Unprepared for a Cyberattack? The DOJ Wants to Change That

By Phillip Bantz
November 01, 2018

Data protection tips are virtually everywhere these days. From emails and news feeds to blog posts and reports, the world is awash in cybersecurity advice. So it's hardly surprising that the U.S. Department of Justice has released new guidelines on that very topic. The UK's National Cyber Security Centre is poised to follow suit.

But despite all the free and readily available advice that's floating around out there, studies keep popping up that say people aren't paying enough attention or have adopted a laissez-faire approach to cybersecurity.

Celebrity case in point: Kanye West, who already has been on the wrong end of several data breaches, accidentally showed the world his iPhone password during a live broadcast of his meeting with President Donald Trump.

And Kanye's not alone. A report released last month from Oregon-based ethics and compliance software and services company NAVEX Global showed that businesses also aren't doing enough to guard their valuable data.

More than 30% of the organizations that responded to the survey said they used “basic or reactive” programs to manage risks posed by contractors, consultants, data vendors, marketers and a host of other third parties that could gain access to a company's data.

The study, which involved 1,200 respondents who “influence or manage their organization's ethics and compliance programs,” also found that more than a third of the participants relied on paper records or “disparate software,” such as word processing and spreadsheets, to carry out third-party risk assessment and management programs.

The DOJ would not be impressed, but it also probably wouldn't be shocked.

The agency noted in its revised cybersecurity guidelines released last month that yet another study published earlier this year — this one surveyed nearly 3,000 IT professionals — revealed that a whopping 77% of the respondents didn't have a formal cybersecurity incident response plan.

In the revised guidelines, the DOJ stressed, for the first time, the importance of keeping senior management in the cybersecurity loop.

“This is a serious enough issue that it cannot be left to the working level for the planning to be done. And management shouldn't just get involved in the initial stage, they should be involved throughout as the plan is adopted and set into motion,” says Ronald Cheng, a partner at O'Melveny & Myers in Hong Kong and Los Angeles. He focuses on data security and privacy.

The DOJ recommended that companies spend more time planning for cybersecurity attacks, which means being more proactive about finding and patching security vulnerabilities. Using server logs and monitoring network traffic can help identify which computer systems are affected and where the intrusion originated.

“You can sum up the main difference [between the original and revised DOJ guidelines] in one word: Preparedness. This updated version has a far greater focus on what organizations should do before you experience an incident,” says counsel Samuel Cullari, a data security expert at Reed Smith in Philadelphia.

More companies are turning to incident response firms in the wake of cybersecurity incidents, according to the DOJ, which advised that businesses do their due diligence to ensure that the firms they hire are “well acquainted with forensically sound methods of evidence collection that do not taint or destroy evidence.” That's because the firms often show up before federal investigators are contacted, according to the DOJ.

Another addition to the guidelines concerns cloud storage, which the DOJ said was convenient and relatively secure though still not immune from cyber threats. It's important to ensure that a company's cloud storage is adequately guarded.

It's also smart to have an agreement with a cloud service provider that not only allows law enforcement and incident response firms to access a company's data in the event of a breach, but also requires that the provider assist in the investigation.

Here are a few other takeaways:

  • Have a plan in place that includes key notification contacts inside and outside the company in order to react quickly and effectively to an incident.
  • At least one of those contacts should be law enforcement, so it's a good idea to get to know a local federal agent before there's a data breach.
  • Keep a written record of the company's response to the incident, which will be helpful if the investigation leads to a criminal or civil case.

*****

Phillip Bantz is a reporter for Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy. Follow him on Twitter @PhillipBantz.