Throughout the business world, breaches have become a constant reminder of the critical need to assess and take action on cyberrisk. But they can also make addressing the issue seem like an ever more daunting task, leading many to either put off substantive measures or blindly buy the latest insurance or software to “take care” of the problem and move on.
“The biggest mistake companies make in the breach recovery process is just not being aware of the risk in the first place,” said John Mullen, managing partner at Lewis Brisbois Bisgaard & Smith LLP and chair of the firm’s data privacy and network security practice. “You would be amazed—I do up to 100 presentations a year, and at 80% of them, people still look at me like it’s the first time they have heard about it, and I have been doing this for over a decade. The people in the know are in the know, but there is an amazing amount of people who have no clue.”
There are countless ways a cyberbreach can unfold, and countless ways response can go wrong, but laying the strongest possible foundation ahead of time ultimately makes the difference between successful response and absolute disaster for a company that gets hacked or otherwise compromised. According to Mullen, a breach coach who reports that his firm sees a new breach case every business day of the year, “If you don’t do all of the prep stuff, you’ll never get response right.”
“As regulators get more experienced, they are starting to appreciate the differences between the people who responded appropriately and the people who either did not respond at all or handled it terribly,” Mullen said. “What they see with a bad investigation or bad event handling is a company that never took data security seriously in the first place. With a company that handled it well, they might still take them through the investigation process and fine them if applicable, but they are going to absolutely hammer a company that comes through with a lackadaisical attitude.