Top Cybersecurity Advice For In-House Counsel

Uploaded on 2022-12-07 in FREE TO VIEW, BUSINESS-Services-Law

Cyber attacks have unfortunately become a part of today’s business environment, making cybersecurity a key consideration for any company. Zooming in on legal departments in particular, cybersecurity has been highlighted as one of the top three issues for chief legal officers (CLOs) according to this year’s ACC Chief Legal Officers Survey.

The recent ACC Foundation Cybersecurity Report has further emphasized in-house counsel’s involvement in forming the cybersecurity strategy for their organizations, with 84% of CLOs now playing a key role in managing this part of the business. Moreover, it has shown that 38% of companies have increased the yearly spend on their approach to cyber compared to last year’s results. With this in mind, it is more important than ever for in-house counsel to understand the key aspects of cybersecurity to fulfill their duties and provide effective counsel. While this makes for a complex task, this article aims to provide practical advice on how companies can proactively mitigate cybersecurity problems in-house. 

Understand The Difference Between IT vs. Cybersecurity 

Contrary to what lawyers sometimes think, IT and cybersecurity are not the same function. IT’s focus is on keeping the business running in a quick, seamless, and efficient manner. By contrast, cybersecurity’s focus is on security. As a result, the cybersecurity function may act as a brake slowing down the business to ensure it runs in a safe manner. 

Ideally, cybersecurity and IT would be separate teams. However, this may not be an option for many small companies, where the cybersecurity function often reports to the IT head. In such configurations, the IT and business teams should be aware of the difference between the two functions, and management should support providing adequate training to the IT team. 

Start With A Cyber Risk Assessment

If you don’t have a protocol in place, consider using existing models, such as Lockheed Martin’s Cyber Kill Chain®, a framework for delineating the stages of a cyberattack, spotting vulnerabilities, and stopping the attack at the various stages of the chain. Various audit standards have also been developed that could be used to form a cyber risk assessment. 
  
Maintain Privilege Over Cybersecurity Assessments As Needed 

In theory, for privilege purposes, it shouldn’t matter whether it is internal versus outside counsel that leads the assessment. However, engaging outside counsel to do so may be better from a perception standpoint. 

If you involve a third party to conduct a cybersecurity assessment and want privilege to apply, consider these steps: 

  • Decide whether to have the assessment performed under privilege. Not all assessments qualify. For privilege to apply, there should be some element of identifying and mitigating legal risk. 
  • Have the assessment conducted under your instructions (issued in your capacity as legal counsel), with a privileged memo. 
  • Ensure that you as legal counsel are involved in strategic meetings with the forensic company. 
  • Ensure that the forensic company reaches out to you as the attorney when they need strategic guidance, as opposed to just liaising with your company’s IT team. 

Beware Of Publicly Available Sensitive Information 

Assess public information about your company’s systems. What information could malicious actors easily find online about your company’s computing and vendor management systems?  Some companies post a link on their websites for vendors to connect to the organization’s vendor management system. While this is efficient from a business standpoint, it may be risky from a cybersecurity standpoint. 

As for social media content, consider what information is available on your staff’s LinkedIn profiles, as this might describe which systems, firewall, and other computer and cyber tools your company has implemented. Implementing a social media policy that prohibits employees from posting sensitive information, such as the systems and tools your company uses, would also make for an effective solution. 

Implement Multi-Factor Authentication (MFA) 

Don’t rely on simple password access. Systems that don’t require multi-factor authentication (MFA) open your company to the risk of “password spray” attacks, in which a malicious actor targets your systems with a high volume of password guesses based on a password pattern that the bad actor has figured out. For example, for temporary password resets, many companies unfortunately use a pattern that is too easy to guess. 

To reduce this risk, put in place multi-factor authentication, where the users must input their password, then receive a text or email with a separate code that they must insert to access your systems. Another solution is to check whether your company uses easy to figure out patterns for temporary resort passwords and if so, ask the IT department to use a random password generator instead.

Robert Kang is a specialist  cybersecurity attorney and member of The Association of Corporate Counsel 

You Might Also Read: 

Cyber Effects On The Legal Profession:

 

« Proactive Security Tips For Your Business After A Security Breach
Resilience Is Essential To Protecting Critical Infrastructure »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BakerHostetler

BakerHostetler

BakerHostetler is one of the largest law firms in the USA We have five core practice groups including a specialty practice team in Privacy and Data Protection.

IoT Security Foundation (IoTSF)

IoT Security Foundation (IoTSF)

IoTSF is a collaborative, non-profit organisation with a mission to raise the quality and drive pervasive security in the Internet of Things.

ACI Solutions

ACI Solutions

ACI Solutions is a managed IT services and network security provider working with diverse global commercial, government and public sector clients.

IQ Solutions

IQ Solutions

IQ Solutions is a Digital Integrator and an ICT Services Provider, focusing on innovative Cyber Secured ICT managed solutions tailored to the needs of the Maritime Industry.

Shift Technology

Shift Technology

Shift Technology provides insurance companies with an innovative SaaS solution to improve and scale fraud detection.

Uleska

Uleska

Uleska is a scalable platform that provides automated and continuous software security testing whilst translating cyber risk.

Slovenska Akreditacija (SA)

Slovenska Akreditacija (SA)

Slovenska Akreditacija is the national accreditation body for Slovenia. The directory of members provides details of organisations offering certification services for ISO 27001.

Dice

Dice

Dice is a leading recruitment platform, helping technology professionals manage their careers and employers connect with highly skilled tech talent in specialist areas including cybersecurity.

SilverSky

SilverSky

SilverSky offers a comprehensive suite of products and services that deliver unprecedented simplicity and expertise for compliance and cybersecurity programs.

MetaCert

MetaCert

MetaCert’s Zero Trust browser software reduces the risk of organizations being compromised with a phishing-led cyberattack by more than 98%.

Arkphire

Arkphire

Arkphire provide solutions across every aspect of IT to help your business perform better.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

Noblis

Noblis

Noblis is a dynamic science, technology, and strategy organization dedicated to creating forward-thinking technical and advisory solutions in the public interest.

Patriot Consulting Technology Group

Patriot Consulting Technology Group

Patriot Consulting's mission is to help our clients manage cybersecurity risk through secure deployments of Microsoft 365.

AnzenSage

AnzenSage

AnzenSage is a cybersecurity advisory consultancy specializing in security risk resilience for the food sector: agriculture, food manufacturing, food supply chain, vineyards, and wineries.

Onum

Onum

Onum helps security and IT leaders focus on the data that's most important. Gain control of your data by cutting through the noise for deep insights in real time.