August 10, 2021
Privacy and Cybersecurity Reminders for an Increasingly Remote Workplace and Digital Economy
Clients and Friends:
Privacy and cybersecurity are increasingly on the minds of business management as the workplace becomes more remote and the economy more digital. Privacy and cybersecurity, while distinct concepts, continue to intersect in the business world as businesses seek to protect sensitive and confidential information and data while maintaining effective cybersecurity measures.
As businesses grow and evolve, they must constantly assess the increasing privacy and confidentiality concerns of their clients, customers and employees. At the same time, cybersecurity and the protection of computer and data systems remain a significant concern for businesses, especially as employee connectivity to these systems is no longer fully maintained and controlled by the business's workplace office technology systems.
Cyberrisk has become one of the biggest risks that businesses face today. Cybercriminals target a wide range of businesses (Colonial Pipeline; JBS Foods), seeking to cause business interruption in order to extract a ransom or to engage in fraudulent activities. Businesses with large quantities of customer or client information are usually targets, not only because of their large stores of information but also because their numerous employees put them at greater risk of phishing attacks that can gain entry into their computer, operations and financial systems.
Given these mounting risks, businesses must continue to focus on data privacy and cybersecurity. This requires business management to be willing to invest in developing and maintaining privacy and cybersecurity programs and to instill a culture of cybersecurity. For many businesses, this means including chief privacy officers (CPO) and chief information security officers on their management teams. Both roles focus on protecting information from unauthorized access, but the CPO also must focus on legal compliance with privacy laws, often across multiple jurisdictions, including whether information is being collected, transferred and maintained in an appropriate and legally compliant manner. This is even more important for businesses that are active on the internet through web-based businesses.
While businesses work to enhance their privacy and security programs, they face the new pandemic challenge of remote working environments as they try to manage a more disparate work environment while remaining connected to their clients and customers. Ensuring employees are focused on the security of emails, texts, laptops, tablets and wireless environments, particularly when traveling, can be difficult. These risks should no longer be relegated to the information technology department, but need to be addressed through global privacy and security policies and procedures and training and awareness programs.
One of the best ways for an organization to reduce cyber risk is to build a culture of cybersecurity by creating an employee mindset that the risk is real and that their daily actions impact that risk. A cybersecurity culture needs to be part of a broader corporate culture of day-to-day actions that encourage employees to make thoughtful decisions that align with security policies. A security culture is more than just cybersecurity awareness. It requires the workforce to know the security risk and the process to avoid that risk. It means building and enforcing an operating process of tasks that keeps the firm safe. Most organizations have spent years and countless resources to acquire and create their customer or client data, and if that data is lost, stolen or corrupted, it could impact their bottom line for years to come.
Ninety percent of cyberattacks are caused by human error. A business is more likely to be compromised by employees losing their laptop or cellphone, inserting a flash drive into their computer or opening a mysterious email than by a malicious criminal hack from the outside. Yet businesses spend much on hardware and software while neglecting to properly train employees on security practices. Teaching employees to recognize threats, curb poor behavior and follow basic security habits can be the best return on investment. However, that return can be difficult to measure, and the expense is therefore difficult to justify. Trying to quantify the return on investment in employee training and building a cybersecurity culture can be difficult for upper management to assess.
One example is a phishing email. Ninety percent of cyberattacks start with a phishing email. Employees believe they know how to recognize a phishing email and would not act on the request in the email, but according to surveys, 30% of all phishing emails are opened and 12% of the links are clicked. With 90% of ransomware infections coming from some form of phishing, investing in employee training about phishing emails can reduce risk significantly. Given that ransomware is a fast-growing cyberthreat and usually comes from phishing, it is now even more important to have employee training.
CMXLaw’s Privacy, Data & Cybersecurity practice advises clients on privacy compliance and privacy, data & cybersecurity policies and best practices.
For further information or any questions on Privacy, Data & Cybersecurity, please contact your relationship partner at CMXLaw, email us at info@cmxlaw.com or visit our Privacy, Data & Cybersecurity practice group.
Crath Miller & Xistris LLP
Offices: New York / Newport Beach
These materials may contain attorney advertising. Prior results do not guarantee a similar outcome. Copyright © Crath Miller & Xistris LLP 2021. All Rights Reserved.