Top Cybersecurity Advice For In-House Counsel

Cyber attacks have unfortunately become a part of today’s business environment, making cybersecurity a key consideration for any company. Zooming in on legal departments in particular, cybersecurity has been highlighted as one of the top three issues for chief legal officers (CLOs) according to this year’s ACC Chief Legal Officers Survey.

The recent ACC Foundation Cybersecurity Report has further emphasized in-house counsel’s involvement in forming the cybersecurity strategy for their organizations, with 84% of CLOs now playing a key role in managing this part of the business. Moreover, it has shown that 38% of companies have increased the yearly spend on their approach to cyber compared to last year’s results. With this in mind, it is more important than ever for in-house counsel to understand the key aspects of cybersecurity to fulfill their duties and provide effective counsel. While this makes for a complex task, this article aims to provide practical advice on how companies can proactively mitigate cybersecurity problems in-house. 

Understand The Difference Between IT vs. Cybersecurity 

Contrary to what lawyers sometimes think, IT and cybersecurity are not the same function. IT’s focus is on keeping the business running in a quick, seamless, and efficient manner. By contrast, cybersecurity’s focus is on security. As a result, the cybersecurity function may act as a brake slowing down the business to ensure it runs in a safe manner. 

Ideally, cybersecurity and IT would be separate teams. However, this may not be an option for many small companies, where the cybersecurity function often reports to the IT head. In such configurations, the IT and business teams should be aware of the difference between the two functions, and management should support providing adequate training to the IT team. 

Start With A Cyber Risk Assessment

If you don’t have a protocol in place, consider using existing models, such as Lockheed Martin’s Cyber Kill Chain®, a framework for delineating the stages of a cyberattack, spotting vulnerabilities, and stopping the attack at the various stages of the chain. Various audit standards have also been developed that could be used to form a cyber risk assessment. 
  
Maintain Privilege Over Cybersecurity Assessments As Needed 

In theory, for privilege purposes, it shouldn’t matter whether it is internal versus outside counsel that leads the assessment. However, engaging outside counsel to do so may be better from a perception standpoint. 

If you involve a third party to conduct a cybersecurity assessment and want privilege to apply, consider these steps: 

  • Decide whether to have the assessment performed under privilege. Not all assessments qualify. For privilege to apply, there should be some element of identifying and mitigating legal risk. 
  • Have the assessment conducted under your instructions (issued in your capacity as legal counsel), with a privileged memo. 
  • Ensure that you as legal counsel are involved in strategic meetings with the forensic company. 
  • Ensure that the forensic company reaches out to you as the attorney when they need strategic guidance, as opposed to just liaising with your company’s IT team. 

Beware Of Publicly Available Sensitive Information 

Assess public information about your company’s systems. What information could malicious actors easily find online about your company’s computing and vendor management systems?  Some companies post a link on their websites for vendors to connect to the organization’s vendor management system. While this is efficient from a business standpoint, it may be risky from a cybersecurity standpoint. 

As for social media content, consider what information is available on your staff’s LinkedIn profiles, as this might describe which systems, firewall, and other computer and cyber tools your company has implemented. Implementing a social media policy that prohibits employees from posting sensitive information, such as the systems and tools your company uses, would also make for an effective solution. 

Implement Multi-Factor Authentication (MFA) 

Don’t rely on simple password access. Systems that don’t require multi-factor authentication (MFA) open your company to the risk of “password spray” attacks, in which a malicious actor targets your systems with a high volume of password guesses based on a password pattern that the bad actor has figured out. For example, for temporary password resets, many companies unfortunately use a pattern that is too easy to guess. 

To reduce this risk, put in place multi-factor authentication, where the users must input their password, then receive a text or email with a separate code that they must insert to access your systems. Another solution is to check whether your company uses easy to figure out patterns for temporary resort passwords and if so, ask the IT department to use a random password generator instead.

Robert Kang is a specialist  cybersecurity attorney and member of The Association of Corporate Counsel 

You Might Also Read: 

Cyber Effects On The Legal Profession:

 

« Proactive Security Tips For Your Business After A Security Breach
Resilience Is Essential To Protecting Critical Infrastructure »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Firebrand

Firebrand

Firebrand is the leader in Accelerated Learning in the field of IT and project management.

StoneFly

StoneFly

StoneFly offers High Availability, high performance cluster and scale out storage, and backup and disaster recovery appliances.

Quaynote Communications

Quaynote Communications

Quaynote Communications is a specialist conference and communications company focused primarily on the maritime, yachting, aviation and security industries.

WISeKey

WISeKey

WISeKey is a leading cybersecurity company currently deploying large scale digital identity ecosystems for people and objects using Blockchain, AI and IoT.

SmartCyber

SmartCyber

SmartCyber is a company specializing in custom IT projects and Cybersecurity.

ENAC

ENAC

ENAC is the national accreditation body for Spain. The directory of members provides details of organisations offering certification services for ISO 27001.

RIA in a Box

RIA in a Box

MyRIACompliance combines our team of RIA compliance experts with an online software platform to help investment advisers better manage regulatory compliance and cybersecurity responsibilities.

Navixia

Navixia

As a leading Swiss IT security specialist, Navixia offers a global and pragmatic approach to information security.

BreachLock

BreachLock

Breachlock delivers the most comprehensive Penetration Testing as a Service (PtaaS) powered by Certified Hackers and AI.

National Institute for Research & Development in Informatics (ICI Bucharest)

National Institute for Research & Development in Informatics (ICI Bucharest)

ICI Bucharest is the most important institute in the field of research, development and innovation in information and communication technology (ICT) in Romania.

SecurIT360

SecurIT360

SecurIT360 is a full-service specialized Cyber Security and Compliance consulting firm.

ZX Security

ZX Security

ZX Security is a New Zealand owned and operated cyber security consultancy.

Transatlantic Cyber Security Business Network

Transatlantic Cyber Security Business Network

The Transatlantic Cyber Security Business Network is a coalition of UK and US cyber security companies which facilitates collaboration to help address critical cyber security challenges.

OccamSec

OccamSec

OccamSec is a leading provider in the world of cybersecurity. We provide accurate, actionable information to reduce risk and enable better informed decisions.

Highen Fintech

Highen Fintech

Highen is a blockchain software development company with offices in the United States and development centers in India.

Flawnter

Flawnter

Flawnter is a security testing software that finds hidden security and quality flaws in your applications.

Tech Data

Tech Data

Tech Data, a TD Synnex company, is a leading global distributor and solutions aggregator for the IT ecosystem.