"The message here is please think before you click," said RayKelly, vice chairman of K2Intelligence.

If anybody would know, it's Kelly. Formerly the longest-serving commissioner of the New York Police Department (NYPD), he has seen the damage that outside threat actors can have on organizations. And as the keynote speaker at ALM's cyberSecure event in New York on September 27, he said that cyber attacks are among the most dangerous attacks he has ever seen.

"Yes, the threat may change, but our vigilance is as strong as it's ever been," he explained.

Comprehensive business continuity plan needed

From experience, Kelly noted that vigilance from corporate legal departments requires a two-pronged approach. First, companies need a team, either internal or external, that can respond quickly when a breach is suspected. Second, organizations need a comprehensive business continuity plan for cybersecurity defense.

Both the team and the plan need to encompass the entire organization, he cautioned. "Cyber has to be everyone's problem and everyone's concern, from the IT center to the executive suite. Particularly the executive suite." If cyber isn't a priority from up top, he added, "it won't be effective for very long."

Once that tone from the top is set, it's incumbent on businesses to respond with a practical action plan. Kelly laid out his own plan in four distinct steps, which he said was designed to roll out immediately. The first step is to recognize the threat, though Kelly added that this is easier said than done.

"Those high-profile reports are chilling. But the everyday reality of cybercrime happens far from public view," Kelly said. "This is mostly about money, scamming and squeezing it away from people who have some."

Second, Kelly reiterated that the cyber plan should start at the top. He explained that this covers not only carrying out a plan but also the overall organizational attitude toward stopping cyber threats. While some may feel being breached is inevitable, Kelly said, "Don't accept that, because that attitude becomes a justification for accepting intrusion from cyber criminals."

The third step in Kelly's plan is to ally with knowledgeable professionals. Cybersecurity can be a daunting task, especially for lawyers who often need to focus on other parts of the practice.

Threats are constantly changing

"The threats are constantly changing, and few organizations have the expertise," he advised. "Usually this means bringing in outside experts. Go for the best; it's money well spent."

Finally, he explained that organizations should be monitoring their defenses constantly. He noted that businesses cannot rely on government alone, many software products provide only basic security, and the threats are constantly evolving.

"This one will not be won overnight. … It requires constant monitoring. This is not a fix-it-and-forget-it problem," Kelly said.

While this four-step plan may seem simple, each step can present pitfalls for even the savviest businesses. As Kelly noted, some have said that it's not a matter of if you're going to be breached, but when. And for many organizations, true cybersecurity protection will not happen without a change in mindset.

"We have to shift our thinking from building walls to managing risk," Kelly said. "Because guess what, those walls don't work anymore."
