March 2019

As many of you know, I prefer a diverse mix of questions in each addition of Ask The Expert. But on occasion I get one question that leads to multiple answers and takes up an entire column. That’s what we have today.

The advice and insights you’ll be reading about, apply across the board and can help everyone from your legal team to your newest hire. So, take a moment and explore these seven key points. These aren’t obtuse theories. Instead they’re solid strategies and tactics you can start using today.

Management has asked our legal team to take a more active part in our cybersecurity program. What would you recommend we do to help make our organization more secure, legally?

What a great question. There are seven items I recommend immediately. A strong legal stance on cybersecurity can significantly impact your organization. Let’s not waste a minute getting started.

1. Train Employees Well – Turn employees from high risk to high reward. Train team members how to recognize social engineering schemes, where a combination of phishing e-mails and personal phone calls are used in an attempt to gain access to data, be it personal, financial, trade secrets or more. Review your employee policies, protocols and training methods. Keep your strategies and tactics flexible and adaptive, because criminals are developing new attack methods targeting employees daily.

2. Implement Cyber Fraud Controls – Highly developed cyber fraud threats are on the rise. Criminals posing as legitimate vendors or partners will submit fictitious invoices or account inquiries in the hopes of compromising your defenses. Once compromised, expect wire transfers and/or direct deposit transfers to begin. Work closely with accounting to make sure controls are being carefully followed, particularly when a change of payment inquiry is made. Implement precise procedures and monitor if and how they are being used. Review procedures and keep communication open with your AP teams.

3. Secure Online Accounts – Legal needs to play a critical role in determining account access policies. Review password policies with an emphasis on role-based and access-based restrictions. Also consider whether multi-factor authentication is appropriate for these types of accounts and if such a change would work within your environment.

4. Initiate Proactive Threat Hunting – As professional criminals and nationally sponsored bad actors continue to escalate their attacks on U.S. organizations, often by using human infiltration, it is imperative that legal and security develop on-going investigative procedures to monitor existing employees, new hires and potential hires for possible corruption. At the same time, intrusion detection and breach assessment measures should be fine-tuned and closely monitored.

5. Incident Response Planning And Practice – More and more companies are using table top exercises to hone incident response measures. However, special attention and practice needs to be given as to when and how non-IT Management and Executive Management are informed of a breach. Additionally, legal should be involved in incident response exercises, while also reviewing past breaches to determine if procedures were followed accurately and in full accordance with regulatory standards.

6. Don’t Let Vulnerability And Patch Management Programs Grow Stale – Cyber criminals evolve and change methods quickly. You can leave nothing for them to exploit. Legal and information security should incorporate on-going programs to identify vulnerabilities and patch them efficiently, within organizational guidelines. By doing so, management can accurately assess risk and evaluate whether an increase in cybersecurity measures is needed.

7. Know What Data You Have And Where It Is Stored – Many companies are unaware of just how much data they have and where everything is stored. Make a strict accounting of what you have, where it lives, and how accessible it is. Legal should review data retention strategies with top management and determine the viability of data held for long periods. Remember, criminals can’t steal what they can’t see and can’t find. Sometimes it’s better to be ruthless with data that’s valuable but no longer fully necessary, than to store assets that could become liabilities.

These seven steps could easily be expanded upon, but space simply doesn’t allow. The good news is that everything presented here is actionable. You could start improving or updating your procedures and strategies the moment you stop reading.