How to Reduce Your Company's Attack Surface

Tips on preventing and responding to cyberattacks and data breaches in California

By Steph Weber | Reviewed by Canaan Suitt, J.D. | Last updated on December 29, 2023 Featuring practical insights from contributing attorneys Jack Russo, Anthony M. Isola and Daniel Zarchy


California is the winner of an unwelcome title: the state with the most data-breach incidents and exposures of consumers’ personal records. The state’s size and concentration of tech and internet companies no doubt have much to do with these metrics, but the problem is worrisome for all business owners who increasingly rely on data as the currency of commerce.

“You’re looking at a situation where people—and businesses equally—don’t even recognize how much exposure they have,” says Jack Russo, managing partner and intellectual property litigator at ComputerLaw Group in Palo Alto. A company’s “attack surface,” as he calls it, increases along with its social media and internet presence.

Three Proactive Measures for Attack Surface Reduction

Your company’s attack surface comprises every point at which an attacker or unauthorized user could get into your systems: exposed services and accounts, weak or reused passwords, unpatched or poorly maintained software, and the people who operate them. There are proactive measures, many of them low-cost, that shrink it.

Litigator Daniel Zarchy, with Patton Sullivan Brodehl in San Ramon, recommends that companies:

  1. Inventory the data they store;
  2. Classify that data by sensitivity (a coding or labelling scheme); and
  3. Restrict employee access accordingly.

Problems and vulnerabilities tend to arise, Zarchy says, when businesses store more customer data than their customers realize, or when they fail to apply basic security controls and patches, as was alleged in the class action suit against credit-reporting agency Equifax, whose 2017 data breach (entered through an unpatched Apache Struts web framework) ended in a $425 million settlement.


Assemble an Informed Security Team

Having an informed security team is half the battle. “There are a lot of organizations that provide commonsense, non-tech-speak company training and policy guidelines,” says Zarchy, who is certified by the International Association of Privacy Professionals.

California-based nonprofit Secure the Village, for example, offers digital resources, webinars, and in-person sessions. Guidance is also available through the U.S. Small Business Administration and New York-based nonprofit Center for Internet Security.


Apply Your Cyberattack Safeguards Consistently

To be effective, safeguards against cyber threats must be applied consistently. Although minimum security measures like password protection are widely used on computers, tablets, and cellphones, other portable technology is often overlooked. “Storage devices used in the course of business, like a thumb drive or external hard drive, should be password-protected,” advises Anthony Isola, an employment & labor attorney at Fisher & Phillips in San Francisco. On removable media, the protection that counts is encryption of the drive’s contents (BitLocker To Go on Windows, an encrypted volume on macOS, LUKS on Linux): a password prompt that leaves the data unencrypted is bypassed by simply reading the drive from another machine.

Two-factor authentication is another underutilized tool, and a cheap one: setup usually takes a few minutes. It ensures that a password alone, whether guessed, reused from another breach, or phished, is not enough to reach a system and its sensitive data. One caveat: codes sent by SMS or read from an authenticator app can still be relayed by a real-time phishing site that proxies the victim’s login, so where the risk justifies it, use phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which bind the login to the genuine site.
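As an added example (not from the article or from the quoted attorneys), here is the mechanism most authenticator apps use, TOTP from RFC 6238 built on HOTP from RFC 4226, wired into a login check that requires both a password and a fresh code. The account, its password, the salt and the login flow are constructed for the demonstration; the shared secret is the test secret published in the RFCs so the generated codes can be checked against the standard’s own vectors. The check also covers the two details that get skipped in quick implementations: tolerating one step of clock drift, and refusing to accept a code that has already been used.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """Constructed user record: salted password hash, shared TOTP secret, replay marker."""

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = b"constructed-per-user-salt"  # would be random per user in production
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted for this account


def check_password(acct: Account, password: str) -> bool:
    """Compare a freshly derived hash against the stored one in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(candidate, acct.pw_hash)


def check_totp(acct: Account, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift), but never a step that
    has already been used, so a code captured once cannot be replayed within its window."""
    base = unix_time // step
    for counter in range(base - skew, base + skew + 1):
        if counter <= acct.last_counter:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, counter), code):
            acct.last_counter = counter
            return True
    return False


def login(acct: Account, password: str, code: str, unix_time: int) -> str:
    """Password first; the code is only consumed once the first factor has passed, so an
    attacker cannot burn a victim's valid codes by spraying wrong passwords."""
    if not check_password(acct, password):
        return "denied"
    if not check_totp(acct, code, unix_time):
        return "denied"
    return "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret (constructed scenario)
    acct = Account("correct horse battery staple", secret)
    now = 1111111109  # one of the RFC 6238 reference timestamps
    code = totp(secret, now)
    print(login(acct, "correct horse battery staple", code, now))      # ok
    print(login(acct, "correct horse battery staple", "", now))        # denied: password alone
    print(login(acct, "correct horse battery staple", code, now + 5))  # denied: replayed code
```

The replay marker is the part worth copying: a phishing proxy that captures a valid code has at most one time step to use it, and if the real user’s login went through first, the captured code is already dead.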


Four Steps To Take if a Cyberattack Occurs

Of course, the potential for human error, coupled with society’s reliance on technology, means businesses must operate under the assumption of when, not if, a hacking attempt will occur.

Russo says it’s pretty much a game of cat-and-mouse—”the mousetrap gets more and more sophisticated, but the mice get the cheese, regardless of how much the mousetrap is bolstered.”

So what do you do when a breach takes place? The lawyers offer four tips:

  1. Patch the security hole;
  2. Investigate;
  3. Notify customers; and
  4. Recover.

Most critically, have a prearranged incident response plan that names who owns each task (containment, investigation, legal review, customer notification) and who can authorize taking systems offline. Closing the hole in step 1 must not destroy the evidence step 2 depends on: preserve logs and disk images before rebuilding affected machines.

“Figure out what was taken,” advises Zarchy. “You have to know that before you can notify anybody because you don’t want to stir up panic when you don’t actually have the answers.” He notes that it pays to check your insurance policy: “Sometimes companies have insurance that will pay if they shut down operations for a few days to figure out their data situation.”

Informing Consumers When Their Personal Information is Exposed

All 50 states require companies to inform consumers when their personal information is exposed. In addition, under the California Consumer Privacy Act (CCPA), customers have the right to:

  • Know what data is being collected;
  • Delete personal data stored by a business;
  • Opt out of having their personal data sold; and
  • Avoid being penalized for exercising these privacy rights.

Under a 2023 amendment to the CCPA, California residents also have the right to:

  • Correct inaccurate personal information that a business has about them; and
  • Limit the use and disclosure of sensitive personal information collected about them.

Although the CCPA applies mainly to larger companies (its thresholds are based on revenue and on the volume of personal information a business handles), Zarchy notes that ignoring basic security guidelines can get any size—or type—of business into trouble through civil liability. Last, consider involving law enforcement or pursuing an injunction against the cyber-criminals if they can be identified.

Find an Experienced Attorney

For legal help in assessing your company’s security risks and vulnerability to potential attacks, reach out to an attorney with experience in business technology and cybersecurity issues.

For more information on this area of law, see our overviews of technology transactions, business litigation, and intellectual property.
