Tim Toohey, head of the firm's Cybersecurity practice, participated in Los Angeles Times' roundtable "What You Need to Know About Cybersecurity." Tim, alongside a group of experts, shared valuable insight regarding cybersecurity threats that professionals face today as well as tips that on how professionals can safeguard the privacy of their organizations and associated stakeholders.

Q: What are the biggest cybersecurity-related challenges in 2022?

Toohey: The biggest challenges this year will be those stemming from the fact that a large portion of the workforce continues to operate from home because of COVID-19, which increases the vectors for remotely launched security attacks, including ransomware attacks. In addition, given the ongoing global tensions with foreign countries, including Russia and China, businesses in critical sectors, such as energy, technology and national security, will continue to experience attacks from hostile nation-states seeking disruption or theft of intellectual property. With ransomware attacks growing in scope and severity, we are likely to see the continued increase of this type of attack.

Q: How has the COVID-19 pandemic changed the cybersecurity landscape?

Toohey: The increase in the number of personnel working remotely who are connected to their employer’s networked systems has dramatically increased the vector for potential cyberattacks, including ransomware attacks. With remote working, it has become much more challenging for businesses to ensure compliance with security protocols meant to prevent phishing attacks and other threats that can lead to ransomware or personnel being fooled to send money to hackers. Moreover, many personnel who are not working remotely, including service personnel for large enterprises, are unaccustomed to such work and may blend the use of work and personnel devices, which further increases the risks. Finally, COVID-19 has given rise to scams based upon testing, preventative measures, and other related products.

Q: What are some of the biggest trends today in cybersecurity?

Toohey: One of the biggest trends today is the proliferation of new laws relating to the protection of personal information and the growth of the scope of information protected by these laws. Starting with California’s Consumer Protection Act (CCPA) and the expansion of that law with the California Privacy Rights Act of 2020 (CPRA), which will come into effect on January 1, 2023, California has led the way with enactment of privacy laws to protect its residents. This year, we are likely to see other states join California, Colorado and Virginia in passing their own privacy laws. In contrast, the continued impasse in Washington D.C. is likely to inhibit much needed federal protections, including protections against growing cyber threats. 2022 is also likely to see the growth of privacy laws outside of the United States which, in some cases, are modeled on the groundbreaking General Data Protection Regulation of the European Union. Accompanied by restrictions on data transfer outside of the “home” jurisdiction, the privacy landscape is likely to become increasingly complex and difficult to navigate.

Q: Is cybersecurity awareness training a good idea for businesses?

Toohey: Whether or not remote working is here to stay, cybersecurity awareness training is vital for businesses to educate their workforce regarding the myriad of bad actors that are seeking to exploit the vulnerability of electronic communications. The days are gone (if in fact they ever did exist) when a business could rely on its information technology department to fend off threats from hackers. Today cybersecurity threats come from within the workforce when employees click on links in a phishing e-mail that can lead to malicious programs launching a destructive ransomware attack on businesses or sending a wire transfer to an unintended party. Training of personnel (which should include monitoring and testing through spoof destructive e-mails) is vital to prevent what could be a ruinous security breach that could cost hundreds or even millions of dollars in harm.

Q: What is cybersecurity insurance and do we need it?

Toohey: If a business has valuable data (both personal information and proprietary data), it should seriously consider cybersecurity insurance. A cyberattack may be financially ruinous or even fatal to a business. Cybersecurity insurance protects a business against both first-party and third-party losses caused by a cybersecurity event (as defined in the policy). First-party losses are the costs a business itself must pay to remediate an event, such as restoring its systems. Third-party losses are costs a business must pay to a third party, such as a regulatory agency or customers for losses caused by a cyber event. Many newer cybersecurity policies protect against a wide variety of cyber events, including data breaches, ransomware attacks, fraudulent attacks designed to trick a business into sending payments to a hacker, and other emerging threats. Policies vary considerably so it is important to consult an experienced broker who can find a policy tailored to a company’s needs and exposure.

Access the roundtable here.

Resources

• Los Angeles Times B2B Publishing