Killian Smith: Hey, everyone. Killian from Worksighted here with another episode of Tech Riffs, and I am very excited because today for the first time I’m actually having with me on the show somebody from outside of our organization who’s going to give us some of his industry level expertise in the area of cybersecurity. This is Jason Crow, and you are from Miller Johnson. Thank you so much for coming aboard. So happy to have you.
Jason Crow: Great to be here, Killian. Thank you.
Killian Smith: So, you specialize in cybersecurity law.
Jason Crow: That’s right.
Killian Smith: That’s awesome, so having to do with like if there’s a data breach and something like that. That’s actually what I want to talk about today. We’ve kind of talked about it from the technical side in past episodes of Tech Riffs. So, I think there’s some really good information out there on that, but I want to hear from the legal side when you are working with your clients-
Jason Crow: Absolutely.
Killian Smith: What are some things that you want to make sure that they know when figuring out their cybersecurity stuff from a legal standpoint?
Jason Crow: But for the most part at Miller Johnson we get a lot of calls from clients that are outside of the healthcare space, outside of the banking space, and they say, “Okay, if I’m just a manufacturer,” for instance, “what do I do to protect myself?” I say, “Well, cybersecurity is a high-tech problem, but there’s really several low-tech solutions, and it starts with policies and procedures.”
Killian Smith: So, when you say policies and procedures, are there some that are kind of doesn’t matter what industry you’re in that are standard that you want to make sure that everybody has in place initially?
Jason Crow: Absolutely. You really want to start with a password policy and procedure, right, and that sounds super basic and almost like, “Why did I need to call my attorney to find that out?” Right?
Killian Smith: It’s important and we talk about it all the time even in past episodes, but yeah.
Jason Crow: We just had a major data breach happen last week, and we did a response and the way that the attacker got in was through a dormant admin account where the username was admin and the password was backup. That took down their whole system for two or three days. If you had a good policy and procedure in place that dealt with passwords, that dealt with documentation retention and destruction, and you followed those, that may have not happened. So, in your policies and procedures, you’re going to want to have a data breach response policy and procedure, and in that response policy, it’ll lay out who to call first. Who’s my first call when I feel like I have something that appears to be a data breach?
Jason Crow: Of course, Miller Johnson, we would say, “Call your in-house counsel,” and the reason we say that in the first instance is you can really mitigate your risk later on if those communications, those initial communications where you’re saying the worst things about this potentially terrible incident, that can be wrapped up in attorney-client privilege and attorney work product protection, and if it’s all laid out in that policy, you’ll know what to do.
Killian Smith: Knowing who to get a hold of is important.
Jason Crow: That’s right, and it brings up, I think, the other most important low-tech solution to cybersecurity, which is educating and training your employees.
Killian Smith: Absolutely.
Jason Crow: So, you can create the best policy and procedure that you’ve ever created, but they’re not worth anything unless you train on those. And so, if you get into the IT department and the human resources department and you’ve trained on your data breach response policy, the moment that it comes up, they’re going to know what to do and they’re going to have the document in front of them and they’re going to understand what to do.
Killian Smith: So, Jason, having dealt with as many cybersecurity breaches as you have, what do you see as some of the potential costs or some of the costs that companies incur whenever they do have something go wrong?
Jason Crow: Well, this is a huge issue because the cost of a data breach is hard to quantify sometimes, and it’s not immediately apparent. Oftentimes what I tell my clients is I say, “Okay, on average a data breach from our perspective in West Michigan for our clients can, the cost can range from $300,000 to $500,000.” What you have in those costs are calling people like me to discuss what your data breach notification responsibilities are, calling Worksighted to work with containing the breach from an IT perspective and a technical perspective, and then you have IT costs related to remediation. So, what do I do to harden my network, to change passwords, to update my firewalls? And then there’s a lot of soft costs. The organization can really be shut down focusing on the data breach for two or three days.
Jason Crow: What we recommend to clients is to work hard to find the best cyber risk insurance you can get. Really, right now, business interruption could be your biggest cost. If you’re a manufacturing company and you supply the automakers, if you have a major data breach, your line can go down for half a day, your production line, or two days. What is the cost of that? If you get business interruption insurance long before the data breach happens, that insurance can be collectible, and if you’ve got policies and procedures in place, that can also increase the collectibility of your cyber risk insurance. And then if you put all the pieces together, you have the right policy, you educate your employees, and if you follow those policies and procedures, utilizing these small steps to prevent a big problem.
Killian Smith: Well, Jason, thank you so much for coming on the show today sharing your expertise.
Jason Crow: Thank you, Killian. This was a lot of fun.
Killian Smith: Absolutely, and that’s a wrap for us. You can learn more about this and other cool IT tips and tricks by going to www.worksighted.com/techriffs.