Caroline Morgan interviewed by Authority Magazine: What American Businesses Need to Know About Cybersecurity

Authority Magazine recently interviewed Culhane Meadows’ New York partner Caroline Morgan to discuss the 5 things every American business leader should do to shield themselves from a cyberattack.

Here is Caroline’s interview:

As a part of this series, I had the pleasure of interviewing Caroline A. Morgan.

Caroline is a partner with the law firm of Culhane Meadows PLLC, practicing in its litigation and privacy, data and cybersecurity groups. In addition to being a seasoned litigator, Caroline counsels companies on navigating data privacy and breach notification laws. Caroline also assists clients with data security incident plans, privacy policies and achieving cybersecurity best practices to minimize losses.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up with three siblings and we are all very close in age so there was never any shortage of someone to play with! We moved around a lot which followed me into adulthood. I have worked with a human rights organization in London, moved to New York City after taking the bar exam, and worked with a global reinsurer in Paris for several years.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

There was no particular moment. I had a natural interest in cybersecurity so I followed my gut and pursued it. I have never looked back since.

Can you share the most interesting story that happened to you since you began this fascinating career?

Every cybersecurity incident is different so each one is interesting. From that first call from a client to the conclusion of the investigation, no two are alike. Sometimes the most challenging part of an incident is the aftermath. A fair amount of my practice involves helping clients inform their customers that they suffered a cyber attack, responding to customer questions or complaints, and maintaining trust. Oftentimes this involves explaining the difference between an incident and a breach where data was actually accessed or transferred.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

1. Diligent. The area of cybersecurity is constantly changing. I dedicate time each day to reading, from proposed bills to an article on a new cyberattack. This helps me stay current and provide insight to my clients.

2. Focused. Cyber incidents involve a lot of unknowns which can lead you down rabbit holes. Staying focused is key.

3. Personable. People work with who they like. I get along with a variety of personalities, which is helpful in the context of cybersecurity matters where time is of the essence and clients can feel particularly stressed. Nobody is happy to discover they are in the midst of a cybersecurity attack.

Are you working on any exciting new projects now? How do you think that will help people?

I just finished drafting an incident response plan for a client which was a major step towards being prepared for a cyber attack. Not having one is like riding a motorcycle without a helmet. If your business does not have one get one! One of the important features of an incident response plan is who will make up your incident response team, which is the core group that addresses incidents from the analysis of a reported incident to containment, eradication, and recovery. There is no one-size-fits-all model and some companies outsource all or part of an incident response team.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

In addition to my experience as a privacy and data security attorney, I am a frequent speaker and writer on a wide variety of emerging cybersecurity legal developments. Being a litigator also allows me to understand the enforcement side of cybersecurity and decrease exposure for clients.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

Some of the more prevalent attacks now are ransomware and phishing. Ransomware is an attack where the bad guys will encrypt a company’s data and then demand money to restore access. Sometimes the attackers will ask for more money to not disclose the information to the public, authorities, or others. Phishing is a way to get sensitive information or to gain access to a computer system typically through an email where the sender is purported to be a legitimate business like a bank or someone that is known to the recipient, like a co-worker. The recipient is then tricked into giving up information from bank details to account credentials or opening a link that introduces malicious software. A cyber attack can have lasting outcomes on a business including regulatory fines or penalties, the inability to run your business, and loss of customers.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Everyone needs to be concerned about cyberattacks because both businesses and private individuals have valuable information. Attackers may also perceive small businesses or individuals who are less likely to have the means to invest in cybersecurity as easy targets.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Other than me? Businesses should consider calling their cyber insurance carrier. The carrier may have a specific forensic team to use, protocols in place that are necessary for coverage, notification requirements, and similar considerations. But the big takeaway here is that no company should be asking these questions during a cyber attack. Having an incident response plan that is tailored to your company will give invaluable guidance during a cyberattack. Businesses already have response plans for many types of incidents and cyberattacks should be no different. How many times have you done fire drills at work? Just like companies do not wait until a fire to figure out who is going to call for help, companies should not wait until a cyberattack to figure out those first critical steps.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Not thoroughly training their employees. Attackers love tricking people into clicking on malicious links. Training employees on how to spot tactics can stop an attack cold. Employees are the eyes of a company! Having protocols in place for what an employee should do when they think something is awry is also key. Phishing scams and the like are not going away, they are only getting more and more sophisticated because a majority of cyberattacks can be traced back to human error.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Increase awareness. The more people understand about cyberattacks and the damage they can cause the more incentivized they will be to prevent and minimize them. The possibility of regulatory fines, litigation exposure, loss of business, and more can certainly motivate a company to prevent cyberattacks.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

1. Limit employee access to information. Ideally employees should only be able to access information that they need to do their job. Adopting a need-to-know approach can reduce the chances that an employee inadvertently provides cyber criminals with access to sensitive information. It can also reduce the risk of an inside threat like a disgruntled employee who could otherwise access and steal valuable data.

2. Do not assume vendors are secure. Preventing a cyber attack requires a company to do its due diligence with vendors it gives its data to. What does the contract between your company and the vendor say about their cybersecurity practices and when was it last updated? Is the vendor regularly patching security vulnerabilities? If a vendor is not willing to provide information on how they keep your company data secure that is a red flag.

3. Invest in employee training. Human error is a common gateway for a cyberattack. Despite this some companies skimp on training to save money, but in the long run the cost of a cyberattack outweighs the cost of training, which does not have to be fancy or time intensive. The possibilities are endless. You can send employees information about the latest cyber scams and how to avoid them by email. Other companies do lunch-and-learns. The bottom line is some form of training can fit into any budget and your business will be better off for having it.

4. Audit your company’s cyber protection. From penetration testing to vulnerability assessments, a company should review the cyber protection it has in place at least annually and after a major cybersecurity incident. By identifying any weaknesses and taking the appropriate steps to rectify them, a company can prevent a cyberattack which is better than defending against one. Being proactive with cybersecurity is also a factor that regulators and enforcement authorities, like an attorney general, will look at if they receive complaints from customers following a cyberattack, if your company reports a data breach, and many other similar situations. These offensive steps can also help your company achieve certain compliance standards such as SOC2. In short, there are many benefits to investing in cybersecurity.

5. Use multi-factor authentication. Multi-factor authentication is a verification process that requires an account holder to provide at least two types of proof of identity to access their account. Adding one more layer may not sound like a lot, but it can significantly increase the difficulty of compromising an account because, for example, a password alone will not get a cyber attacker in. Organizations should consider implementing multi-factor authentication across all systems to maximize its benefit.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 

A movement of introspection. From someone who majored in philosophy, I turn to the reader who can answer for themselves what is the greatest good they can create.

How can our readers further follow your work online?

Connect with me on LinkedIn www.linkedin.com/in/carolineamorgan or visit my bio at Culhane Meadows PLLC https://www.culhanemeadows.com/attorney/caroline-a-morgan/ .

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Thank you for having me!



About Culhane Meadows: Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in eleven major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly-efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2022 rankings and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.


The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.
