Expect the Unexpected

If 2020 has taught us anything, it is that you should expect the unexpected. Last week, Garmin—a popular multinational technology company and maker of an array of products for athletes—was the victim of a ransomware attack that took down many of its services for several days, sending their customer base into an internet frenzy. Hackers are becoming more sophisticated and businesses remain their main target, largely due to the wealth of data each business retains. Information such as trade secrets, confidential communication, customer information, and HR records are stored on company’s computers, and protecting this information must be a top priority for any company. It only takes one security breach or unexpected disaster to make a company leader regret not having sufficient processes in place to store, recover and utilize their data.

Businesses need a proactive, documented plan called a Crisis Management Plan that anticipates potential threats and guides the restoration of operations in the event of a physical or digital disaster. Cyberattacks and data breaches can cost companies many thousands of dollars (often times millions), lost time, revenue, and credibility. Additionally, staying abreast (or finding someone who is) of ever-changing current industry laws and regulatory compliance is particularly important. If you are not skilled in these areas, it is important to consult with professionals who are. A few areas to start assessing your business’ Crisis Management Plan include the following:

• Building and Maintaining a Secure Network
  • Install and maintain a firewall and router configuration to protect cardholder data. A firewall is a piece or set of software or hardware designed to block unauthorized access to computers and networks.
  • Update passwords (and ensure they are secure passwords).
  • Train Employees.
• Maintaining a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs.
• Implementing Strong Access Control Measures
  • Access control is a security technique that regulates who or what can view or use resources in a computing environment. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.
• Regularly Monitoring and Testing Networks;
  • Test your network and team with realistic attacks. Monitor complex networks involving multi-site distributed applications
• Maintaining an Information Security Policy
  • An information security policy is a set of rules enacted by an organization to ensure that all users of networks or the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority.

By preparing your Crisis Management Plan before a time of crisis, a company can stay ahead in this ever-changing world of global pandemics and cybersecurity. In the end, Garmin was criticized only for slow communication back to their customers, but reports the company was able to recover its data from backups and stated, “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.”

Although those Garmin users who could not upload or access their data for a few days might have wanted a faster Crisis Management Plan plan; from a business standpoint, I say, well done, Garmin. Well done.