It has been clear for some time that cybercrime isn’t an outlier in the spectrum of corporate risk. Yet many organizations have been slow to wake up to that reality or, having awoken, are unsure of what steps to take to manage that risk. Law firms are in the thick of it, with nearly half of all firms infected with viruses, spyware, or malware last year.
Every organization with an online presence or a connection to the Internet has become the potential target of intrusion and theft. Computer hackers are specifically targeting law firms to steal intellectual property data and trade secrets.
Based on a degree of paranoia combined with a healthy dose of skepticism, here’s an approach that reflects the practical difficulty, if not impossibility, of completely securing any network against serious attack. It also accepts the reality that, in spite of this, companies still have business and legal reasons for taking all reasonable measures to do so anyway. Organizations should think about cybersecurity at four levels, making the following assumptions:
- First, assume that your network is being subjected to frequent opportunistic probing if not targeted attack. Take all reasonable measures to harden the network against the ongoing attempts to break in. If an attacker is successful in gaining an initial toehold (e.g., installing a key-logger on the computer of an employee), take all reasonable measures to make it harder for the attacker to leverage that toehold into a full-blown reconnaissance of the network, resulting in the location and theft of confidential information.
- Second, assume that your defenses will fail and that an intruder will be able to get inside your network to reconnoiter or lay the groundwork to steal and exfiltrate information. Take all reasonable measures to try to detect that intrusion as early as possible so that it can be dealt with before confidential information is stolen.
- Third, assume that your intrusion detection measures will fail to alert you to the problem before an intruder succeeds in stealing confidential information. Have a response plan in place so you can react quickly and adequately to the data breach, minimize the damage to your information assets, and minimize the risk of collateral damage to your business and reputation.
- Finally, assume that the absolute worst will occur, that highly sensitive information will be stolen, and that you’ll need to defend yourself against a government investigation or in civil litigation. Have documentation ready to show that you did in fact take all reasonable measures to defend yourself and that you did respond properly when those defenses failed.
This approach is excerpted from Gabriel Ramsey and Jeffrey Cox’s article Cybersecurity Defense: Practices and Strategies in the Summer 2014 issue of CEB’s California Business Law Practitioner. That article includes specific security questions and answers for all organizations to consider.
Cybersecurity is also covered in CEB’s Internet Law and Practice in California, chapter 18 and Financing and Protecting California Businesses, chapter 13. The US Department of Justice has put out a document of Best Practices for Victim Response and Reporting of Cyber Incidents.
© The Regents of the University of California, 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.