Cyber law attorney Doug Meal shares the 5 most common pre-breach cybersecurity mistakes companies make and how to avoid them.
How can your organization protect itself from legal exposure in the event of a Cybersecurity Breach?
In Atlanta last week, the Cyber Education Foundation hosted the Symposium on Cyber Culture and Team Building. Cybersecurity is about culture, team-building, and eliminating the silos. This full-day workshop helped prepare executives for what is already viewed as inevitable: a significant cybersecurity event.
The Cyber Education Foundation founder and Idenhaus Board Member Michael Daugherty invited Cyber Law attorney Doug Meal to speak at the event. Doug, who recently joined Orrick Herrington & Sutcliffe LLP, is an established leader in the field of Cyber Law. He has handled the legal proceedings from several of the world’s largest breaches, including Sony and The Home Depot. Based on his experiences, Doug presented the legal exposure that affects companies when they incur a significant cybersecurity event and he provided practical tips on how to address cybersecurity event, both before, and after, the fact.
Before we dive into Doug’s material, let’s take a moment to think about what’s going on in the industry. Gartner estimates that $14,000,000,000 was spent on security in 2018 and this number is increasing. Yet, 66% of companies are still breached, and worse, get breached an average of five times or more. You hear about it every day. So, what has changed? Well, 90% of companies are using the cloud and 81% have adopted DevOps. Organizations are storing more data than ever before but they no longer using a single server to protect resources. Today, that server has been replaced with tens or even hundreds of microservices or containers. The number of things businesses have to protect has grown exponentially, which has expanded attack surfaces for hackers. The problem is pervasive, and the criminals are incredibly successful in the attacks they generate.
What should organizations do to protect themselves from the problem and the exposure that comes with a significant cybersecurity event? Although perfect security doesn’t exist, there are common mistakes companies make time and time again. Doug has seen these mishaps occur both pre-breach and post-breach. In this article, we will highlight common pre-breach mistakes. Part 2 of this series will highlight legal exposure associated with common post-breach mistakes. (Subscribe here.)
Here are the 5 most common pre-breach cybersecurity mistakes companies make prior to a significant cybersecurity event.
1. Pre-Breach Mistake: Insufficient information security independence
Most large organizations have their information security function either embedded within or reporting up to the IT function. Doug emphasizes that this is a suboptimal structure that should receive more consideration. Here’s why: IT’s job is production and anything that interferes with production is a problem. In many organizations, Information security (IS) is at odds with IT because InfoSec projects aren’t aligned with IT goals and may even work to slow down IT production.
“Information security is sometimes at odds with IT’s goal because many things that IS wants to do may slow down IT. The risk is that the calls will get made in favor of IT and against IS.”
– Doug Meal
2. Pre-Breach Mistake: Poor use of outside assessors
Organizations often use an outside assessor to help them think about and improve information security, which is generally a good idea. In Doug’s experience, he sees three things that happen.
First, the type of assessment that’s selected isn’t the right assessment for the problem, meaning that the organization hasn’t fully considered its security exposure and what really needs to be assessed.
Second, the assessment results are presented and they aren’t acted upon; nothing happens internally as a result of the assessment. This is a significantly larger problem than the wrong type of assessment being performed. When there is a cybersecurity event, the very first request from regulators and lawyers is: “Please provide us with a copy of each and every outside security assessment you had performed from day one to the date of the event.” If your organization had assessments that revealed multiple issues and suggestions to improve your security posture and you did nothing to address the findings, that creates a very problematic situation.
“In half the cases we work, the regulator is building his or her case off of some pre-breach, outside assessment that was done and wasn’t acted upon by the company.”
– Doug Meal
Finally, the third issue that comes up is not doing assessments under attorney-client privilege. Organizations should strongly consider having the outside assessment done this way. If the assessment is performed under attorney-client privilege, it’s not a document that has to be turned over to regulators or lawyers. Otherwise, you’re just handing your adversary a blueprint to bring a case against you. This is an opportunity that company after company misses. It’s not hard to do and it can save your organization when an event occurs.
3. Pre-Breach Mistake: Touting your information security
Liability doesn’t just come from what an organization did or didn’t do; it also comes from what an organization said about its information security posture.
“We see this time and again that what hangs somebody up, is a claim that’s based not on alleged bad security, but on alleged deceptive statements about security.”
– Doug Meal
Where this comes up frequently is in things like privacy policies that people have on their website where they say things about what they’re doing from an information security perspective. They make things that are close to being promises to consumers about what they’ll do in terms of protecting the information they collect from consumers.
4. Pre-Breach Mistake: Bad incident response planning
The problem isn’t that organizations don’t have an incident response plan, it’s that they have a poor plan.
First, these incident response plans are way too complicated. They try to anticipate every possible scenario and then create an elaborate flow chart. When an event actually hits, the plan is way too cumbersome so the team doesn’t follow the response plan. This is not good from a regulatory perspective. Request number two is going to be, “Show me your incident response plan and document for me how you followed the plan when this event occurred.” If you have a plan that is that rigid and too detailed, it works against you.
“The right kind of plan is a plan that is focused not on the detail of the process, but more on identifying the people who were going to run the process and then giving them the discretion to tailor the process to the particular event in a way that makes sense.”
– Doug Meal
You can have a great incident response plan that is three or four pages long; very, very simple. Get the right people in place and then trust them to make the right decisions in the context of the particular event.
5. Pre-Breach Mistake: Bad insurance planning
The issue these days isn’t that cyber insurance isn’t being bought; it’s that the wrong cyber insurance is being bought. The core problem is that there is a mismatch between the insurance purchased and the actual risks that the company is insuring against. We see this over and over again in wholly different contexts where there’s just a bad match between the policy that was bought and the risk that actually is incurred when the event occurs.
“I would say easily a half the cases we work—and we’re working for major, major American companies—there’s somebody very, very unhappy at the client about the extent to which their cyber policy actually responds to the event and they’re very surprised that it’s not responding in the way they thought it would respond.”
– Doug Meal
As organizations mature their Cybersecurity capabilities, the importance of managing legal risks by structuring their planning for and response to a breach is of paramount importance. None of the insights shared here are difficult to implement, yet too many organizations are unaware of the legal risks they expose themselves to by not being thoughtful in how they structure their assessments, policies, and communications. Actively engaging legal counsel for assessments and incident response teams provides another level of protection from regulators and class action lawsuits. Simplifying incident response plans and streamlining policies and communications, offer a straightforward approach to mitigating a substantial amount of your legal risk.
Read part 2: Reducing Your Legal Exposure After a Cybersecurity Incident
An IAM Assessment is a quick, expert evaluation of your environment that identifies and addresses the most common issues organizations face when implementing a solution.
This is ideal for organizations that:
- Are struggling to get their IAM solutions deployed
- Have a misalignment between their processes and technology
- Have an immature IAM solution with too many workarounds
- Companies that want to accelerate their IAM programs
Click here to learn more about the IAM Assessment.
Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us
