Editor: In your experience handling cybersecurity issues, what are the primary risks that organizations face?
Garrett: Most organizations today have some valuable confidential information or intellectual property that makes them vulnerable to a cyber attack. Indeed, companies are under constant assault from hackers and inside threats. These risks are not static and vary significantly depending on Internet connectivity and infrastructure complexity. In this difficult environment, it is paramount that companies have an in depth understanding of the digital threats they face and draw on the expertise of trained professionals – in this instance, lawyers – to manage the substantial legal risks that those threats also create.
Editor: What are the key elements of a cybersecurity incident response plan?
Garrett: Data breaches are emergent, often chaotic, situations, and as a result, the first and most important step is to have a formal, written plan in place prior to a breach. You don’t want to try to build the plane in the air. It’s critical that the plan define the roles and responsibilities of the response team so there’s no confusion about who is responsible for what. Critically, the plan should establish clear action items necessary during the first 72 hours of a breach, including notifications to internal and external resources who will lead the investigation.
A good incident response plan should also include an educational component designed to train employees to identify and report breaches. Employees are on the front line of a company’s cyber defense, and prompt notice of a breach can often significantly mitigate any damage.
Editor: Take us through some of the first steps in responding to data breaches.
Garrett: I tell clients to treat the network infrastructure like a crime scene: Take steps to preserve evidence. When a breach is detected, organizations obviously want it to stop as quickly as possible, so their first inclination is to shut off access to their network, but a system shut down may compromise crucial volatile evidence stored in the system’s memory. We typically advise against shut downs and instead suggest taking steps to cut off external access to the affected systems, isolating them to the greatest extent possible, while preserving evidence for the subsequent investigation. Many sophisticated organizations have trained internal resources to handle such tasks, but it’s also something a firm like Stroz Friedberg specializes in.
Another recommended early step is to change all administrative encryption keys and passwords – the keys to the kingdom. This step alone certainly doesn’t guarantee that a hacker won’t have continued access to a network, but it is a low-cost, easy-to-execute measure that can mitigate the ongoing loss of information.
Editor: What are your recommendations to clients in their efforts to detect cybersecurity issues? Does your prior experience as senior corporate counsel for Oracle inform this advice?
Garrett: It goes without saying that cybersecurity is complex and difficult. There is no silver bullet or software product that can provide full and guaranteed protection. Companies need to take a comprehensive, risk-based approach that considers both external and internal threats. Focusing exclusively on network-type controls, such as firewalls and data loss protection (DLP) tools, is a big mistake.
Working in-house gave me a strong appreciation for the fact that, while cybersecurity threats are ubiquitous, a company’s ability to respond depends significantly on the resources available and the organization’s tolerance for risk. The right approach must balance resources with the company’s risk threshold and culture. In-house counsel have a vital role to play in assessing the risks and resources and presenting options to the board and senior management. Clearly, developing a viable risk-based plan is not a one-size-fits-all process; it requires a collaborative approach throughout the organization, often in concert with external advisors.
Editor: Tell us about your role as an external advisor.
Garrett: Stroz Friedberg has been involved with some of the most cutting-edge data breaches in recent years. Certainly, we advise on the technical facts and leverage our extensive knowledge of methods of attack, but our experts, some of whom held prior roles in law enforcement, also serve as trusted advisors to help companies develop a response plan; often we do this following a breach investigation, and more and more frequently it’s as a proactive, defensive initiative.
My personal approach includes being mindful of the emotional component. Data breaches are crimes, and clients are victims who are understandably upset, and therefore, may need help with distinguishing productive goals from the natural desire for retribution. Having a legal backround, I also help with addressing the complex legal ramifications in investigating incidents.
Editor: Do you encounter resistance when proposing security risk consulting projects as a preventative measure to your clients?
Garrett: Yes, sometimes. These projects necessitate bringing a critical eye to a company’s security posture. They are often seen as an evaluation of the IT team’s job performance. Now even the best IT professionals can make mistakes, or perhaps they’re not trained in information security. There is some natural resistance to outsiders coming in with a critical view. It’s just human nature.
Resistance also comes from a common misperception that a security risk assessment will be disruptive to the company’s operations. This is just not true. Some organizations simply elect to bury their heads in the sand, whether or not they do it consciously, which is a huge mistake. But as I tell my clients, simply because an organization hasn’t had a breach doesn’t mean it isn’t vulnerable.
We go to great lengths at Stroz Friedberg to address our client’s concerns and remind the IT team that our job is to collaborate with them and collectively work to minimize the security risks. I tell clients frequently to think of security risk assessments as insurance policies. Most companies or law firms understand the need to manage risks in part with insurance. Of course, getting just the right coverage – just like getting the right information security defenses – depends on a thorough understanding of the relevant risks. You cannot accomplish that unless your eyes are wide open.
Editor: Please talk specifically about internal risks. Certainly, there is much in the current media to warn of them.
Garrett: Speaking generally, the Snowden case shows us the extent of damage that an insider with authorized access can cause. Insiders pose unique threats, primarily because it’s difficult to detect when information leaves a network if no one is breaking in from the outside.
Too often organizations implement network controls, such as Intrusion Detection Systems (IDS), and then assume everything is okay. This is another area where a risk-based approach is essential. We often speak to clients about the need to compartmentalize information. What is the critical information that needs protection? Who absolutely needs access to it? And who should not have access to it? Often these criteria are not explicitly matched up and are not reflected within a company’s network architecture, much less monitored or audited.
The insider problem is also emblematic of the key role that physical security plays. Part of the problem with the insider threat is identifying security anomalies since insiders have legitimate access to resources. A holistic approach is necessary to correlate physical and IT data to help identify anomalous behavior and also deter individuals from acting badly.
Editor: How would you summarize the key regulatory issues in connection with cybersecurity?
Garrett: The statutory and regulatory provisions potentially implicated by cybersecurity are varied and complex. State data breach notification statutes may be triggered when a breach occurs, with some states imposing tight timeframes for notification to regulators and affected individuals. Any business that handles credit card information may have PCI-DSS obligations. The U.S. Department of Health and Human Services issued new HIPAA rules in January that broadened the definition of “business associates,” thereby requiring compliance even by organizations that don’t primarily handle personally identifiable information (PII), including potentially law firms. The SEC has provided staff guidance pertaining to the cybersecurity-related disclosures of public companies. The FTC has been much more active in recent years in bringing enforcement actions in instances involving privacy interests. Even state regulators have jumped into the fray. Last year, the California Attorney General brought a high-profile action against Delta Airlines alleging that Delta’s mobile app violated California privacy laws.
It’s safe to say that this very brief summary represents a costly and multifaceted regulatory burden. Those costs, however, are dwarfed by the potentially devastating financial consequences that companies face in the wake of an actual breach.
Editor: Let’s turn now to a discussion of organizational policies and the proactive side of managing cybersecurity issues.
Garrett: Obviously, it is critical to have an information security policy, and we suggest one that is detailed and outlines specific standards against which an organization can be measured. Other workplace policies play an equally important role in cybersecurity, including acceptable use policies and social media use policies. In fact, hackers are increasingly using social media to gather intelligence about an organization and its employees and to actually distribute malware.
Interestingly, such policies can create tension between security initiatives and the desire to foster an open corporate culture. Social media are regularly used for recruiting and marketing purposes, and naturally those interests collide with the limiting aspects of security controls. A successful organization will find the right balance between promoting its culture while being mindful of information security concerns.
Editor: Tell us how Stroz Friedberg helps companies achieve the myriad goals we’ve been discussing.
Garrett: Experience is key. Having completed hundreds of data breach projects, we are a repository of information about attacks and techniques from both sides. This means we can very quickly determine what happened and how to deal with the full spectrum of issues: managing the crisis itself, dealing with regulatory compliance and law enforcement issues, and helping companies develop policies and technical defenses that meet their needs and budget constraints.
Stroz Friedberg is unique for its multi-disciplinary approach. Along with my own expertise in tech and IP litigation, our team consists of professionals who formerly served as federal cyber crime prosecutors, in law enforcement, and in the military. My colleagues are some of the world’s top security experts, and we will bring in any combination of team members to seek the truth so that we can properly address the challenges our clients are facing.