Do you know where your client's or organization's data is? It's not a rhetorical question; it's a serious issue that should be at the core of any cybersecurity assessment. Many IT and security departments may have all sorts of sophisticated tools and processes for securing data in-house, but what about service providers who have access to the network? What about outside law firms handling the data on their own premises or in the cloud? And what about the vendors that those firms use?
Cybersecurity has been elevated to a top priority in today's corporate boardrooms, as news of major data breaches has become commonplace over the last few years. The scope of some of those breaches has reached catastrophic proportions, and recent discoveries illustrate how systematically hackers have pursued a third-party vendor attack strategy.
For instance, in a recent article renowned cybersecurity expert and journalist Brian Krebs analyzed the successful attack patterns on several large organizations. See “Catching Up on the OPM Breach,” Krebs on Security. Since July 2014, Chinese hackers have breached and stolen data from the U.S. Office of Personnel Management (OPM) and its third-party vendors. First they targeted OPM's background check provider USIS; then, after OPM replaced that provider, hackers breached the new background check provider, Keypoint, apparently to capture data on federal employees applying for security clearance. Then came the Anthem breach; shortly thereafter were the lesser-known breaches of two Blue Cross subsidiaries that happen to serve federal employees.
It is clear now that these are not isolated events. This is a strategic campaign targeting third-party vendors and government agencies that have undoubtedly stood out in hacker probes as having both inadequate security and high-value, data-rich environments.
What can we learn from these and other recent incidents?
Lesson 1: Pay Close Attention to Service Providers
Third-party vendors are an increasingly common attack vector and have played a role in many prominent breaches over the last few years, including Target, Home Depot, AT&T, Goodwill and Bank of America. Clearly, companies are not adequately scrutinizing their service providers' security measures.
And don't be fooled into thinking your contracts with third parties will protect you from liability if a serious breach originates outside your own firewall. You own the data, and the security of that data is ultimately your responsibility. To wit, Target's CEO was the one who was called to testify before a congressional committee, not the HVAC vendor that compromised Target's network. Target also was compelled to provide detailed documentation of the steps it had taken to protect sensitive data prior to and immediately following the attack.
Cloud providers and other third-party vendors may share some of the culpability after an incident, including a portion of the damages. But when it's your data that is exposed in a serious breach, you will be the target of lawsuits, not your vendors. Plaintiffs will assert that you failed to perform due diligence on the companies with which you do business and neglected to provide sufficient oversight over the course of those engagements. Claims can range from negligence, breach of contract and breach of fiduciary duty to invasion of privacy, consumer fraud and deceptive business practices. Is your company in a strong enough position, legally and financially, to combat those claims?
Also, be especially careful about the law firms with which you work. Many companies have third-party policies that cover law firms, but they may not have strict policies to cover the firm's vendors. Although some firms have prioritized information security initiatives, such as implementing managed security services or obtaining ISO 27001 certification, on balance, lawyers have been notoriously slow to keep up with technological changes that affect their business.
The law is clear, however: Lawyers have an unequivocal duty to exercise reasonable care to protect the confidential information entrusted to them. They also have an explicit ethical obligation as competent legal professionals to understand the technologies they work with. Furthermore, regulations are increasingly specific and far-reaching about the processes and protocols law firms and other organizations are obligated to follow in order to protect personally identifiable information (PII). The standard of care is rising, and companies are well advised to assess whether their law firms are able to meet the challenge.
Lesson 2: Throwing Money At the Problem Isn't Enough
The importance of this lesson becomes clear when we digest the fact that shortly before the Target breach, the company had purchased a $1.6 million malware-detection tool and had a team of security professionals continually monitoring its systems around the clock. JPMorgan Chase & Co., at the time of its own breach, was already spending a whopping $250 million per year on cybersecurity. These examples and others indicate the problem is not a lack of awareness or an unwillingness to make cybersecurity a budget priority. In fact, most enterprises are spending mightily to prevent and detect threats, but that doesn't seem to have slowed the frequency of reported breaches nor diminished their severity.
The truth is that no cybersecurity program can guarantee that hackers won't get into your system. The gap between breach and detection is growing steadily, and this is because most organizations have invested more heavily in prevention and detection technologies, which are really only able to prevent and detect what you tell them to. Given that close to 80% of breaches involve weak or stolen login credentials, and with the increasing volume of new and evolving malware, relying on technologies that can only identify known threats is not the most effective risk mitigation strategy. Instead, companies need to start with the assumption that breaches will happen, and then develop detailed incident response plans that will minimize the impact of an incident. Having a solid incident response plan in place can mean the difference between experiencing a minor breach and suffering a major, newsworthy event.
Lesson 3: A Quick Response Is Key
When you study the timelines of some of the most egregious data breaches, weeks or even months went by between the first signs of infiltration and decisive steps to assess the initial damage, notify regulators and customers, prevent further intrusion, and begin remediation. Perhaps worse, companies often fail to document remediation steps once the process begins, which will almost always come back to haunt you once regulators and class action lawyers have you in their sights.
The failure to respond quickly, effectively and defensibly to an attack will almost certainly magnify its deleterious effects: interrupting everyday business activities, increasing costs, causing brand damage and customer churn, increasing the scrutiny of regulators, and increasing the potential for major legal problems down the road.
A Proactive, Risk-Based Approach to Cybersecurity
What steps can you take now to protect your company? Understand that cybersecurity is not just an IT problem; it's a companywide issue. Engage stakeholders across the entire enterprise, including representatives from IT, security, legal, compliance, HR and C-level executives to collaborate on risk management and develop an incident response plan. Creating a culture of security starts at the top and requires genuine commitment from executives, influential leaders in the organization and even the board of directors. The objective should be to create a companywide culture of security in which employees at every level understand the potential threats to your business and the importance of respecting security policies and procedures. Employees also should be familiar with common attack vectors and the nature of the data you need to protect, so they are better able to recognize anomalies and potentially suspicious activity.
Adopting a risk-based approach to cybersecurity will help you identify which threats pose the highest level of risk and prioritize them accordingly. To begin, ask yourself and your colleagues these simple questions:
Yes, advanced tools will be an important part of the equation for many companies, but you must make sure you have sufficient access to skilled experts, either as internal resources or through a managed service contract, to implement and maintain those tools effectively.
Once you have gone through the process of answering and discussing these basic questions, you are well on your way to developing an effective incident response plan. Such a plan will clearly define roles and responsibilities when there is an alert or a clear attack, and specify when to engage outside experts such as forensic investigators or legal experts specializing in cybersecurity and defensible response tactics. It also will define the protocols for handling disclosures and notifications. Many large enterprises are in a state of nearly continuous incident response, and that can actually be a good thing. The more experience your team has responding to minor incidents, the more effective they will be when a serious attack occurs.
All of this holds true for the third parties that handle your sensitive data. A vendor's incident response plan should not only cover the same bases, but it should readily integrate with your own plan so that coordination does not become a barrier in the early hours and days of a security event.
The nature of effective cybersecurity is evolving. The focus has shifted from prevention to preemption. Smart companies will continue to seek better technology, with an emphasis on improved, context-aware, anomaly detection techniques leveraging multiple layers of analytics and visualization.
But technology alone cannot mitigate the many potential threats to your data. Behavior also needs to change. Companies that are serious about mitigating risk will establish programs requiring regular collaboration across business units to identify the most important threats, thorough vetting and monitoring of third parties that access or handle the most vulnerable data, and the development of detailed incident response plans that enable faster and more effective reactions to emerging threats.
Jason Straight is senior vice president and chief privacy officer of UnitedLex. He has more than a decade of experience assisting clients in managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges. Prior to joining UnitedLex, Straight held numerous leadership positions at a leading global investigations and cybersecurity company. He is a frequent speaker and author on topics relating to data privacy, cybersecurity, data breach response and computer forensics.