BreachExchange mailing list archives

9 Key Steps in a Proactive Cybersecurity Review


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 20:42:34 -0600

http://www.law.com/corporatecounsel/PubArticleCC.jsp?id=1202618903992&9_Key_Steps_in_a_Proactive_Cybersecurity_Review&slreturn=20130824161215

Imagine you are the manager of a bank that has just been robbed. The police
gather evidence from the crime scene to try to identify the robbers. Then a
federal official arrives to advise that you’re being fined for not doing
more to prevent the theft. Then some state officials arrive to say that
they’re fining the bank too, because some of your customers were residents
of their states. Then you learn that you’re being sued by the customers
whose money was taken.

For many companies in the United States, this scenario is playing out with
increasing frequency following breaches in cyberspace. Securing your
company’s network and protecting your valuable data is difficult enough in
today’s Internet-driven economy. But to be treated by regulators and courts
like an accessory to the crime after you’ve been hacked is truly adding
insult to injury.

Or rather, adding injury to injury. Because defending your company against
enforcement actions and class action litigation places financial burdens on
the company at a time when it is coming to terms with the reputational and
economic damages inflicted by the attack—and paying the costs associated
with protecting customers.

The Federal Trade Commission and many state attorneys general have already
marked their territory when it comes to data breaches, and the number of
class action suits against companies that have been victims of breaches is
growing steadily. Recent reports suggest the Securities and Exchange
Commission may be taking another step toward official rules on cyber
disclosures, which means companies could face even more regulatory
scrutiny—and shareholder litigation—in the years ahead.

In this environment, companies have to move aggressively and proactively to
prevent—and mitigate the consequences of—a breach. The single most
important step a general counsel can take is to engage in a comprehensive
review of the company’s information governance before a breach occurs. Not
only will this type of proactive review help reduce the risks of a breach,
it also will be an important part of your company’s defense in the
litigation and enforcement proceedings that are likely to follow.

Simply put, regulators and courts will be far less likely to blame the
victim company for the breach if that company can demonstrate the steps it
took in advance to protect its data and reduce its risks.

This type of review requires more than just the IT department, or even an
outside network security firm—it also involves a host of legal issues.
Moreover, in order to ensure attorney-client privilege for the results of
such a thorough review, it is best to have it commissioned by outside
counsel.

To maximize the protection for the company, the review should address the
following nine areas:

1. REVIEW PRIVACY NOTICES AND PRACTICES

Compare your privacy notice with your company’s actual practices to make
sure you’re doing what you say you’re doing. Otherwise you could be in the
sights of the FTC for deceptive trade practices.

2. REVIEW EMPLOYEE TRAINING ON CYBERSECURITY

Data security is not just about technology; it’s also about processes and
people. Your employees are your first line of defense, and one employee who
carelessly opens a spear-phishing email and allows malware to get onto your
network can undermine millions of dollars in security investments. For that
reason, reviewing and enhancing your training for employees, emphasizing
their shared responsibility for cybersecurity, is critical.

3. REVIEW NETWORK SECURITY

Technical security measures are critical components of your overall level
of protection. Here are key questions you should be asking:

- What type of authentication and firewalls are in place?
- Are default passwords being used? Are passwords sufficiently strong, and
  are they changed regularly?
- Does the network have an intrusion detection or prevention system?
- Is encryption used on the network, and are mobile devices encrypted?
- Is logging enabled on your network, and are logs stored for a sufficient
  time? If a breach occurs, logs will be critical in determining what
  happened and assessing the scope of the incident.
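Several of the questions above (default passwords, password strength and rotation, logging enabled and retained long enough) can be turned into a repeatable check rather than a one-off interview. The script below is an added illustration, not code from the article or from Risk Based Security; the account inventory, the default-credential list and the policy thresholds (12-character minimum, 90-day rotation, 365-day log retention) are constructed assumptions, and a real audit would evaluate configured policy and hashed credentials rather than a plaintext list.

```python
import re
from typing import Dict, List, Tuple

# Constructed, illustrative set of factory-default credential pairs (not exhaustive).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}

# Constructed sample inventory, purely for demonstration.
SAMPLE_ACCOUNTS = [
    {"host": "fw-edge-01", "user": "admin", "password": "admin", "days_since_change": 400},
    {"host": "db-01", "user": "svc_backup", "password": "Tr0ub4dor&3xample!", "days_since_change": 30},
    {"host": "vpn-01", "user": "operator", "password": "summer2013", "days_since_change": 120},
]
SAMPLE_LOG_CONFIG = {"logging_enabled": True, "retention_days": 30}


def is_default_credential(username: str, password: str) -> bool:
    """True when the username/password pair matches a known vendor default."""
    return (username.lower(), password) in KNOWN_DEFAULT_CREDENTIALS


def password_strength_issues(password: str, min_length: int = 12) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (re.search(r"[a-z]", password) is not None, "no lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "no uppercase letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no symbol"),
    ]
    return [message for passed, message in checks if not passed]


def rotation_overdue(days_since_change: int, max_age_days: int = 90) -> bool:
    """True when the credential is older than the assumed rotation interval."""
    return days_since_change > max_age_days


def log_retention_issues(log_config: Dict, minimum_days: int = 365) -> List[str]:
    """Flag logging that is disabled or retained for less than the assumed minimum."""
    issues = []
    if not log_config.get("logging_enabled", False):
        issues.append("logging disabled")
    if log_config.get("retention_days", 0) < minimum_days:
        issues.append(f"log retention below {minimum_days} days")
    return issues


def audit(accounts: List[Dict], log_config: Dict) -> List[Tuple[str, str, str]]:
    """Run every check and return (host, user, finding) tuples for the review report."""
    findings = []
    for acct in accounts:
        host, user, pw = acct["host"], acct["user"], acct["password"]
        if is_default_credential(user, pw):
            findings.append((host, user, "default credential in use"))
        for issue in password_strength_issues(pw):
            findings.append((host, user, f"weak password: {issue}"))
        if rotation_overdue(acct["days_since_change"]):
            findings.append((host, user, "password not rotated within 90 days"))
    for issue in log_retention_issues(log_config):
        findings.append(("<logging>", "-", issue))
    return findings


if __name__ == "__main__":
    for host, user, finding in audit(SAMPLE_ACCOUNTS, SAMPLE_LOG_CONFIG):
        print(f"{host:12} {user:12} {finding}")
```

Each finding maps back to one of the review questions, so the output doubles as documentary evidence of what was checked and when, which is the point the article makes about demonstrating pre-breach diligence.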

4. DEVELOP OR REVIEW—AND TEST—AN INCIDENT RESPONSE PLAN

If you don’t have an incident response plan, you need one. If you have one,
now is a good time to review it. Either way, that plan should be tested
regularly so you know it will work when the time comes. The plan should
make clear who will be called in to help when an incident occurs—and your
lawyer should be your first phone call. The lawyer in turn should engage a
forensics firm and other outside experts. This enables your company to
maintain the protection of the attorney-client privilege as it responds to
the incident, which will be critical when litigation ensues.

5. DEVELOP OR REVIEW YOUR RECORDS RETENTION POLICY

Make sure you store on your network only the data the company needs for
business operations; data that can be archived offline or destroyed should
be. If it’s not stored on your network, it can’t be stolen.

6. REVIEW CONTRACTS WITH BUSINESS PARTNERS

Review your contracts with suppliers, vendors, and other business partners
to ensure that they appropriately address responsibility and liability for
data security, and that they provide for regular audits to ensure
compliance.

7. REVIEW INSURANCE COVERAGE

No security is perfect, and the costs of a breach can be catastrophic, so
checking that your insurance coverage is adequate—including response,
remediation, and litigation costs—is critical to protecting your business.

8. REVIEW COMPLIANCE WITH THE LAWS GOVERNING YOUR DATA

In addition to sector-specific federal laws and the FTC Act, nearly every
state has laws governing data privacy and breach notification. Your company
may also be subject to foreign data protection regimes. And for public
companies, the nature and adequacy of disclosures about cyber risks will be
subject to review by the SEC. In this complex legal environment, it’s
important to ensure that your information governance practices will not run
afoul of applicable state, federal, or foreign law.

9. REVIEW YOUR CORPORATE GOVERNANCE STRUCTURE RELATING TO DATA SECURITY

Data breaches pose risks to the entire company. For that reason, companies
should assess their relevant corporate governance structures. All too
often, the board will become involved after an incident occurs, but doing
so in advance will help ensure that the company is devoting sufficient
resources and attention to data protection.

No one wants to spend money to address a problem they have not yet
experienced. But most experts will tell you that there are two types of
companies: those that know they’ve had a data breach, and those that
haven’t yet realized it. Conducting a proactive information governance
review will help your company reduce the risks of a cyber incident, and
will best position the company to defend itself in litigation and
enforcement proceedings if (when) a breach does occur. The best defense
later is a proactive defense now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/