This article originally appeared in Cybersecurity Law & Strategy.
Cybersecurity is a hydra of complexity. Keeping a grasp on it requires constant re-education. What no one tells you: managing your company’s cyber vulnerability demands a willingness for personal vulnerability. Being honest about our cyber risks is painful. And scary.
“There is real fear there—and there should be fear,” said John deCraen, director of global cyber risk services at Alvarez & Marsal. “Fear is healthy. We should learn to understand what we’re facing and be honest with ourselves on how we’re doing with those risks.”
No surprise here: cybersecurity was a prominent topic at Relativity Fest 2017, where 2,000 legal professionals met in Chicago to swap ideas about the legal tech industry.
Managing e-Discovery’s Inherent Risks
There’s no getting around it: e-discovery can be risky for law firms and providers, as well as for the clients whose data gets ingested.
In his conference session, deCraen gave attendees a guided tour of provider vulnerabilities along each stage of the EDRM and how to address them. For starters, when providers import clients’ data, there’s a chance that the data is infected and can poison the provider’s own systems.
Smart organizations assume they’re importing “dirty data” and plan accordingly.
“If you’re already spending the energy using something like a FIPS (Federal Information Processing Standard)-compliant FTP, then you’re way ahead of the competition,” deCraen said.
And from the client’s perspective, entrusting your company’s data to an outside custodian is risky in another way: sometimes the story begins with a big oops.
“A company came to us for help when a high-level financial manager lost an unencrypted laptop,” said Brian Blush, a director in KPMG’s forensic technology practice. “They were worried about what kind of data and personally identifiable information had possibly gotten out into the world.”
We’re human. Oops situations happen—so in addition to planning for bad actors, let’s also build in strategies for handling them.
Here are more top takeaways from cyber experts at Relativity Fest 2017.
1. One of the biggest cybersecurity hurdles isn’t technical—it’s human.
“The number one driver in most cybersecurity breaches is ineffective leadership and board culture,” deCraen said. “I find this in every organization I assess, without fail. They don’t have the budget they need; they’re woefully understaffed; they don’t have the tools or activities in place they should have.”
Even if you’ve named a diligent chief information security officer who’s on top of what your company needs, she can’t be effective without the appropriate budget, staff, and executive sponsorship when business verticals push back on cyber requirements.
The result is bare minimum compliance.
Another danger? Thinking you’re immune to a breach because of your company’s location, industry, or revenue level (or any other factor).
“Hubris is a killer,” deCraen said. “It will absolutely lead to a breach, one way or another.”
2. Reset your impression of today’s hacker.
No longer fear the lone actor in his mom’s basement, hacking just to see how far he can get. Today it’s a whole new game. There are real organizations offering real rewards for cyber attacks.
“Keep asking, ‘What am I not aware of that I could or should be? Why am I not aware of it?’” said deCraen. “Think progressively. Your enemies are.”
A healthy cyber program should pull in a diversity of expert perspectives and include nearly 100 different activities, according to deCraen. To toss out a handful:
- Asset management and classification: catalogue your hardware, software, and data
- Data encryption: encode data at rest and in transit
- Data loss protection: prevent end users from sending sensitive information outside your network
- Indicator of compromise (“IOC”) hunting: patrol your network and operating systems for signs of an intruder
- Identity access management: perform regular entitlement reviews to ensure only the necessary people can access data; require two-factor authentication for all resource access (more on this later)
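To make the IOC-hunting item concrete, here is an added example (not from the article or any speaker) of the simplest form of that activity: sweeping log lines for known indicators and ranking hosts for triage. The indicator sets and the log lines are constructed (TEST-NET addresses, .example domains, a placeholder hash); in practice the indicators come from a threat feed or an incident report.

```python
"""Indicator-of-compromise (IOC) sweep over log lines.

Added example, not from the article. Indicators and log lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator sets (TEST-NET ranges, .example domains, a placeholder hash).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.example", "cdn-mirror.example"}
IOC_SHA256 = {"0" * 64}  # placeholder, not a real sample hash

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST = re.compile(r"\bhost=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    kind: str
    indicator: str


def sweep(lines):
    """Return one Hit per (line, indicator) where a known IOC appears."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST.search(line)
        host = m.group(1) if m else "?"
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, host, "ip", ip))
        for dom in DOMAIN.findall(line):
            if dom.lower() in IOC_DOMAINS:
                hits.append(Hit(n, host, "domain", dom.lower()))
        for h in SHA256.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append(Hit(n, host, "hash", h.lower()))
    return hits


def hosts_to_triage(hits):
    """Hosts ranked by number of IOC matches, most suspicious first."""
    return Counter(h.host for h in hits).most_common()


# Constructed log lines in a made-up "timestamp host=... source message" layout.
SAMPLE_LOGS = [
    "2017-10-24T09:12:03Z host=ws-114 proxy CONNECT update-check.example:443 user=alice",
    "2017-10-24T09:12:09Z host=ws-114 fw ALLOW tcp 10.0.4.17:51234 -> 203.0.113.45:443",
    "2017-10-24T09:15:41Z host=srv-db2 sshd Accepted publickey for svc_backup from 10.0.1.9",
    "2017-10-24T09:20:00Z host=ws-207 edr new_process sha256=" + "0" * 64
    + r" path=C:\Users\bob\AppData\Local\Temp\svchost.exe",
    "2017-10-24T09:21:17Z host=ws-207 proxy GET intranet.corp.example/ user=bob",
]

if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.host} matched {hit.kind} {hit.indicator}")
    print("triage order:", hosts_to_triage(found))
```

Exact-match sweeps like this are the floor, not the ceiling: they only find what you already know to look for, which is why the list above pairs IOC hunting with asset management (you cannot sweep hosts you have not catalogued) and identity reviews.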
3. Compliance is not security.
“In every single incident I’ve responded to, the companies have been compliant with regulatory frameworks,” deCraen said. “If you line up these frameworks left to right, you’d be surprised at the huge gaps in required activities. That’s because when the regulations are written, they’re aiming to deal with a single problem at a time.”
Plus, in e-discovery, there aren’t specific regulations for companies that handle third-party data. Without that guidance, it’s up to you to decide to create a program that protects your clients.
Think security first and compliance will follow.
4. Two-factor authentication is non-negotiable.
With the proper intent, any hacker worth his salt can have your password in three seconds. A strong password is no longer enough. Whether we’re talking on-premises or in the cloud, two-factor authentication is a must.
“Two-factor authentication requires something you know—like a username and password—paired with something you have—like a token sent via email,” said Amanda MacAllister, infrastructure engineer at Relativity. “This is a great example of ‘defense in depth,’ the new industry standard for security. By implementing two layers of defense instead of one, an attacker must compromise both your credentials and your emails to access the system.”
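The following is an added example (not code from the article or from Relativity) of what "something you know plus something you have" looks like in a login check. It uses a time-based one-time code (TOTP, RFC 6238) as the second factor rather than the emailed token in the quote; the user record, password, and timestamps are constructed. Two details a practitioner should want are included: the code comparison is constant-time, and an accepted code is never accepted again, so a code captured from a user cannot be replayed within its validity window.

```python
"""Two-factor login: password (something you know) plus TOTP (something you have).

Added example, not from the article. User record and password are constructed.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def match_totp(key: bytes, code: str, at=None, step: int = 30, window: int = 1):
    """Return the counter whose code matches, allowing +/- `window` steps of clock
    drift, or None. The comparison is constant-time."""
    at = time.time() if at is None else at
    base = int(at // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + drift), code):
            return base + drift
    return None


def enroll(password: str) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus a fresh TOTP key."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_key": secrets.token_bytes(20),
        "last_counter": -1,  # highest counter already accepted, to block replay
    }


def login(user: dict, password: str, code: str, at=None) -> bool:
    """Both factors must pass; a failure does not say which one was wrong."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    counter = match_totp(user["totp_key"], code, at)
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter  # an accepted code can never be reused
    return True


if __name__ == "__main__":
    # Constructed enrolment and a fixed timestamp so the run is reproducible.
    alice = enroll("correct horse battery staple")
    now = 1_500_000_000
    code = totp(alice["totp_key"], at=now)
    print("password + fresh code:", login(alice, "correct horse battery staple", code, at=now))
    print("same code replayed:   ", login(alice, "correct horse battery staple", code, at=now))
```

The password hash and the TOTP key are checked independently, which is the point of the "defense in depth" remark above: stealing the password database does not yield the one-time codes, and capturing one code does not yield the password.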
5. Double down on securing systems that touch the internet—yours and others’.
The connectivity the internet offers can be a blessing and a curse. Do real due diligence before engaging third-party cloud vendors: dig into how they plan to safeguard your data.
“There are several key things you’ll want to ask about,” said Andrew Watts, vice president of information technology at Relativity. “Are they following NIST standards? Do they require background checks and security training for all employees? What measures are they taking to create a physically secure environment? Are they using multifactor authentication and rotating certificates, keys, and passwords? Do they staff a round-the-clock security team, perform regular penetration tests? Can they discuss their business continuity and disaster recovery plans?”
Another tip for your own systems:
“Create a demilitarized zone between the internet and your internal environment,” said Matt Spurr, senior lead security engineer at Relativity. “By having your external web server separated from your internal environment, an attacker would have to breach two devices to enter your network instead of one.”
6. In the event of a breach, leverage your existing e-discovery tools to assess damage and respond quickly.
Back to the earlier oops case study: KPMG’s client needed help to figure out whose sensitive data they may have lost and notify them within days or risk massive fines.
KPMG put a global e-discovery team on it and used their in-house e-discovery tools to move swiftly.
“Once we pulled down a backup copy of the laptop’s data from the cloud, we used a combination of Regular Expressions and keyword search to seek out potentially sensitive data in the set and prioritize it for review,” said KPMG’s Daniel Smith.
That alone was a lifesaver. KPMG took it a few steps further.
“We used a Q&A log to capture any questions reviewers had along the way, so we could relay them to the client,” Smith said. “We also built an overlaid application we called a ‘biography tracker.’ It allowed reviewers to log information they found by individual to give a personalized view of the depth of what was compromised.”
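As an added illustration of the regex-and-keyword triage Smith describes (this is example code, not KPMG's tooling), the block below scans recovered documents for common identifier patterns, validates candidate card numbers with the Luhn checksum so that arbitrary 16-digit reference numbers are not flagged, and ranks documents so reviewers start where the exposure is largest. The documents, patterns, and review weights are all constructed; a real engagement would tune them to the client's data and jurisdiction.

```python
"""Regex-and-keyword triage for sensitive data in recovered documents.

Added example, not KPMG's tooling. Documents, patterns, and weights are constructed.
"""
import re

PATTERNS = {
    # US SSN layout, excluding the structurally impossible groups
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 13-19 digits with optional single spaces or dashes; validated with Luhn below
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
KEYWORDS = ("date of birth", "dob", "passport", "salary", "account number")
KEYWORD = re.compile(r"\b(?:%s)\b" % "|".join(re.escape(k) for k in KEYWORDS), re.I)
# Constructed review weights: a confirmed identifier outranks a suggestive word.
WEIGHTS = {"ssn": 10, "card": 8, "email": 1, "keyword": 2}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; drops long digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters, so the review log does not re-spread the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(doc_id: str, text: str) -> dict:
    """Find candidate identifiers and keywords in one document and score it."""
    found = {}
    for kind, pat in PATTERNS.items():
        values = [m.group(0) for m in pat.finditer(text)]
        if kind == "card":
            values = [v for v in values if luhn_ok(v)]
        found[kind] = values
    found["keyword"] = [m.group(0).lower() for m in KEYWORD.finditer(text)]
    score = sum(WEIGHTS[k] * len(v) for k, v in found.items())
    return {"doc_id": doc_id, "score": score, "found": found}


def prioritize(docs: dict) -> list:
    """Highest-risk documents first; ties keep input order."""
    return sorted((scan(d, t) for d, t in docs.items()), key=lambda r: -r["score"])


# Constructed documents standing in for text extracted from a recovered backup.
SAMPLE_DOCS = {
    "laptop/Finance/payroll_q3.xlsx.txt": (
        "Employee roster. Alice Example, DOB 1981-04-02, SSN 123-45-6789, "
        "salary 88,000. Contact alice@corp.example"
    ),
    "laptop/Travel/expense_notes.txt": (
        "Hotel paid with corporate card 4111 1111 1111 1111, confirmation 1234567812345678."
    ),
    "laptop/Projects/roadmap.txt": (
        "Q4 roadmap: migrate review platform, renew certificates, schedule pentest."
    ),
}

if __name__ == "__main__":
    for result in prioritize(SAMPLE_DOCS):
        hits = {k: [mask(v) for v in vs] for k, vs in result["found"].items() if vs}
        print(f"{result['score']:>3}  {result['doc_id']}  {hits}")
```

The score is only a review order, not a determination: the "biography tracker" step Smith describes is where a human confirms which identifiers belong to which person, and the masked log keeps that hand-off from becoming a second copy of the very data being assessed.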
The reality is this: there have been more than nine billion data records lost or stolen since 2013.
“Modern enterprises are coming to accept that 100 percent cybersecurity is an impossibility,” said Judy Selby, an insurance and strategic cyber risk consultant. “Rather, it's about understanding and managing your cyber risks.”
While you’re not personally expected to be a cybersecurity expert, you are obligated to find the resources and expertise you need to secure your own and your clients’ data.
Shortchanging cybersecurity in your organization is like splurging on a meal at a high-end restaurant but not reserving enough budget to tip your waiter. If you can’t allocate the resources to do it right, do you have any business being there in the first place?