Issue link: https://nebusinessmedia.uberflip.com/i/1220847
18 Worcester Business Journal | March 16, 2020 | wbjournal.com

KNOW HOW

10 THINGS I know about... Cybersecurity

By Michelle Drolet

10) High priority. 64% of businesses are prioritizing IT security above everything else and 80% of small and medium businesses rank IT security as a top business priority.

9) Bad news. A successful cyber-attack can damage your company's reputation beyond repair, including financial losses, intellectual property theft and erosion of customer confidence and trust.

8) Out of business. By 2021, cybercrime is projected to cost $6 trillion worldwide, and 50% of businesses suffering a data breach may shut down permanently.

7) First steps. Understand the risks, prioritize them, document and communicate. Deploy malware/ransomware protection to secure your endpoints and servers. Safeguard mobile devices and control their use. Create an incident response plan; assign responsibilities to all stakeholders involved.

6) Determine how much risk your company is prepared to tolerate. Raise awareness of these risks to employees. Make it a regular agenda item and communicate regularly to ensure ownership and buy-in from management.

5) Invest in user awareness training and education to remind users of cyber-risks. IT teams can look at investing in phishing simulation tools to break bad habits involving malware-laced email, web, text and phone scams.

4) Draft an official security policy. Your overarching policy should be reviewed and communicated regularly to enforce adherence. Your policy should cover permitted device types, information types, applications, encryption and incident reporting.

3) Secure IT infrastructure. Create and maintain (with use of automated tools) an inventory of every network device, user and application on your network. Limit privileged access to only a few users; create generic access for all others.

2) Establish timescales. Maintain devices and applications by performing regular updates and patches. Scan your infrastructure for vulnerable software and devices; plug vulnerabilities as quickly as possible. (There are automated tools available.)

1) Meet compliance requirements. Businesses need to be proactive and look ahead on the calendar to all incoming regulations. Better to build a foundation for future efforts than to reactively apply bandages.

Michelle Drolet is a CEO of Towerwall, a woman-owned independent data security services provider based in Framingham. You may reach her at michelled@towerwall.com.

101: EVALUATING TRAINING

BY SUSAN SHALHOUB
Special to the Worcester Business Journal

Companies know they need to train new employees, but today, training all employees takes on new importance in terms of retention. Forbes cites LinkedIn's 2018 Workforce Learning Report, which shows 93% of employees saying they would stay at a company investing in their careers. Training programs need constant evaluation. Here are some ideas on the process.

Know the Kirkpatrick Evaluation Model, four steps to size up training programs, developed by a University of Wisconsin professor – Donald Kirkpatrick – in the 1950s. The first level of measurement is reaction, gauging trainees' impressions (with surveys, for example). The second level is to measure learning, with metrics like test scores. Next is measuring behavior, or how the training has impacted the learner's performance and attitude; and finally, the measuring of actual results, like lower company turnover or higher productivity.

Avoid complacency, advises the Association for Talent Development. "The level of comfort you feel with the training starts to mentally and even emotionally outweigh the perceived benefits of changing things up. It makes you more and more reluctant to spend money on new training because you feel like everything is fine the way it is," the organization stresses. Indicators of a needed change: Employee complaints about too much text to sift through, uncertainty in how to use the information or the training platform itself.

Realize review is constant. According to ManagementHelp.org, training can be evaluated before, during and after. Before training, a manager can use the methods on a highly skilled employee and get their opinion, for example. During training, look for employees coming to the sessions late and leaving early. "Ask the employee to rate the activities from 1 to 5. If the employee gives a rating of anything less than 5, have the employee describe what could be done to get a 5," the website suggests. After the training, companies can assign an evaluator – maybe someone outside the company – to evaluate the employees' knowledge.

Failure to respond can be costly for your business

BY JARED A. FIORE
Special to the Worcester Business Journal

If your business receives a written complaint from a consumer, you should think twice before simply tossing it aside. A timely investigation into the allegations and a reasonable response could save your business from being hit with a substantial judgment in a subsequent lawsuit.

Massachusetts General Laws Chapter 93A, known as the Massachusetts Consumer Protection Act, declares unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce as illegal. The law does not outline specific acts as violations. Each case is judged on its own merits, influenced by how prior court decisions came out. The Massachusetts attorney general is authorized to make rules and regulations interpreting the law.

It is important for businesses to know the basic workings of the law and how to mitigate their risk once a consumer has claimed an injury under Chapter 93A (injury in this context means an invasion of a consumer's legal right).

The law requires the consumer to make a written demand for relief on the business at least 30 days prior to filing a lawsuit as a way to encourage pre-suit resolutions. The written demand must identify the consumer and reasonably describe the unfair or deceptive act or practice and the injury suffered as a result of the act or practice. It must define the injury in a manner to provide the business with an opportunity to review the facts and the law in order to determine whether to make a reasonable offer of settlement.

A timely response to the demand can be very important. If, within 30 days of the demand, the business makes a written offer of settlement which is rejected by the consumer, the business may use that offer in a subsequent lawsuit to limit any recovery to the offer amount if the court finds the offer was reasonable in relation to the injury.

Otherwise, if the consumer prevails, the court can multiply the damages by up to three times if (1) the act or practice is found to be a willful or knowing violation of the law, or (2) the refusal to make a reasonable settlement offer was made in bad faith with knowledge or reason to know that the act or practice violated the law.

In addition, the court is required to award a successful consumer his reasonable attorney's fees and costs associated with the lawsuit. However, if the consumer rejects the settlement offer and the court determines the offer was reasonable, the award of costs and fees will be limited to those incurred by the consumer prior to his rejection.

Therefore, that seemingly annoying letter could lead to a liability entirely disproportionate to the consumer's actual injury, particularly where the business could be responsible for the consumer's attorney's fees. Thus, taking the time to evaluate the claim and making a reasonable offer of settlement within 30 days of the demand could be time and money well spent for your business.

Jared A. Fiore is an attorney at Worcester law firm Bowditch & Dewey, LLP. Reach him at jfiore@bowditch.com.

This is the second in Jared A. Fiore's three-part series about Dispute Resolution. Watch out for part three in the March 30 edition of WBJ, and read the first one on WBJournal.com.