The Practical Realities of Cybersecurity

Best practices for crafting policies and procedures to protect your company

Andrew Morentz, Member
Telecommunications Law Professionals PLLC
email [email protected] | phone (202) 789-3115

*This presentation is not intended to be, nor does it constitute, legal advice to you, and is intended only as an informational presentation of current issues and best practices. Should you have specific questions that require legal advice, please contact an attorney.

Intro to Cybersecurity: Where do the risks arise?

- Cybersecurity is not simply having a password on your company email account; it involves a number of data breach risks, including:
  - Active hacking or outside attacks
    - According to a 2013 Center for International & Strategic Studies report:
      - 90% of successful attacks required only the most basic techniques
      - 85% of breaches took months to be detected (5 months on average)
      - 96% of successful attacks could have been avoided with simple or intermediate cybersecurity protocols
  - Insecure disposal of documents, computers or electronics
  - Point-of-sale security, including employee theft of consumer data
  - Email security, either hacked servers or accidentally mis-routed emails
  - A simple “Whoops!” – lost/stolen laptops, tablets, hard drives, devices, etc.
  - Malware downloaded through the Internet

- Risks also arise from not fully understanding cybersecurity weaknesses and prevention best practices
  - For example, CSIS estimates that 75% of attacks use publicly-known vulnerabilities in commercial software – attacks that could be prevented by regularly patching and updating software
  - Another study found that antivirus software missed as much as 95% of malware within a few days of its introduction when the software was not kept updated
- Many companies also have an incomplete understanding of what constitutes an effective cybersecurity program
  - 45% of companies surveyed believed they employed adequate protections, while a follow-on review showed that only 10% were actually doing so
  - Only 50% of companies use automated intrusion detection tools
  - Only 33% of companies use robust identity and account management systems

Beyond the Politics: Why should cybersecurity matter to me?

- Most industry stakeholders are well aware of the current debates raging on in Congress and in administrative agencies, including at the FCC
  - What constitutes critical infrastructure? Are communications networks included?
  - FCC cybersecurity interest
  - Executive Order on cybersecurity
- Political and policy debates are interesting and important, but provide few near-term incentives for companies to act
- Beneath the high-level debates lies the practical reality: cybersecurity risks exist, and laws and regulations, at both the state and federal level, are being enforced against companies right now.
- Companies should be aware of the laws as they exist today, and would be well-served to have comprehensive policies in place to protect against

- Federal Agencies Have Been Active in Cybersecurity Issues
  - FCC – An FCC working group recently issued a report on how the NSA’s cybersecurity controls should apply to communications companies, but could not reach consensus; however, the FCC remains actively engaged
    - Customer Proprietary Network Information (CPNI)
    - Telephone Consumer Protection Act (TCPA)
  - FTC – Has brought enforcement actions over cybersecurity breaches using its authority to regulate “unfair or deceptive trade practices” under Section 5 of the FTC Act
    - Most investigations end in consent decrees that require the adoption of expansive cybersecurity policies
    - These consent decrees can last as long as twenty years (see In re: HTC America, Inc.)
    - FTC’s authority to bring such actions is currently subject to challenge (FTC v. Wyndham Worldwide Corporation, et al.; motion to dismiss briefed in June with oral argument requested)

- Federal Agencies (cont.)
  - SEC – Issued non-binding guidance in October 2011
    - Detailed six areas where reporting of cybersecurity risks and incidents may be appropriate in SEC filings
    - Companies have taken varied approaches to risk and incident reporting
    - Although this is SEC guidance only, it demonstrates that the agency is engaged
    - Senator Rockefeller sent a letter in May 2013 urging the SEC to update its cybersecurity guidance, and the SEC is considering the request.
  - HHS – HHS has been active in enforcement actions for the release of health-related information under its HIPAA authority.
    - Less important for communications providers, but displays the general federal government trend of engagement and enforcement

- State Agencies and Attorneys General
  - State Notification Requirements – States require varying degrees of notice regarding the intentional or unintentional release of Personal Identifying Information (“PII”)
    - Under most state laws, PII usually includes:
      - Social security number
      - Driver’s license number
      - Financial account or credit card number
    - However, under some broader state laws PII can also include:
      - Email address
      - Any information allowing access to financial resources
      - Certain health information
  - The wide-ranging Massachusetts law (201 CMR 17.00) requires compliance if a company is storing PII of even one Massachusetts resident!
  - Companies should be aware of the laws for each state in which they operate or have customers

- Civil Litigation
  - Plaintiffs have been successful at bringing claims for statutory damages against companies under federal and state cybersecurity statutes, including:
    - Telephone Consumer Protection Act
    - Electronic Communications Privacy Act
    - Video Privacy Protection Act
    - Children’s Online Privacy Protection Act
- Class Action Litigation
  - There has also been a rise in class action litigation against companies by groups of plaintiffs seeking to recover for alleged data breaches and violation of alleged consumer privacy rights
    - Resnick, et al. v. AvMed, Inc.
    - In re: Sony Gaming Networks and Customer Data Security Breach Litigation

OK, I get that it’s scary out there. How do I manage my risk?

- Risk Mitigation Techniques
  - Training, training, training. Social engineering – the process of manipulating individuals into downloading malware or providing security information – can often foil even the most robust IT security system.
    - Train your employees regularly on how to spot these phishing-type scams, and ensure that they understand your core security principles
  - Use application “whitelisting” for your networks to prevent unapproved programs from being downloaded and installed
    - Eliminates the cat-and-mouse game of identifying malware
  - Frequently patch operating systems and the most commonly used programs, like Adobe, MS Office and web browsers, to mitigate security weaknesses
  - Minimize the number of users with admin privileges
  - Use traceable user accounts for all employees, and regularly monitor network use logs
  - Limit the ability of employees to access or alter networks to a need-only basis

- Risk Mitigation Techniques (cont.)
  - Manage third-party vendor risk by:
    - Having strong due diligence procedures in place
    - Generating protocols for routine monitoring and auditing of third parties
    - Obtaining insurance against vendor liabilities
  - Run regular cybersecurity event simulations
    - If the practice becomes routine, your employees will be ready if and when a breach takes place
  - Secure all of your networks, including WiFi networks and devices on mobile networks, and implement internal network controls, such as firewalls
  - Maintain stringent physical access controls to electronic resources and data centers

Cybersecurity Best Practices: How does my policy stack up?

- Do you have a comprehensive plan in place?
  - This is the most important question to ask yourself
  - Many companies have a series of varied and individual (and sometimes conflicting!) policies and procedures for IT and data security
  - Make sure that you have a comprehensive, documented plan in place, or an overarching and easily-accessible policy that brings together and references all cybersecurity policies from across your company in a consistent manner
- What does a top-notch cybersecurity policy look like?
  - While all cybersecurity policies will have some, if not many, elements in common, the first and most important step is to conduct an inventory of your business
    - What type or types of data do you handle?
    - Is some or all of the data you handle covered by statute?
    - How is your data managed and protected?
    - Who has access to the data – when and how?
  - Answering these high-level questions will provide you with the tent

- What does a top-notch cybersecurity policy look like? (cont.)
  - Once you have conducted an inventory of your business and determined the cybersecurity risks that you face, the next step is to implement policies to mitigate those risks
  - A robust cybersecurity plan will typically include:
    - Privacy and data security policies
      - Identify the data you collect – Who has access? How is it secured?
      - Procedures to protect against internal and external scams and fraud
    - Network security
      - External and internal networks
      - Inward and outward facing website security
      - Email security
    - Mobile device security
      - Keeping mobile devices free of malware

    - Physical and operational security
      - Securing access to sites where data is stored
      - Assess the information that cyber criminals may be able to obtain about the location of your data and your security protocols
    - Protect payment information
      - At the point-of-sale, whether in person or online
      - Develop policies restricting access to payment information
    - Thoroughly vet all employees and vendors
      - Standardize the employee and vendor due diligence process
      - Employ regular testing and auditing procedures
    - Develop incident response and reporting protocols
      - Establish clear roles and responsibilities for employees at all levels
      - Have clear points of contact and guidelines to ensure seamless cross-group collaboration during cybersecurity incidents
      - Conduct a post-mortem meeting to learn from each incident

- Run regular simulations to test your policies in action
  - Regular cybersecurity incident simulations allow you to find any break points in your policies before an incident occurs
  - In the event that a true threat is identified and classified, employees will know who to contact, and teams will already be in place
  - Employees will become familiar with the process and “muscle memory” will kick in during the chaos of a real cybersecurity incident
  - Document the results of these simulations for discussion and study on how to improve your cybersecurity incident response
- Back up your data
  - The simple step of backing up important data in a segregated area will allow your company to restore operations quickly in the event of critical data loss
- Engage in continuous risk monitoring

Where do I go from here?

- Take stock of your current policies
- Develop any missing policies or protocols
- Ensure cohesiveness of all interlocking policies
- Run a cybersecurity incident simulation
- Analyze any weaknesses and improve

Questions?

- I am glad to answer any questions about how you can make your cybersecurity policies work for you and for your company
- Contact information:
  Andrew Morentz
  Telecommunications Law Professionals PLLC
  Email: [email protected]
