Many seminars dealing with cybersecurity start with the statement: there are two types of entities, those which have been hacked and those which will be hacked. Such a statement strikes fear into the listener and sometimes leads to paralysis pursuant to which nothing is done to protect the files of customers and clients. There are rational ways to deal with cybersecurity issues, however, which, as they become more prevalent, will become less expensive and just another cost of doing business.
First, as with most situations, there should be a risk assessment. This is basically a four -step process. First, determine what materials need to be protected. Second, determine where the material is located. Third, identify who needs to have access to it. Fourth, evaluate the efficiency of existing restrictions on access and security programs. The first and fourth are matters for Information Technology experts. The second and third matters for entity management. As with all security exercises, the objective should be maximum security and minimum obstruction of operations.
Personally identifiable information and medical records of customers, clients, and entity personnel are the most sensitive information which needs to be protected since a breach may immediately result in legal liability. Other sensitive information would be trade secrets and for lawyers, material subject to the lawyer-client privilege.
Limiting access to who needs to know is a classic security technique which cuts down on the problem of identifying risk. For example, business records of an entity can be restricted to the business managers and their staff. Of course, directors or other executives with a legal right to view such information can be given access, if the same need to know test is applied. Other access limitations can be passwords and the more sophisticated retina or facial scans. Access is the principal part of a security plan which by its nature needs to evolve with both threats to and usage of secured materials.
Checking security plans must be a continuing exercise. Because it is of great importance, it should be assigned specifically to someone as his or her responsibility. That person does not have to be designated Chief Information Security Officer, however, the job should be taken sufficiently seriously to warrant the title. Further, results of checking the existing security plan should be reduced to writing since all aspects of the plan should be integrated into one unambiguous document. It can then be continuously reviewed and updated to address the evolving nature of threats and tools to combat them.
As a part of checking existing security programs, management should check provisions to minimize financial loss in the event of a breach. This means checking current insurance policies to address cybersecurity risks. It also means checking the cost and effectiveness of third parties enlisted to assist in the cybersecurity effort.
Verification is also a part of the process. This means verifying the plan is viable and the procedures and security equipment are still effective. Verification should not be on a schedule but should be random to avoid hackers being able to chart tests. Some entities retain ethical hackers to try to invade the security system. In assessing the risk, this may or may not be important. Installation of end-point detection on computers makes it now possible to identify threats and where they originated. It should be part of the duties of an outside security firm to constantly monitor the system, which is well within current capabilities. Another excellent addition to the security plan is periodically checking with authorized users, in order to verify that access to their computers was by an approved person. Training is another element of verification. All users should know how to recognize when they are being hacked or have been hacked.
Reporting a hacking incident is a legal requirement in many states. For example, in New York, insurers must report unsuccessful attempts to penetrate a system as well as successful ones. It is possible, as seen in the recent Capital One case, to have the ability not only to report an incident but also to see who made the penetration. This may become a requirement of incident response in the future.
Part of a security plan must be an incident response. It should have at least three elements. First, a way to contain and block unauthorized access and damage to software and hardware should be a priority. Second, preservation of any evidence for an investigation should follow. Third, an instant response should also address reducing recovery time and minimizing costs. Keeping incident response current, like the other parts of a security plan, should be an ongoing effort.
As indicated above, the reporting part of a cybersecurity plan is already a legal duty for some business entities. Lawyers already have specific requirements in the Rules of Professional Conduct to stop a breach, mitigate the damage, and notify clients if there is a loss of personal information or if it affects the lawyer’s ability to represent a client. How reporting is done in a rapid and cost-effective manner is a vital part of any cybersecurity plan.
In conclusion, if a cybersecurity plan is broken down into its elements, cybersecurity becomes just another part of doing business. Its cost becomes just another operational expense which must be addressed and included in pricing the product of the business in the computer age.