Articles Posted in Human Firewall

Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry.  The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it in an efficient and economical basis.

The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk.  Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice.  Evaluating cybersecurity risk is no different – it requires that a company understands the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise).  Understanding this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.

Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds a breach will be handled correctly and efficiently.

What can cybersecurity lawyers bring to the table?

Hand-in-Glove Collaboration

Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol.  Lawyers are particularly able to address the key elements of an effective cybersecurity plan. Continue reading

human-firewall-superhero-300x166One of the great frustrations in contemplating a data security program is that there is no such thing as a one-size-fits-all solution.  There is no law or regulation that specifies the exact steps a company needs to take in order achieve data security.  While there are some regulatory and industry recognized compliance programs – like health law requirements under HIPPA and the data security standards established by the Payment Card Industry – these provide compliance guidelines, not actual data security.  And these compliance guidelines themselves emphasize that each firm must establish security standards which meet the requirements of their business operations.

The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company.  Every company has different information requirements and standards as to the information it collects, how it retains and how it uses that information.  Consequently, data security can only be achieved by understanding what a particular firm does, not what is common or typical in an industry.

Assessment Defines Approach

Another factor is that while it is common to look at data security as a technical issue, technical compliance addresses only part of the goal; any review of data breaches will show that individuals – the human factor – are the most common source of insecurity.  This is not just due to the possibility of an employee clicking on the wrong website or responding to the wrong email; human error can start at the point that a data security plan, and its technical components, are contemplated.  Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the security challenges.

Continue reading

December is the month for predictions.  During this month, commentators of all sorts and in all areas predict the trends and actions that will impact us during the coming year.  While speculating the future is a questionable pursuit, we at the Cybersecurity Lawyer Forum would hate to be left out of the fun.   With that in mind, a few thoughts on what we might expect in the year to come.

National Cybersecurity Legislation

Legislation in the United States is less an exercise in establishing comprehensive systems than in reacting to events; much legislation tends to be anecdotal and designed to fit the day’s headlines.  Moreover, legislation is a curious process, and even with the Congress and White House held by the same party, legislation is hard to pass.

Cybersecurity legislation faces additional hurdles.  It is not always the highest priority for lawmakers, especially during a year when an entirely new administration must be established, and when the campaign promises of the last year did not include cybersecurity as a priority. Continue reading

3679571-business-peopleOne of the challenges – perhaps the biggest challenge – to achieving cybersecurity is complexity.  Every day we are faced with new threats as hackers display their creativity and new technologies and approaches to addressing those threats.  Governments, both U.S. and foreign, regularly propose laws and regulations better to protect us – and to confuse us.  And underlying all of it is technical language which seems designed to prevent us from understanding the challenge of cybersecurity.

It’s no wonder that one of the things our clients most often ask is where to start – what is one thing that they can do to start the process of becoming cybersecure.  And the fact is that there is one thing that will put you on the road to cyber security:  Creating a culture of security.

While many firms claim to have a “culture of security,” it’s unclear that they have made the commitment to engage every aspect of their operations, and every one of their personnel, in the goal of creating a cybersecure environment.  Cybersecurity requires a firm to create in each of its personnel a “human firewall.”

An enterprise-wide focus on security requires a focus on people, not on technology.  However important security technology may be – and we do not suggest that a company skimp on its technology budget! – most technological defenses can be overcome by individuals, whether through lack of training, negligence, or malice.  Consequently, bringing individuals into the cybersecure culture and making them stakeholders will have an immediate and measurable impact on cybersecurity efforts.

So, then, how is a cybersecure culture achieved?  A few essential steps are required: Continue reading

Digital Padlock on Circuit Background - Web Security Concept

Spring is the season for many things, including the publication of cybersecurity surveys. In the past few months, Verizon has published its Data Breach Investigations Reports, Ponemon Institute Published its 2016 Study on How Organizations Manage Data Breach Exposures, the California Attorney General published its annual California Data Breach Report, and a variety of others have published reports describing the state of cybersecurity and privacy, and the threats individuals and businesses face in online security. While the reports each contain important facts and focus on different aspects of cybersecurity, they also have some key lessons for enterprises that focus on risk reduction:

Continue reading

Businessman drawing a circle around people icons - Marketing and consumer target groups conceptIn Michael Gold’s commentary, “Still Only Human,” published in the July 18, 2016 edition of the Los Angeles Business Journal, he writes:

“Cybercrime cost the world economy about $500 billion in 2015 and this year’s numbers will be even higher. The cost of data breaches is projected to reach $2.1 trillion globally by 2019. Worldwide spending on information security is estimated to have been $77 billion last year. In the midst of these astounding numbers, the role of the “human factor” gets lost. This is a frightening fact.”

Large companies can spend a small fortune on cyber defense. But Gold points out that cybersecurity is not just a “tech” issue – it is a “human” issue, as well. One careless or uninformed employee can click on a link that gives hackers access to sensitive personal and financial data, as well as a company’s vital intellectual property.

Continue reading

Cursor Hand On Key Background Showing Blank Copy space Click Here

Cybercrime cost the world economy about $445 billion in 2014 and the 2015 numbers will be even higher. The cost of data breaches will reach $2.1 trillion globally by 2019. Worldwide spending on information security is estimated to reach $77 billion in 2015. In the midst of these astounding numbers, the role of the “human factor” has gotten lost. This is a frightening fact. Why? Because “they will click.” A breach is just one click away – a single person can and will overcome any technological safeguard. This is an unassailable reality, but one that gets mostly lip service by companies.
Continue reading