Companies that read the news understand that it is not a question of “if” their networks will be attacked, it is a question of “when.” What can be less clear in an organization is who owns protecting against a cyber attack, who needs to be informed once an attack is detected and who drives the response and mitigation process.
The Office of the General Counsel should be proactive in helping the organization navigate this treacherous domain, working closely with the IT team and the company’s leadership.
General Counsel Trap No. 1: “I Let My IT Guys Deal with Those Types of Acronyms”
Some business teams might think that if the IT department understands the difference between a DDoS (distributed denial of service) and an APT (advanced persistent threat) attack, that is sufficient. I disagree. IT teams are often working tirelessly to keep the networks running with the speed and functionality demanded by the business.
However, protecting against an attack can require that the IT department put in place safeguards that directly contradict many IT departments’ charters: enabling fast and flexible networks. Some IT folks feel conflicted about whether they should prioritize security over functionality, especially when the business is screaming for more functionality.
An enlightened IT team may adopt a security initiative on its own volition, but IT will need support from the broader business leadership to make this initiative successful. As corporate counsel, we should not wait for our IT department to prioritize and propose mitigation for cybersecurity risk.
We also shouldn’t beat them up for not having it done already. The Office of the General Counsel should bring IT to the table and help them be successful in this critical risk-management initiative, for all the reasons we help our clients anticipate, understand and mitigate other important business and legal risks.
We need to understand the IT jargon, educate ourselves on the risk and determine how we raise awareness and effectively champion the security cause within our organizations, partnering with and supporting IT.
General Counsel Trap No. 2: “If Something Bad Happens, Our Guys Know Who to Call”
Mike Tyson is reputed to have said: “Everyone has a plan until they are punched in the face.” People behave unexpectedly in moments of crisis and when they feel threatened. A perfectly rational helpdesk operator may panic and raise issues to all the wrong people when a critical system appears to be down or when a security vulnerability appears to be exploited.
Without clear (preferably written) guidance on who your incident response team is, and how to contact them in the middle of the night, you never know who a good corporate citizen might contact. Or worse, they might not call anyone and allow the attack to persist.
As any good general counsel and crisis manager can attest, informing the business early and often regarding who to call if there appears to be an attack can help ensure, and expedite, the appropriate response. Identify your incident response team, including outside advisors you might need to engage, publish their numbers internally and train – early and often.
General Counsel Trap No. 3: “We Let IT Solve IT Problems”
We have read the news, time and time again. A breach followed by a lawsuit. Lawyers who are paying attention understand that cybersecurity risk management is a legal concern, and not just IT’s problem. So… who is the commander-in-chief when the inevitable occurs?
There is no one-size-fits-all answer, but the incident response team needs to identify this person immediately (ideally in advance of an incident, such as in the incident response plan documents) and allow them to coordinate the response efforts according to the plan. In addition, this leader needs to know when to involve counsel. The answer could be that counsel is involved in any potential security breach incident, or it could be that the leader uses his or her well-informed discretion.
I opt for the former approach, unless circumstances mandate otherwise. Preserving evidence or identifying the perpetrator may require that IT does things that are counter-intuitive for some IT professionals. The incident response leader also needs to ensure the team is being mindful of legal obligations that are triggered by some breaches, including breach notification requirements and contractual obligations.
Counsel should be working closely with IT as the organization determines the action it will take in the moments, hours, days and weeks after a breach.
The Office of the General Counsel should become as conversant with its IT staff as it is with its board. It is always better to be proactive in developing these relationships with IT so that you have context for each other (and all the acronyms and jargon we all use) before an incident is discovered.
For example, the general counsel should know what the 20 critical security controls are for an effective cyber defense, and so should her team. The general counsel should know how many of those controls are implemented by your company, and how mature your security posture is in IT, R&D and other key areas of the organization. Follow the recent developments in the FTC v. Wyndham case, to understand the standards to which an organization will be held if there is a security breach.
One of the best parts of serving as General Counsel is knowing who in the organization is doing what and connecting with the organization’s critical talent. This will also enable you to know who you can call in the middle of the night when you need to take care of the business.