Moderator Sou Ford and panelists (from left) Darren Bowie, Phyllis Sumner, Mark Ford and Stacey Keegan discuss Cybersecurity at the 2018 NAPABA Southeast Regional Conference on Friday. (Photo: John Disney/ALM)

When Verizon released its 2018 Data Breach Investigations Report last week, ransomware, for the first time, topped the list as the most prevalent variety of malware found in the incidents the report analyzed.

According to in-house data privacy and other cybersecurity experts, cyber threats are one of the fastest evolving enterprise-wide issues that companies face, said Sou Ford, senior vice president at insurance broker and consultancy Willis Towers Watson. Ford was a participant and panel moderator at a discussion on cybersecurity at the National Asian Pacific American Bar Association's Southeast Regional Conference in Atlanta last week.

Phyllis Sumner, a partner at King & Spalding, said of ransomware (a form of cyber extortion in which attackers encrypt a victim's data and demand payment for the key needed to restore it) that “unfortunately, criminals are seeing that this is effective, a way for them to make money because oftentimes companies may think it's easier to pay the criminal than to take steps ahead of time to prepare.”

Having an incident response plan is the key to preparedness, but there are several things to consider in relation to the plan, the panelists said.

In addition to performing exercises and walking through a mock cyber incident to “stress test” the plan before an actual event, it should take into account all of the stakeholders in an organization who need to be involved in a response to the incident, said Darren Bowie, chief privacy officer at AIG Inc.

Added Stacey Keegan, chief privacy officer and assistant general counsel at The Home Depot:

“Collaboration across many teams is key. It's important for an entire enterprise to recognize that data security is not the singular role of IT. It's an enterprise-wide risk and needs to be embraced as a responsibility for the entire organization.”

In addition, the plan should, to the extent possible, avoid provisions that make it hard to execute once an incident is actually under way, Sumner said.

“There's a big variety in what companies have, from a simple plan that doesn't consider a variety of issues, to very detailed plans that are just not workable when you are in the middle of the emergency,” she said.

Companies should have a communication plan in place in the event of an incident, Keegan said. This plan, she added, should address the issue of how relevant information is going to be communicated—not only “up,” to business executives and board members—but “out” to employees and other members of the organization, as well.

“Most of the [consumer] questions are going to come to you via your call center or people who walk into the store if you're a retailer, and where there is no information, that vacuum will fill with bad information,” she said.

Beyond the incident plan, companies should evolve their employee training methods as the risk evolves, the panelists said.

This is particularly true, given that 1 out of 5 cyber incidents is caused by human error, though frequently the insiders who expose the data are not acting maliciously, AIG's Bowie said.

“You have to think about new and creative ways to train, train, train,” he said.

Simply taking a hard look at where a company's data resides and who has access to it can prove surprisingly effective in eliminating some of this insider threat.

“If you take a role-based approach, you can remove human error by removing the human and making sure he doesn't have access to information he shouldn't,” Keegan said.

Due to some recent high-profile attacks by both hackers and insiders, however, companies' data protection policies are also coming under increased scrutiny by regulators, the panelists said. While there is no federal data-breach notification law, as of earlier this month, all 50 states have one on the books, Keegan said.

And they are being enforced, Bowie added, both at the state level by attorneys general and on the federal level. For example, the U.S. Federal Trade Commission, arguing that failure to adopt reasonable security controls is an unfair or deceptive trade practice, has recently brought more than 60 actions for such alleged violations, he said.

Added King & Spalding's Sumner: “Companies that fall victim to a significant criminal act become targeted by multiple regulators, including, as we've seen with Equifax and Facebook, Congress.”