New Year, New Threats—Cyberattack Concerns

With the most recent election season behind us and cyberattack investigations underway, cyberspace creates a new frontier for applying existing privacy laws. Small businesses are increasingly targeted for cyber attacks and cyber security for small businesses is different than in years past when a company only had to worry about protecting desktop computers and locally stored files.

According to Symantec’s 2016 Internet Security Threat Report, 430 million new pieces of malware hit the market in 2015 and that roughly a third of cyber attacks were aimed at small-to-medium sized businesses with fewer than 250 employees. The Arberdeen Group, a leading computer industry market research, analysis and consulting organization says, “If employees are left unrestricted by policy and unchecked by monitoring software, then the corporation has exposed itself to significant legal liabilities, probable bandwith abuse, and employee productivity gaps. Employees are cited as the highest risk and most common cause of network abuse, data loss, and litigation.”

What can you do to mitigate risk?

Your business should consider creating an “Acceptable Use Policy” that establishes a culture committed to protecting the company and its employees from illegal or damaging actions by individuals knowingly or unknowingly. An “Acceptable Use Policy” should apply to all employees, contractors, consultants, and other workers at the business and apply to all equipment that is owned or leased by the company.

Policies typically cover internet, intranet, extranet-related systems, including but not limited to computer equipment, any software, operating systems, storage media, all network accounts providing electronic mail, and online browsing. These systems are to be used for business purposes serving the company and its clients and customers in the course of normal business operations.

Because these systems are primarily for business purposes, incidental personal use should be kept to a minimum and employees should not have an expectation of privacy regarding information stored within or communicated through them.

Proprietary information stored on electronic and computing devices, whether owned or leased by the business or the employee, remains the sole property of the business. You must ensure legally or technically that proprietary information is protected for your business.

A good technical defense is to install reliable firewall, spyware and virus software. Sometimes all the information collected by spyware is used for identify theft or fraud and it is extremely challenging to catch hackers and people often fall victim to thieves without even realizing it.

A good legal defense is to make sure that each user is committed to using the business network properly and report anything suspicious. Whether online or offline, fraud and theft are illegal. One key protective measure should be to require each person to promptly report the theft, loss or unauthorized disclosure of the company’s proprietary information.

In summary, the beginning of the year is a good time to review your company’s Acceptable Use Policy to make sure that your network is not misused or abused. In order to protect your proprietary information, you need to let each user know in writing what your rules are for using the network. These policies can be an important tool for any size business in protecting intellectual property and improving cybersecurity.

This article is providing general information and is not intended to be legal advice.

Amanda James is an Associate Attorney with the Sullivan & Ward Professional Corporation. She can be reached at (515) 247-4712 or ajames@sullivan-ward.com.