Top Cybersecurity Advice For In-House Counsel

Uploaded on 2022-12-07 in FREE TO VIEW, BUSINESS-Services-Law

Cyber attacks have unfortunately become a part of today’s business environment, making cybersecurity a key consideration for any company. Zooming in on legal departments in particular, cybersecurity has been highlighted as one of the top three issues for chief legal officers (CLOs) according to this year’s ACC Chief Legal Officers Survey.

The recent ACC Foundation Cybersecurity Report has further emphasized in-house counsel’s involvement in forming the cybersecurity strategy for their organizations, with 84% of CLOs now playing a key role in managing this part of the business. Moreover, it has shown that 38% of companies have increased the yearly spend on their approach to cyber compared to last year’s results. With this in mind, it is more important than ever for in-house counsel to understand the key aspects of cybersecurity to fulfill their duties and provide effective counsel. While this makes for a complex task, this article aims to provide practical advice on how companies can proactively mitigate cybersecurity problems in-house. 

Understand The Difference Between IT vs. Cybersecurity 

Contrary to what lawyers sometimes think, IT and cybersecurity are not the same function. IT’s focus is on keeping the business running in a quick, seamless, and efficient manner. By contrast, cybersecurity’s focus is on security. As a result, the cybersecurity function may act as a brake slowing down the business to ensure it runs in a safe manner. 

Ideally, cybersecurity and IT would be separate teams. However, this may not be an option for many small companies, where the cybersecurity function often reports to the IT head. In such configurations, the IT and business teams should be aware of the difference between the two functions, and management should support providing adequate training to the IT team. 

Start With A Cyber Risk Assessment

If you don’t have a protocol in place, consider using existing models, such as Lockheed Martin’s Cyber Kill Chain®, a framework for delineating the stages of a cyberattack, spotting vulnerabilities, and stopping the attack at the various stages of the chain. Various audit standards have also been developed that could be used to form a cyber risk assessment. 
  
Maintain Privilege Over Cybersecurity Assessments As Needed 

In theory, for privilege purposes, it shouldn’t matter whether it is internal versus outside counsel that leads the assessment. However, engaging outside counsel to do so may be better from a perception standpoint. 

If you involve a third party to conduct a cybersecurity assessment and want privilege to apply, consider these steps: 

  • Decide whether to have the assessment performed under privilege. Not all assessments qualify. For privilege to apply, there should be some element of identifying and mitigating legal risk. 
  • Have the assessment conducted under your instructions (issued in your capacity as legal counsel), with a privileged memo. 
  • Ensure that you as legal counsel are involved in strategic meetings with the forensic company. 
  • Ensure that the forensic company reaches out to you as the attorney when they need strategic guidance, as opposed to just liaising with your company’s IT team. 

Beware Of Publicly Available Sensitive Information 

Assess public information about your company’s systems. What information could malicious actors easily find online about your company’s computing and vendor management systems?  Some companies post a link on their websites for vendors to connect to the organization’s vendor management system. While this is efficient from a business standpoint, it may be risky from a cybersecurity standpoint. 

As for social media content, consider what information is available on your staff’s LinkedIn profiles, as this might describe which systems, firewall, and other computer and cyber tools your company has implemented. Implementing a social media policy that prohibits employees from posting sensitive information, such as the systems and tools your company uses, would also make for an effective solution. 

Implement Multi-Factor Authentication (MFA) 

Don’t rely on simple password access. Systems that don’t require multi-factor authentication (MFA) open your company to the risk of “password spray” attacks, in which a malicious actor targets your systems with a high volume of password guesses based on a password pattern that the bad actor has figured out. For example, for temporary password resets, many companies unfortunately use a pattern that is too easy to guess. 

To reduce this risk, put in place multi-factor authentication, where the users must input their password, then receive a text or email with a separate code that they must insert to access your systems. Another solution is to check whether your company uses easy to figure out patterns for temporary resort passwords and if so, ask the IT department to use a random password generator instead.

Robert Kang is a specialist  cybersecurity attorney and member of The Association of Corporate Counsel 

You Might Also Read: 

Cyber Effects On The Legal Profession:

 

« Proactive Security Tips For Your Business After A Security Breach
Resilience Is Essential To Protecting Critical Infrastructure »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

it-sa 365

it-sa 365

it-sa 365 is a digital platform for connecting IT security vendors and experts with those who bear responsibility for IT security in management and technology.

PlaxidityX

PlaxidityX

PlaxidityX (formerly Argus Cyber Security) is a global leader in mobility cyber security, provides DevSecOps, vehicle protection and fleet protection technologies and services.

Mako Networks

Mako Networks

The Mako System is an award winning networking and security service designed specifically for SMEs and branch offices of larger organisations.

TokenOne

TokenOne

TokenOne is a Cyber Security software company that makes it easy to replace passwords, tokens and other forms of authentication with a more secure solution.

Wayra UK

Wayra UK

Wayra UK, part of Telefónica Open Future, has been chosen to run a new cyber accelerator facility to help UK start-ups grow and take the lead in producing the next generation of cyber security systems

Neupart

Neupart

Neupart provides Information Security Management System, Secure ISMS, allowing organisations to automate IT Governance, Risk and Compliance management.

Spire Solutions

Spire Solutions

Spire Solutions is the Middle East & Africa region’s leading cybersecurity solution provider and value-added distributor (VAD).

Slovenska Akreditacija (SA)

Slovenska Akreditacija (SA)

Slovenska Akreditacija is the national accreditation body for Slovenia. The directory of members provides details of organisations offering certification services for ISO 27001.

SYSGO

SYSGO

SYSGO is the leading European provider of real-time operating systems for critical embedded applications in the Internet of Things (IoT).

Inpher

Inpher

Inpher has pioneered cryptographic Secret Computing® that enables advanced analytics and machine learning while keeping data private, secure, and distributed.

iSTORM

iSTORM

iStorm specialise in supporting organisations who require a range of Privacy, Security and Penetration testing related services.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

StealthPath

StealthPath

StealthPath is focused on endpoint protection, securing the “implicit trust” vulnerabilities of current leading information security solutions.

American Binary

American Binary

American Binary is a Quantum Safe Networking (TM) and post-quantum encryption company.

Ampsight

Ampsight

Ampsight specializes in enabling cloud integration, securing data, and navigating complications that drive critical-mission success.

RAD Security

RAD Security

RAD Security (formerly KSOC) is a cloud native security company that empowers engineering and security teams to drive innovation so they can focus on growth versus security problems.