Today's General Counsel, Winter 2020

Page 34



Creating a Healthy Cybersecurity Framework By Stefanie Major McGregor and Michael Holmes



Cybersecurity continues to be a hot topic in business, and a proper framework may determine the long-term health of your organization. Although cybersecurity may seem a daunting topic to address, it can be managed in the same way you manage your personal health. Here are some diagnostic questions for your organization to consider when approaching a healthy cybersecurity framework: Do you have a detailed incident response plan for a data breach? Have you conducted a test run? Do you have a cyber insurance policy that adequately protects your organization? Do you understand its terms and requirements? Have you incorporated cybersecurity expectations into your third-party vendor agreements? Have you conducted a security audit of those vendors to determine if they are following your cybersecurity practices?

One common mistake is not including a vendor’s subcontractors in cybersecurity best practices considerations.

Much like going to your physician for your annual checkup, it is vital for any organization to conduct regular cybersecurity assessments. Cybersecurity in its simplest form is the protection of digital information from compromise through use of electronic systems and protocols to prevent loss or theft. Far more than passwords and firewalls, cybersecurity requires a close working relationship between C-suite, legal, and IT personnel to determine what the organization’s valuable digital assets are and how they are being stored. Cybersecurity is an organization-wide risk management issue — not just an IT or CIO issue — with broad legal implications. Once digital assets have been identified and located, the organization should determine all access points and those with access. Armed with this knowledge, an organization should be able to design a security risk management framework that will mitigate the likelihood of intrusion. Establishing metrics for your framework will result in better controls and improvements over time, including monitoring the types of cyberattacks the organization is receiving — distributed denial of service (DDoS), network intrusions, data tampering/theft — and what types of endpoint monitoring and protection the organization is implementing, e.g., encryption coverage, regular patches, anti-virus/anti-malware. Training employees and organizational partners is the most critical component, as your framework is only as strong as your least security-conscious employee or vendor.

INCIDENT RESPONSE

Your initial cybersecurity assessment will serve as a crucial timesaver in creating an incident response plan. Organizations should establish policies and procedures, as well as roles and responsibilities, for all members in response to cyber incidents. Common incidents — such as DDoS attacks, network intrusions, malware infections, corrupted data or loss of customer personal information — should have very well-rehearsed response procedures that can be performed without consulting the manual. For less common cyber incidents, a well-crafted response plan should model a medical emergency plan and include the following:


First Response: The first step should never be to determine whom to call. Have first responders and systems in place who know whom to contact to initiate response procedures.

Stop the Bleeding: Once the threat is identified and the team is mobilized, stopping the bleeding is essential before post-intrusion measures can be taken. Given the sophistication of some intrusions, a thorough evaluation of whether any other remaining threats were overlooked can save the organization from having to restart the response and notification process.

Diagnosis: Once the threat has been neutralized, the response team needs to diagnose which systems and data were compromised. This is an essential step, not just for the recovery process but also for legal to determine who must be notified and what must be communicated. The balance between over- and under-communication in response to an intrusion, particularly with the public, is a difficult decision and should be made with the input of all leadership.

Treatment: This step is typically dependent upon established data redundancies. As with any type of medical treatment, recovery and restoration should only be attempted once the threat has been fully neutralized, the investigation has been completed and the scope of the damage ascertained, and the system has been secured. Best practices would also suggest detailed documentation of the systems and data that were compromised in case of subsequent legal or administrative action against the organization.



