A cyber-attack is an assault by hackers intended to compromise the functionality of a website or computer network, oftentimes employed in order to gain access to stored confidential information. Installing viruses or malware (malicious code), interrupting the functionality of all, or part, of an online program, or changing a computer’s or phone’s hardware or software are all forms of cyber-attacks. A small business can take the following actions in order to protect its company’s website, hardware, and stored proprietary information.
The old adage “a chain is as strong as its weakest link” holds true for Internet security. You need to maintain control over the applicable website (and company's) entire security change. One weak link leaves a website (and the company that maintains it) open to attack. Perform network scans regularly in order to assess all vulnerabilities.
In order to ward off potential attacks, you should only grant computer access to those who absolutely require it to fulfill work related obligations. Have any and all such individuals execute a data protection and confidentiality agreement. Passwords should be protected as well, difficult to guess, and frequently changed. Use data encryption and secure configurations wherever practically possible. All computer network usage by employees, agents, and other third parties should be closely monitored on a regular basis. Remote access should never be granted unless absolutely required to fulfill work duties. Up-to-date anti-virus software should be loaded onto every computer in the network.
The strength and efficacy of all security measures should be tested on a regular basis. Monitor and manage all log files to detect, record, and maintain reports of any security incidents. Develop and implement strong network security architecture and controls, including network segmentation, firewalls, intrusion detection services, and data loss prevention software. Employ security-by-design principles in order to build security directly into commonly used applications and systems. Cyber liability insurance should also be obtained in order to protect against financial loss in the event of any attack.
Large cyber-attacks should be promptly reported to law enforcement in all applicable jurisdictions. A company liason should be appointed to supervise the communications. The following agencies are responsible for handling Internet crimes: (i) the FBI; (ii) the US Secret Service; (iii) the U.S. Postal Inspection Service; (iv) The Bureau of Alcohol, Tobacco, and Firearms; and (v) The US Immigration and Customs Enforcement. The Department of Justice provides information respecting the appropriate agency to contact depending upon the type of cybercrime being reported. The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, is another excellent resource for reporting cybercrime.
The primary statutes addressing cybercrime include: (i) the Computer Fraud and Abuse Act (CFAA), the main federal criminal statute regulating computer crimes which criminalizes, among other things, accessing a computer or a computer network in access of one’s authorization; (ii) the Wiretap Act and Electronic Communications Privacy Act, a federal statute which prohibits the interception, use, or disclosure of wire and electronic communications; and (iii) the Stored Communications Act, a federal statute which criminalizes the intentional, unauthorized access of a facility through which an electronic communication service is provided.
When faced with evidence of a cyber-attack, big or small, make sure to preserve all evidence. A failure to do so can adversely affect a civil or criminal action down the road. Someone at the company should also make sure to prepare and file all legally required disclosures. For example, the SEC requires public companies to disclose certain data breaches, as does the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Gramm-Leach-Bliley Act (GLBA), among other federal statutes.
Security testing should be performed immediately upon learning of an attack in order to identify the locus of the breach and mitigate damage to the extent possible. Inform proper personnel designated to handle any such attacks. Implement an effective incident response plan. Consider engaging the services of an experienced cyber consultant. And with respect to the reputational fallout that may ensue, a public relations expert could help to communicate the attack to the public and confirm that the company is doing everything possible to mitigate damages and prevent future attacks of this nature.