When brand-named companies that have been in the IT game for a long time suffer headline-inducing data breaches, you’re on notice that you could be next. That means you have responsibilities, not just to customers but to shareholders, investors, and employees.
Where there is responsibility, there is liability. And where there is liability, there is litigation. For a board of directors, this could get personal, as their own assets might be on the line in the event of a negative judgment.
Is your cybersecurity program up to the task?
Your cybersecurity program not only needs to be as hacker-proof as possible, it needs to be ready for litigation. The better your cybersecurity program protects your assets against reasonable and realistic threats, the better it will stand up in court when someone’s questioning how seriously you took your duty of care.
A court is unlikely to expect your cybersecurity program to be bullet-proof, but it has to be highly defensible. You have to be able to show that it was given careful thought and was reasonable in all circumstances.
The threat against you is a moving target. You need staff who can keep up. If you recruited staff mainly for their ability to manage operations, you might need to upskill, re-hire, or supplement. The last thing you want in the witness stand is your IT professional who can’t speak about your security measures with authority.
Somewhere on the team, you need someone with security credentials, and you need to be able to show that person had a voice and was listened to.
To get answers, you need to ask questions
The more questions you ask, the better, but for starters:
- Are we sure what we’re doing is best practice? How do we know? Can we show how we came to these conclusions?
- Have we declared our objectives and plans in writing so everyone is clear?
- Does our cybersecurity program take into account business strategy—are we across any planned mergers? Do we know the risks posed by our vendors and other partners? And are we mitigating any risks?
- Do we have an emergency plan for sudden attack? Why is it the best plan possible? Does everyone know what it is?
- Has everyone been trained in the physical security of IT (e.g., laptop theft) and social engineering attacks?
- How are we making sure this isn’t all written out and just put in a drawer?
These are things you could be asked in court by a lawyer trying to prove you didn’t do enough, so make sure you have watertight answers before declaring your cybersecurity program is up to standard.