TAG Cyber Law Journal

October 2018
The ABA offers information designed to protect companies (and law firms) from the ever-shifting onslaught.
By David Hechler
SINCE JUNE the American Bar Association has been holding a series of monthly webinars it calls “Cybersecurity Wake-Up Call: The Business You Save May Be Your Own.” The fifth and final installment will be held on Wednesday, October 17.
     What are they like? Each takes on a different aspect of this complex and fast-changing subject. I took in the August offering, which was called “While You Were Sleeping: Ever-Changing Cybersecurity Threats and What You Need to Know Now.” It presented a good overview of the current landscape.
     It’s hard to believe that there are lawyers in the United States who are unfamiliar with this subject. But if some of them have been sleeping (as the webinar’s title suggests), this would be a good place to visit to start catching up. In fact, the material would help any lawyer review, reflect and prepare for the challenges ahead.
     There was nothing slick or fancy about the webinar. There were times when the delivery was a little unpolished. But it packed a lot of good information. One of its strengths was that, though it aimed to cover the gamut, it didn’t assume that everyone in the audience was an expert who read about cybersecurity every day and knew all the jargon.

Surveying the Landscape
Its greatest strength was the panel of experts who covered the content. Not only did they know the subject, they knew how to talk about it in a way that made it accessible to almost anyone.
     For example, Scott Charney introduced the topic by talking about the changes he’s seen in his doctor’s office. Record keeping used to involve pens and paper. As technology progressed, assistants input the doctor’s notes into computers, where they were stored. Now, of course, the whole process is electronic. This is great, said Charney, a vice president for security policy at Microsoft, unless it crashes or is stolen—which leaves doctors wishing they had their handwritten notes back.
     The panel next discussed the threat landscape companies are confronting. Robert Litt, of counsel at Morrison & Foerster and former general counsel for the Office of the Director of National Intelligence (DNI), noted that for the past decade or so cybersecurity has been high on DNI’s annual list of worldwide threat assessments.
     The countries that have been identified most prominently for high-profile attacks are, he said, North Korea for the Sony and WannaCry attacks; Russia for its interference in the 2016 U.S. presidential election; China for its theft of records from the U.S. Office of Personnel Management; and Iran for unleashing distributed denial of service (DDoS) attacks on U.S. banks.

Reflecting on Vulnerabilities
But it isn’t only the very big players who find the internet an attractive place to stage operations. “The internet is a terrific place to commit crimes,” said Charney. It’s a global community with a lot of rich people. You can attack anyone anywhere, and the odds of anyone identifying you and bringing you to justice are very small. Motives range from a desire to embarrass to a need for cash to a thirst for corporate trade secrets or military intelligence, Charney noted.
     Litt talked about the internet of things and the gaping vulnerabilities of many devices. There are now 20 billion consumer-connected devices, he said. Not only are there few available protections to secure them, they can be weaponized by hackers who have the ability to turn them into botnets for additional attacks. He suggested a simple defense that companies ought to consider. If a device like a refrigerator or a coffee machine is vulnerable to attack, perhaps the best solution is not to connect it to the internet in the first place.
     Paul Rosenzweig talked about the propensity of lawyers to bring their own devices to work. It’s a particularly large problem at law firms, said Rosenzweig, founding principal at Red Branch Consulting and a former deputy assistant director for policy at the Department of Homeland Security. Firms often allow it, yet, he noted, “your network is only as secure as the least secure device that’s part of it.”
     The webinar’s moderator, Lucy Thomson, took the panelists through a number of other vulnerabilities that companies face. A founding principal at Livingston and a member of the ABA Cybersecurity Legal Task Force, she turned next to the question of what lawyers can do to help protect their companies.

Managing Risks
The panel focused first on large organizations. The advice for them was to adopt a comprehensive risk management program and implement it. The focus of such an effort should be on protection, detection and response, Charney explained.
     At one time companies typically devoted 90 percent of their resources in this area to protection and 10 percent to response, he said. But the growing realization that over time “everyone is subject to a successful attack” has led companies to shift resources toward detection.
     When a breach is detected, he continued, responses must be comprehensive. It’s not just an IT matter. A company must decide whether to notify regulators and contact law enforcement. If customer data has been compromised, it must consider public announcements and possibly a public relations campaign.
     These days, there’s another risk in failing to have a risk management program in place. It can be used against a company in court, Rosenzweig pointed out. Plenty of information is now available to help companies assess and reduce their risks, he said, and failing to tap into it can be viewed as akin to malpractice.
     Smaller companies may not have the resources to do all the things that larger companies can, but there’s still plenty they can do. Using cloud services can amount to an upgrade in security, Charney said, because cloud providers are likely to be much stronger in this area than a small law firm or business is. Companies should also ensure that they are receiving automatic software updates, which often patch security vulnerabilities, and that they require consumers to sign into accounts using multifactor authentication, which is harder for hackers to crack.
     Litt summed up the key takeaway on security. Reasonable security requires a process, he said. And someone with authority needs to have responsibility for that process.

What About Training?
During the question and answer period at the end of the presentation, Ruth Hill Bro, the ABA Cybersecurity Legal Task Force co-chair, asked the panel what a good training program looks like for law firms, companies and government agencies.
     Rosenzweig answered first. “Good training for security is like good training for anything,” he began. But in this area, he said, it’s not usually very effective. Why not? “Most companies fail because they do an onboarding exercise and then they have a periodic refresher once a year. And the answers to the questions are obvious. In between, nobody pays too much attention.”
     He recommended a solution: outsourcing training to a company that does it professionally and continuously. There are many that charge moderate prices and can tailor their offerings to a company’s or a law firm’s needs, he said.
     Charney issued a warning: “It’s important that everyone be subject to the training.” Sometimes executives skip it, he noted, “even though the phishing attack might go to the executive.” Alternatively, sometimes only the company’s most important employees receive the training and the administrative assistant, who has access to all of their emails, is bypassed. Even though “if she gets phished, the CEO loses everything.”
     The bottom line: Litt suggested that companies think carefully about their own particular needs. What does your company require? What threats are you most concerned about? The best training, he said, is not generic. It should be designed to meet the needs of your people and your company.

Companies that pick and choose who receives employee training may miss key players.