable in the event of a breach.
In the retail industry in particular, the widespread compromises of Point of Sale terminals resulting in staggering amounts of payment card theft are a hallmark of 2014. A decrease in brand reputation alone is too high a cost to ignore. If your company is – very understandably – not equipped to tackle the daunting task of finding and prioritizing vulnerabilities and choosing the best cybersecurity governance and technical plans, find someone who is.