How to Reduce Your Company's Attack Surface
Data-breach advice from attorneys in Northern California
on July 20, 2020
Updated on July 28, 2022
California is the winner of an unwelcome title: the state with the most data-breach incidents (1,500—twice as many as runner-up New York) and exposures of consumers’ personal records (5.6 billion total) since 2008.
The state’s size and concentration of tech and internet companies no doubt has much to do with these metrics, but the problem is worrisome for all business owners who increasingly rely on data as the currency of commerce.
“You’re looking at a situation where people—and businesses equally—don’t even recognize how much exposure they have,” says Jack Russo, managing partner and intellectual property litigator at ComputerLaw Group in Palo Alto. A company’s “attack surface,” as he calls it, increases along with its social media and internet presence.
There are proactive measures, many of them low-cost, that decrease the risk. Litigator Daniel Zarchy, with Buchalter PC in San Francisco, recommends that companies inventory the data they store, classify it by sensitivity, and restrict employee access accordingly. Problems and vulnerabilities tend to arise, he says, when businesses store more customer data than their customers realize, or when they fail to apply basic security controls and patches, as was alleged in the class-action suit against credit-reporting agency Equifax, whose 2017 data breach ended in a $425 million settlement.
Having an informed security team is half the battle. “There are a lot of organizations which provide commonsense, non-tech-speak company training and policy guidelines,” says Zarchy, who is certified by the International Association of Privacy Professionals. California-based nonprofit Secure the Village, for example, offers digital resources, webinars and in-person sessions. Guidance is also available through the U.S. Small Business Administration and New York-based nonprofit Center for Internet Security.
To be effective, safeguards against cyber threats must be applied consistently. Although minimum security measures like password protection are widely used on computers, tablets and cellphones, other portable technology is often overlooked. “Storage devices used in the course of business, like a thumb drive or external hard drive, should be password-protected,” advises Anthony Isola, an employment & labor attorney at Fisher & Phillips in San Francisco. In practice that means encrypting the drive (for example with BitLocker To Go or LUKS): a password that merely gates a file browser is bypassed by plugging the drive into another machine and reading it directly.
Two-factor authentication is another underutilized tool, especially helpful for fending off phishing and other common attacks. It ensures that a hacker or other malicious actor cannot get into a system and its sensitive data with just a stolen or guessed password. And setup often takes just a few minutes. Not all second factors are equal, though: one-time codes sent by SMS or generated by an app can still be captured by a real-time phishing proxy and used within their validity window, whereas hardware security keys (FIDO2/WebAuthn) bind the login to the genuine site and resist that attack.
Of course, the potential for human error, coupled with society’s reliance on technology, means businesses must operate on the assumption that a hacking attempt is a matter of when, not if.
Russo says it’s pretty much a game of cat and mouse: “the mousetrap gets more and more sophisticated, but the mice get the cheese, regardless of how much the mousetrap is bolstered.”
So what to do when a breach takes place? The lawyers offer four tips:
- Patch the security hole,
- notify customers and
Most critically, have a prearranged game plan that identifies key roles, such as the person in charge of overseeing each task and security controls.
“Figure out what was taken,” advises Zarchy. “You have to know that before you can notify anybody, because you don’t want to stir up panic when you don’t actually have the answers.” He notes that it pays to check your insurance policy: “Sometimes companies have insurance that will pay if they shut down operations for a few days to figure out their data situation.”
All 50 states require companies to inform consumers when their personal information is exposed. In addition, California’s new consumer-privacy law, the California Consumer Privacy Act, took effect on January 1, 2020. Although its mandate targets mainly larger companies, Zarchy notes that ignoring basic security guidelines can get a business of any size, or type, into trouble through civil liability. Last, consider involving law enforcement or pursuing an injunction against the cyber-criminals if they can be identified.