Editor’s note: Jerry Thompson is senior vice president of Identity Guard, provided by Intersections, Inc., which since 1996 has protected more than 47 million consumers.
Allscripts is the latest high-profile organization to be victimized by a data breach—and it is now grappling with the public backlash that always ensues. After the company was hit by a ransomware attack that forced some health systems to shut down e-prescribing functions and others to resort entirely to paper records and reporting, Allscripts now faces a class-action lawsuit accusing the company of “wanton, willful, and reckless disregard” in “failing to secure its systems and data from cyberattacks.”
As any executive whose company has suffered a data breach knows, the true costs of cybercrime are devastating, far-reaching and continue long after business functions have been restored. Between investigation and repair costs, customer notification requirements, contractual liabilities and workflow continuity, worldwide spending to mitigate the impact of cyberattacks is projected to reach an unprecedented $90 billion this year. Then there are the indirect costs, which include legal fees and public reputation rebuilding. This last component is particularly crucial, since a recent Gemalto survey revealed that 70 percent of consumers said they would cut ties with a company that had suffered a cyberattack.
Indeed, businesses are anticipated to bear the brunt of cybercrime’s growing financial burden. Over half of last year’s cyberattacks targeted corporations, and among all small businesses, 58 percent had been personally hit by a data breach. Given small and mid-sized companies’ tendency to store large swaths of data in single locations, along with their inability to afford comprehensive breach protection and response programs, these organizations make especially compelling targets for hackers.
Readiness, response, retrospective
Yet the security practices for vulnerable businesses continually fall short, and affordable solutions from specialized services are hard to come by. The majority of small organizations likely to face a data breach this year need cost-effective, commonsense tools that won’t overburden their employees or interrupt everyday workflow. That’s why companies that best survive cyberattacks have a thorough, easily understood and quickly deployed plan across three tiers of cyberdefense: readiness, response and retrospective.
When it comes to readiness, successful businesses begin with a thorough and expert network assessment of all company servers. Too often businesses fail to take this critical first step, fearing that any revealed vulnerabilities will reflect badly on their internal security platforms. In reality, the inverse is usually true: no system is foolproof, and weaknesses and loopholes that can be patched ahead of time and continually monitored for suspicious activity are a company’s first and best stronghold across an ever-widening threat landscape.
Next are the employees themselves. Training programs oriented towards individual departments’ and staff members’ levels of expertise and likelihood of exposure to different sources of threat—phishing scams, for instance, or malware—are another critical component of company readiness. With a proactive data breach response plan in place, companies that do end up being hit by a cyberattack are able to quickly call upon their predefined resources to patch security holes and protect client and employee data.
Even the most rapidly arrested attacks, though, can result in legal fees and risk reputational damage. In responding to a breach, companies need to have a ready list of external resources, like digital forensics specialists and lawyers familiar with breach reporting requirements and individual companies’ contractual obligations. PR representatives who can mitigate public fallout and establish collaborative, ongoing relationships between targeted companies and regulatory or law enforcement personnel are another highly useful yet too often overlooked asset.
In the aftermath of a data breach, companies must be fearless in evaluating what went wrong, as well as what went right: did employees and existing tools respond appropriately to the threat and address the consequences? What might have been done differently to respond faster, or avert the attack altogether?
Breach retrospectives are valuable opportunities for organizations to evaluate and expand their existing security protocols, even those external to cybercrime. Corporate strategies initially designed for other types of company threats, like privacy violations, can often be applied toward the digital realm.
When it comes to making these resources and strategies accessible and affordable for companies, it’s critical that the digital intelligence industry devise solutions to help all organizations meet critical cybersecurity checkpoints. The welfare of these businesses, the freedom of international markets—and in Allscripts’ case, the lives of many consumers—may depend on it.