The cars we drive to work every day run primarily on computers that collect thousands of data points. Same goes for the factory that manufactured them and the company that designed and sold them. This evolution makes cybersecurity vital at every step in the supply chain. We know manufacturing is one of the most hacked industries. We know hackers target individual cars. We’ve seen cybersecurity best practices from Auto-ISAC and NHTSA. With that, we wanted to provide companies with a list of concrete steps to consider to help minimize the risk of, and prepare for, cyber-intrusions.
Below is our list of 17 measures every company should consider to reduce the risk of cyber-intrusions.
1. Conduct internal compliance and risk assessments to determine your organization’s vulnerability to cyber-attacks.
2. Develop and implement the corporate policies and procedures required for compliance with federal and state privacy and security laws.
3. Develop quick-response teams to handle potential cyber-attacks, using pre-formulated decision trees and procedures so that you don’t have to develop them while under the fire of an ongoing attack.
4. Establish secure data backup protocols to ensure that, even if your company is under attack, important company records remain secure.
5. Establish protocols to deal with common forms of cyber-attacks (denial of service, etc.).
6. Line up outside experts, where the risk profile of your company warrants it, to swing into action if company processes are overwhelmed by a cyber-attack.
7. Perform periodic audits of cybersecurity practices against industry norms, accepted best practices, and the risk profile of your organization.
8. Implement information security best practices, and reflect them in information security policies, records retention and management policies, and internal controls/standard operating procedures.
9. Make certain the CEO and executive leadership are properly informed about the cyber risks to your company and are involved in oversight and decision-making related both to cyber-attacks and to proactive cybersecurity measures.
10. Review funding of all electronic security measures to ensure it is adequate to cover not only routine compliance measures but also proactive testing and probing of systems, in light of the increasingly sophisticated techniques used by hackers.
11. Collect only the personally identifiable information from clients, customers, or company personnel that is needed for identified business needs; retain it only for as long as it serves those needs; and store it in a way that minimizes its usefulness to anyone outside the organization (encryption, etc.).
12. Review cybersecurity programs to ensure they apply industry standards and best practices.
13. Coordinate cyber incident response planning across the entire company.
14. Store sensitive information securely (encrypting where appropriate) and separately from data that does not require the same level of protection. Use a layered defense approach to protect “crown jewel” information.
15. Conduct appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information; require them to agree contractually to implement robust data security procedures; and follow up to ensure these requirements are in fact implemented.
16. Assess how your company’s points of access (website, VPNs, remote access, and so forth) are configured to minimize intrusion risk, with regular testing and probing to address identified risks and keep the configuration current.
17. Perform companywide training, tailored to the personnel involved, to ensure that all electronic security measures are understood and followed.
This list was generated as part of a Legal News: Cybersecurity newsletter by Greg Husisian, Chanley Howell and Jacob Heller titled “Cybersecurity and the New Trump Administration: Your Top Ten Questions Answered.”
This blog is made available by Foley &amp; Lardner LLP (“Foley” or “the Firm”) for informational purposes only.