Top Cybersecurity Advice For In-House Counsel

Cyber attacks have unfortunately become a part of today’s business environment, making cybersecurity a key consideration for any company. Zooming in on legal departments in particular, cybersecurity has been highlighted as one of the top three issues for chief legal officers (CLOs) according to this year’s ACC Chief Legal Officers Survey.

The recent ACC Foundation Cybersecurity Report has further emphasized in-house counsel’s involvement in forming the cybersecurity strategy for their organizations, with 84% of CLOs now playing a key role in managing this part of the business. Moreover, it has shown that 38% of companies have increased the yearly spend on their approach to cyber compared to last year’s results. With this in mind, it is more important than ever for in-house counsel to understand the key aspects of cybersecurity to fulfill their duties and provide effective counsel. While this makes for a complex task, this article aims to provide practical advice on how companies can proactively mitigate cybersecurity problems in-house. 

Understand The Difference Between IT vs. Cybersecurity 

Contrary to what lawyers sometimes think, IT and cybersecurity are not the same function. IT’s focus is on keeping the business running in a quick, seamless, and efficient manner. By contrast, cybersecurity’s focus is on security. As a result, the cybersecurity function may act as a brake slowing down the business to ensure it runs in a safe manner. 

Ideally, cybersecurity and IT would be separate teams. However, this may not be an option for many small companies, where the cybersecurity function often reports to the IT head. In such configurations, the IT and business teams should be aware of the difference between the two functions, and management should support providing adequate training to the IT team. 

Start With A Cyber Risk Assessment

If you don’t have a protocol in place, consider using existing models, such as Lockheed Martin’s Cyber Kill Chain®, a framework for delineating the stages of a cyberattack, spotting vulnerabilities, and stopping the attack at the various stages of the chain. Various audit standards have also been developed that could be used to form a cyber risk assessment. 
  
Maintain Privilege Over Cybersecurity Assessments As Needed 

In theory, for privilege purposes, it shouldn’t matter whether it is internal versus outside counsel that leads the assessment. However, engaging outside counsel to do so may be better from a perception standpoint. 

If you involve a third party to conduct a cybersecurity assessment and want privilege to apply, consider these steps: 

  • Decide whether to have the assessment performed under privilege. Not all assessments qualify. For privilege to apply, there should be some element of identifying and mitigating legal risk. 
  • Have the assessment conducted under your instructions (issued in your capacity as legal counsel), with a privileged memo. 
  • Ensure that you as legal counsel are involved in strategic meetings with the forensic company. 
  • Ensure that the forensic company reaches out to you as the attorney when they need strategic guidance, as opposed to just liaising with your company’s IT team. 

Beware Of Publicly Available Sensitive Information 

Assess public information about your company’s systems. What information could malicious actors easily find online about your company’s computing and vendor management systems?  Some companies post a link on their websites for vendors to connect to the organization’s vendor management system. While this is efficient from a business standpoint, it may be risky from a cybersecurity standpoint. 

As for social media content, consider what information is available on your staff’s LinkedIn profiles, as this might describe which systems, firewall, and other computer and cyber tools your company has implemented. Implementing a social media policy that prohibits employees from posting sensitive information, such as the systems and tools your company uses, would also make for an effective solution. 

Implement Multi-Factor Authentication (MFA) 

Don’t rely on simple password access. Systems that don’t require multi-factor authentication (MFA) open your company to the risk of “password spray” attacks, in which a malicious actor targets your systems with a high volume of password guesses based on a password pattern that the bad actor has figured out. For example, for temporary password resets, many companies unfortunately use a pattern that is too easy to guess. 

To reduce this risk, put in place multi-factor authentication, where the users must input their password, then receive a text or email with a separate code that they must insert to access your systems. Another solution is to check whether your company uses easy to figure out patterns for temporary resort passwords and if so, ask the IT department to use a random password generator instead.

Robert Kang is a specialist  cybersecurity attorney and member of The Association of Corporate Counsel 

You Might Also Read: 

Cyber Effects On The Legal Profession:

 

« Proactive Security Tips For Your Business After A Security Breach
Resilience Is Essential To Protecting Critical Infrastructure »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Tripwire

Tripwire

Tripwire are a leading provider of risk-based security, compliance and vulnerability management solutions.

CERT-In

CERT-In

CERT-In is a functional organisation of the Ministry of Information & Electronics Technology, Government of India, with the objective of securing Indian cyber space.

SecureNow Insurance Broker

SecureNow Insurance Broker

SecureNow is a commercial insurance broker based in India. Services offered include Cyber Risk insurance.

PlaxidityX

PlaxidityX

PlaxidityX (formerly Argus Cyber Security) is a global leader in mobility cyber security, provides DevSecOps, vehicle protection and fleet protection technologies and services.

FaceFirst

FaceFirst

FaceFirst provide face recognition technology solutions to detect and deter real time threats,

Iceberg

Iceberg

Iceberg has been established to provide companies with cyber security experts who will protect businesses from the unseen threat of cyber crime.

Swiss Cyber Storm

Swiss Cyber Storm

Swiss Cyber Storm is a non profit organization hosting the international Swiss Cyber Storm Conference and running the Swiss part of the European Cyber Security Challenges.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Ataya & Partners

Ataya & Partners

Ataya & Partners is a consulting company that delivers data protection, cybersecurity and IT & Digital governance services.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

National Cryptologic Foundation (NCF)

National Cryptologic Foundation (NCF)

The National Cryptologic Foundation strives to influence the cryptologic future by sharing our educational resources, stimulating new knowledge, and commemorating our heritage.

ClearVector

ClearVector

ClearVector is a leading provider of realtime, identity-driven security for the cloud.

IGI Cybersecurity

IGI Cybersecurity

IGI Cybersecurity delivers people-driven cybersecurity for personalized, resilient cyber defense focused on individualized strategy and unshakeable partnership.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.