Editor’s Note: The author of this post works in-house for Microsoft and is based in Chicago.
By Dennis Garcia, Assistant General Counsel, Microsoft Corporation
Last month business magnate, investor and philanthropist Warren Buffett made this comment during Berkshire Hathaway’s annual shareholders meeting: “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.”
There is no doubt that cybersecurity is a growing concern for every organization – regardless of size or industry. So much has been written and discussed about cybersecurity over the past few years that it can be overwhelming for in-house counsel and law firm lawyers to digest the vast amount of information on this important topic.
I am a big fan of mnemonics since it is a learning tool introduced to me many years ago by a bar exam prep provider that helped me prepare for and pass the New York and Connecticut Bar Exams. Here is a simple mnemonic I developed based on the letters for the word “SECURE” to identify six practical and straightforward cybersecurity focus areas for all organizations and their legal teams:
Supply-Chain Due Diligence
As organizations focus on their customers it is natural to enlist the support of third party suppliers and vendors – many of whom will have access to highly sensitive data. High-profile data breaches affecting organizations have involved cybersecurity challenges associated with their supply-chains. Prior to working with any third party who will have access to your data, make sure your team of legal, privacy, risk-management and security professionals perform a thoughtful, comprehensive and scalable evaluation of your supply-chain’s cybersecurity practices and reputation so that you can feel confident they are trustworthy.
Educate, Educate & Educate
Similar to compliance and ethics trainings, your organization must constantly educate its employees on embracing appropriate cybersecurity practices. Such education should be mandatory, provided to every professional in your organization (including your Board of Directors), delivered online or in-person and cover key areas ranging from the importance of multi-factor authentication practices to identifying phishing/suspicious emails to using leading cybersecurity hygiene to effective password management to social engineering awareness to embracing continuous data back-up. Be sure to update such training periodically and keep it fresh and interesting so that it remains relevant to your audience.
A great first step in securing your data is to understand the landscape of the various types of data your organization generates, uses and has in its possession. Once that inventory is conducted you can appropriately classify your categories of data and then establish the appropriate rules, practices and policies to protect it. Engaging in a meaningful data classification process enables you to take stock of the different data sets to your organization, determine its value and secure it.
One of the most important lessons learned from the recent “WannaCry” and “Petya” ransomware attacks is that a leading defense against cyber threats is to use and deploy the most current system updates from technology providers. By not using updates and patches offered by technology providers, organizations are left fighting problems of the present with tools from the past. Also remember that one of the potential cybersecurity benefits in working with a highly trustworthy and reliable cloud services provider are that system updates – including security updates – are automatically pushed out to customers.
Are you and your organization truly cybersecurity-ready? Have you conducted a meaningful cybersecurity audit of your organization? Do you simulate cyberattacks against your organization’s infrastructure and employees so that you can learn from those exercises and have a more robust cybersecurity position? What is your response plan in the event your organization experiences a significant cybersecurity incident (and do you stress-test that response plan)? Given the intense competition for hiring great cybersecurity talent nowadays how do you attract, employ and retain such talent? These and so many other considerations are critical to your organization’s overall cybersecurity readiness.
Cybersecurity is truly everyone’s responsibility within your organization – regardless of an employee’s position, title or level of responsibility. More broadly we also need the technology sector, customers and governments to work together to protect against cybersecurity attacks. While cybersecurity is a shared responsibility, lawyers are uniquely positioned to play a leadership role in preventing, navigating, investigating and remediating any cybersecurity incident involving their clients.
Unfortunately, cybercriminals are getting smarter, bolder and more sophisticated every day. Be “SECURE” so that you and your organization can be more cybersecure.