Top Cybersecurity Advice For In-House Counsel

Uploaded on 2022-12-07 in FREE TO VIEW, BUSINESS-Services-Law

Cyber attacks have unfortunately become a part of today’s business environment, making cybersecurity a key consideration for any company. Zooming in on legal departments in particular, cybersecurity has been highlighted as one of the top three issues for chief legal officers (CLOs) according to this year’s ACC Chief Legal Officers Survey.

The recent ACC Foundation Cybersecurity Report has further emphasized in-house counsel’s involvement in forming the cybersecurity strategy for their organizations, with 84% of CLOs now playing a key role in managing this part of the business. Moreover, it has shown that 38% of companies have increased the yearly spend on their approach to cyber compared to last year’s results. With this in mind, it is more important than ever for in-house counsel to understand the key aspects of cybersecurity to fulfill their duties and provide effective counsel. While this makes for a complex task, this article aims to provide practical advice on how companies can proactively mitigate cybersecurity problems in-house. 

Understand The Difference Between IT vs. Cybersecurity 

Contrary to what lawyers sometimes think, IT and cybersecurity are not the same function. IT’s focus is on keeping the business running in a quick, seamless, and efficient manner. By contrast, cybersecurity’s focus is on security. As a result, the cybersecurity function may act as a brake slowing down the business to ensure it runs in a safe manner. 

Ideally, cybersecurity and IT would be separate teams. However, this may not be an option for many small companies, where the cybersecurity function often reports to the IT head. In such configurations, the IT and business teams should be aware of the difference between the two functions, and management should support providing adequate training to the IT team. 

Start With A Cyber Risk Assessment

If you don’t have a protocol in place, consider using existing models, such as Lockheed Martin’s Cyber Kill Chain®, a framework for delineating the stages of a cyberattack, spotting vulnerabilities, and stopping the attack at the various stages of the chain. Various audit standards have also been developed that could be used to form a cyber risk assessment. 
  
Maintain Privilege Over Cybersecurity Assessments As Needed 

In theory, for privilege purposes, it shouldn’t matter whether it is internal versus outside counsel that leads the assessment. However, engaging outside counsel to do so may be better from a perception standpoint. 

If you involve a third party to conduct a cybersecurity assessment and want privilege to apply, consider these steps: 

  • Decide whether to have the assessment performed under privilege. Not all assessments qualify. For privilege to apply, there should be some element of identifying and mitigating legal risk. 
  • Have the assessment conducted under your instructions (issued in your capacity as legal counsel), with a privileged memo. 
  • Ensure that you as legal counsel are involved in strategic meetings with the forensic company. 
  • Ensure that the forensic company reaches out to you as the attorney when they need strategic guidance, as opposed to just liaising with your company’s IT team. 

Beware Of Publicly Available Sensitive Information 

Assess public information about your company’s systems. What information could malicious actors easily find online about your company’s computing and vendor management systems?  Some companies post a link on their websites for vendors to connect to the organization’s vendor management system. While this is efficient from a business standpoint, it may be risky from a cybersecurity standpoint. 

As for social media content, consider what information is available on your staff’s LinkedIn profiles, as this might describe which systems, firewall, and other computer and cyber tools your company has implemented. Implementing a social media policy that prohibits employees from posting sensitive information, such as the systems and tools your company uses, would also make for an effective solution. 

Implement Multi-Factor Authentication (MFA) 

Don’t rely on simple password access. Systems that don’t require multi-factor authentication (MFA) open your company to the risk of “password spray” attacks, in which a malicious actor targets your systems with a high volume of password guesses based on a password pattern that the bad actor has figured out. For example, for temporary password resets, many companies unfortunately use a pattern that is too easy to guess. 

To reduce this risk, put in place multi-factor authentication, where the users must input their password, then receive a text or email with a separate code that they must insert to access your systems. Another solution is to check whether your company uses easy to figure out patterns for temporary resort passwords and if so, ask the IT department to use a random password generator instead.

Robert Kang is a specialist  cybersecurity attorney and member of The Association of Corporate Counsel 

You Might Also Read: 

Cyber Effects On The Legal Profession:

 

« Proactive Security Tips For Your Business After A Security Breach
Resilience Is Essential To Protecting Critical Infrastructure »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Infinigate UK

Infinigate UK

Infinigate is a value-added distributor of IT security solutions to protect and defend IT networks, servers, devices, data, applications, as well as the cloud.

Council of Europe - Cybercrime Programme Office (C-PROC)

Council of Europe - Cybercrime Programme Office (C-PROC)

The Cybercrime Programme Office of the Council of Europe is responsible for assisting countries worldwide in strengthening their legal systems capacity to respond to cybercrime

Axiomatics

Axiomatics

Axiomatics provides dynamic authorization and access control solutions to protect critical data assets.

Stormshield

Stormshield

Stormshield is a European leader in digital infrastructure security. We offer smart, connected solutions in order to anticipate attacks and protect digital infrastructures.

AFCON Control & Automation

AFCON Control & Automation

AFCON is a leading global provider of software solutions and services for the smart management of Control & Automation systems in the age of Digital Transformation.

Lacework

Lacework

Lacework brings speed, scale, and automation to cloud security and allows security and DevOps teams to collaborate on keeping data and applications safe.

SMiD Cloud

SMiD Cloud

SMiD encryption technology has been developed following the highest security practices to allow the data availability, integrity and confidentiality.

Secude

Secude

SECUDE is an established global security solutions provider offering innovative data protection for SAP users.

Cyber Security Operations Consulting (CyberSecOp)

Cyber Security Operations Consulting (CyberSecOp)

CyberSecOp is an ISO 27001 Certified Organization which provides cyber security operations services and risk management consulting.

VikingCloud

VikingCloud

VikingCloud (formerly Sysnet Global Solutions) offers organizations an integrated cybersecurity and compliance solution to make informed, predictive, and cost-effective risk mitigation and prevention

SnapAttack

SnapAttack

SnapAttack is a collaborative platform that empowers your security team to stay ahead of threats, create robust behavioral analytics for your existing tools, and prove your program's effectiveness.

Binarly

Binarly

Binarly has developed an AI-powered platform to protect devices against emerging firmware threats.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

Agile Defense

Agile Defense

Agile Defense is an Information Technology services provider, delivering leading-edge Digital Transformation solutions to the Federal Government.

Catalyst Campus For Technology & Innovation

Catalyst Campus For Technology & Innovation

Catalyst Campus is a collaborative ecosystem to create community, spark innovation and stimulate business growth.

Ultima

Ultima

Ultima are on a mission to help businesses unlock their true potential by using the right IT to protect your company’s revenue and reputation – 24/7.