Five Common Misconceptions About Cybesecurity

The first misconception is that a breach is inevitable and there is little in-house counsel can do to prevent it. Formidable firewalls and security measures may not stop a fanatically committed attacker, but virtually all hacked companies are soft targets of opportunity. Hackers typically scan random systems and identify vulnerability. Once they detect it, they can decide whether to exploit it. Most vulnerabilities are created by preventable human error.

Another common misconception is that insurance is a silver bullet, which can lead to a false sense of security. Policies vary widely, and many coverage issues have yet to be definitively addressed by the courts. There is no average policy, and no average risk profile. An organization’s preferred policy may have exclusions or riders that do not address the business context.

Another notion that creates problems: that a carefully prepared cybersecurity plan can be considered finished. In fact every business evolves, as does the technology itself, and the “perfect” plan is frequently out of date. Absent constant revision, the company will have plans that look good on paper, but are increasingly disconnected from the reality of operations. If disaster strikes, counsel can expect regulators and future opposing counsel to focus on the gap between this reality and the letter of the plan.

Cybersecurity risk is like other risks. It requires steadfast attention to current and potential issues. Inside counsel play a key role, not simply in addressing breaches when they occur, but also in articulating the risks, establishing protocols and enforcing compliance.