What are the common gateways to cyberattacks? What are the risks associated with the Internet of Things (IoT)? What steps can an organization take to address personal cloud applications and other digital age threats?
These were just a few of the key questions that a panel of legal technology experts considered during the Relativity Fest 2016 session entitled The New IG Playbook for Addressing Threats from Personal Clouds, Cyber Attacks, and the IoT. Joining me for the discussion were Judy Selby, managing director of technology advisory services for BDO Consulting; Darin Sands, who chairs the Privacy and Data Security and eDiscovery Practice Groups at Lane Powell PC; and Donald Billings, manager of litigation and practice support at Sidley Austin.
In response to these and other key questions, the speakers provided practical guidance, much of which is reflected in the New Information Governance Playbook for Addressing Digital Age Threats, published by the Coalition of Technology Resources for Lawyers (CTRL). The following are three lessons from the session.
Lesson #1: Information security should be a collaborative discipline.
Through the lens of a hypothetical company, the panel addressed the growing need for organizations to strengthen their security measures as part of their overall information governance (IG) plan. The consensus was that businesses, regardless of the nature of their enterprise, should explore holistic strategies for securing their corporate network and proprietary information.
Information security should not be isolated within the legal or information technology departments. Instead, security professionals, business units, and company executives should be jointly involved to ensure that a culture of security is established in the business. IT experts must be in place to manage the technical side of security and in-house counsel should offer guidance on the regulatory and legal implications of strong (or weak) information security. Beyond these traditional IG stakeholders, key business leaders should also be involved to ensure security measures adequately address the needs of their respective business units and teams. Once this collaborative process is established, a company can then move forward with developing appropriate security measures.
“Information security is not just an IT problem. The collaboration needs to go beyond IT and legal teams to holistically address cybersecurity.” – Judy Selby, managing director of technology advisory services, BDO
Lesson #2: Address IoT-related cyber risks.
Those security measures are particularly important given the increasing prevalence of cyberattacks. With more data, devices, and technological developments, there are any number of gateways that cyber criminals and malicious insiders can exploit. Those gateways range from email and smartphones to the IoT and external messaging and collaboration tools.
Among these, the IoT presents particularly acute cyber risks to organizations. That IoT threats have moved beyond the realm of science fiction is evidenced by the massive distributed denial-of-service attacks this fall, which were launched not against but from hundreds of thousands of compromised security cameras and digital video recorders. That botnet (since identified as Mirai) knocked the website of US security researcher Brian Krebs offline and flooded French web hosting provider OVH with record volumes of junk traffic.
IoT deployments aggregate data from heterogeneous devices and networks into central repositories for analysis, which makes those repositories high-value targets. Corporate teams should therefore build strong security measures into them rather than relying on the devices themselves. Done well, the IoT can pay off significantly: businesses currently generate more than $613 billion of profits annually from IoT devices.
“A big IoT risk is that you can take down an entire enterprise network with one breach.” – Don Billings, manager of litigation and practice support, Sidley Austin
Lesson #3: Don’t underestimate the risks of personal cloud applications.
Cloud applications are becoming increasingly common in the business world. This is particularly the case with consumer-grade clouds, which have proliferated in the workplace given their storage, software, and collaboration capabilities. Employees, however, frequently use cloud applications either in the absence of a specific policy or in violation of one. While shadow cloud use can certainly cause mischief, organizations that have designed a “bring your own cloud” (BYOC) policy may be begging for trouble.
The panel unanimously agreed that BYOC policies are difficult to audit and enforce. Even when company-sanctioned personal cloud applications are used, organizations may be unable to monitor what data employees are storing in these applications. Equally troubling, organizations may not even know what data has been removed. All of this can leave a gaping hole in the company’s security plan.
“With BYOC policies, you don’t have control over data when employees leave.” – Darin Sands, shareholder and chair of the Privacy and Data Security and eDiscovery Practice Groups, Lane Powell PC
Bonus Tips: Guidelines from CTRL’s New IG Playbook
With digital age threats increasing faster than ever before, how can organizations keep their information security policies and procedures current? The panel touched on several important practices that organizations should consider. A few of those practices, which are detailed in the New Information Governance Playbook for Addressing Digital Age Threats, recommend as follows:
- Save time during a crisis with proper data mapping. It is important for enterprises to understand what data they generate, receive, and store. A current and accurate data map is essential after a breach or attack for an effective incident response. This practice can also enable companies to assert greater control over proprietary data and help them move toward developing reasonable information retention goals.
- Mitigate damage from an attack by proactively building a defensive plan. It is essential that organizations prepare for cyberattacks. The organization should consider retaining a consultant to assess security vulnerabilities before an attack. In addition, outside counsel and other experts should be engaged to help develop an incident response plan. This can mitigate resulting harm and provide the organization with a voice for addressing any issues.
- Develop an IoT security plan. Organizations can prepare for the 6.4 billion IoT devices projected to be connected by the end of 2016 by creating concept of operations (CONOPS) documentation. This flexible governance tool should provide IoT stakeholders with a roadmap for installation, integration, and ongoing auditing of connected devices.
- Strengthen everyday security by carefully managing employee use of clouds and devices. No matter what policies have been implemented, it is essential that enterprises undertake an employee education program regarding the use of personal clouds, smartphones, and other devices. Audit, enforcement, and verification measures must then be deployed to ensure that proprietary data is not removed from the corporate network, particularly upon termination of an employee.
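The last tip above, and Lesson #3 before it, both turn on the same practical problem: verifying that proprietary data is not leaving through personal clouds. The following is an added example, not code from the panel or from CTRL's playbook, of one audit measure a security team could run over its web proxy logs. The log format, the sample log lines, the list of personal cloud domains, the sanctioned corporate domain, and the departing-employee watchlist are all constructed for the example; a real deployment would read the proxy's actual log format and pull the watchlist from HR's offboarding process.

```python
"""
Flag uploads to unsanctioned personal cloud services in web proxy logs.

Constructed example: the log format, sample lines, domain lists and the
departing-employee watchlist are assumptions, not a real environment.
"""
import re
from collections import defaultdict

# Assumed: the one cloud storage service the company sanctions.
SANCTIONED_DOMAINS = {"corp-share.example.com"}

# Assumed: consumer-grade cloud services employees are known to use.
PERSONAL_CLOUD_DOMAINS = {
    "dropbox.com", "drive.google.com", "onedrive.live.com", "box.com", "icloud.com",
}

# Assumed: users who have given notice; any upload by them is worth a look
# because the company loses control of that data once they leave.
DEPARTING_USERS = {"bwong"}

# Constructed proxy log format: timestamp user method host bytes_sent
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)

# Constructed sample log: one large Dropbox upload, one small Google Drive
# upload, a sanctioned transfer, two uploads by a departing user, noise.
SAMPLE_LOG = """\
2016-10-12T09:14:02Z jdoe POST upload.dropbox.com 52428800
2016-10-12T09:15:10Z jdoe GET www.dropbox.com 2048
2016-10-12T09:20:33Z asmith PUT corp-share.example.com 73400320
2016-10-12T09:22:41Z asmith POST drive.google.com 734003
2016-10-12T09:30:05Z bwong POST api.box.com 5242880
2016-10-12T09:31:17Z bwong POST api.box.com 10485760
2016-10-12T09:40:00Z jdoe POST mail.example.com 1024
this line is malformed and must be skipped, not crash the audit
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def domain_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_shadow_uploads(lines, threshold_bytes=1_000_000, departing=DEPARTING_USERS):
    """
    Walk proxy log lines and report uploads to unsanctioned personal clouds.

    Returns (totals, events): totals maps user -> bytes sent to personal
    clouds; events lists individual uploads that exceed threshold_bytes or
    were made by a departing user, with the reason(s) attached.
    """
    totals = defaultdict(int)
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue  # malformed, or not an upload
        host = rec["host"]
        if domain_matches(host, SANCTIONED_DOMAINS):
            continue  # company-approved destination
        if not domain_matches(host, PERSONAL_CLOUD_DOMAINS):
            continue  # not a personal cloud service
        totals[rec["user"]] += rec["bytes"]
        reasons = []
        if rec["user"] in departing:
            reasons.append("departing_user")
        if rec["bytes"] >= threshold_bytes:
            reasons.append("large_upload")
        if reasons:
            events.append({"ts": rec["ts"], "user": rec["user"], "host": host,
                           "bytes": rec["bytes"], "reasons": reasons})
    return dict(totals), events


if __name__ == "__main__":
    totals, events = find_shadow_uploads(SAMPLE_LOG.splitlines())
    for user, total in sorted(totals.items()):
        print(f"{user}: {total} bytes to personal clouds")
    for ev in events:
        print(f"ALERT {ev['ts']} {ev['user']} -> {ev['host']} "
              f"{ev['bytes']} bytes ({', '.join(ev['reasons'])})")
```

The byte threshold is deliberately crude; its purpose is to separate a large outbound transfer from routine page loads, and the GET to www.dropbox.com is ignored precisely because browsing a service is not the same as uploading to it. The departing-user check is the part most worth keeping regardless of threshold, since the panel's point was that control of the data is lost at the moment the employee leaves.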
Philip Favro brings more than 15 years of experience to his position as a discovery and information governance consultant for Driven, Inc. Phil is a thought leader and a legal scholar on issues relating to the discovery process, the confluence of litigation and technology, and information governance. Phil also serves as the director of legal education for the Coalition of Technology Resources for Lawyers (CTRL) where he directs CTRL’s thought leadership efforts.