The Practical Realities of Cybersecurity
Best practices for crafting policies and procedures to protect your company
Andrew Morentz, Member
Telecommunications Law Professionals PLLC
email [email protected] | phone (202) 789-3115
*This presentation is not intended to be, nor does it constitute, legal advice to you, and is intended only as an informational presentation of current issues and best practices. Should you have specific questions that require legal advice, please contact an attorney.
Intro to Cybersecurity: Where do the risks arise?
Cybersecurity is not simply having a password on your company email account. It involves a number of data breach risks, including:
Active hacking or outside attacks
According to a 2013 Center for Strategic and International Studies (CSIS) report:
90% of successful attacks required only the most basic techniques
85% of breaches took months to be detected (5 months on average)
96% of successful attacks could have been avoided with simple or intermediate cybersecurity protocols
Insecure disposal of documents, computers or electronics
Point-of-sale security, including employee theft of consumer data
Email security, whether compromised mail servers or accidentally misrouted emails
A simple "Whoops!" – lost or stolen laptops, tablets, hard drives, devices, etc.
Malware downloaded through the Internet
Risks also arise from not fully understanding cybersecurity weaknesses and prevention best practices
For example, CSIS estimates that 75% of attacks use publicly known vulnerabilities in commercial software – attacks that could be prevented by regularly patching and updating software
Another study found that, unless it was kept updated, antivirus software missed as much as 95% of malware within a few days of that malware's introduction
Many companies also have an incomplete understanding of what constitutes an effective cybersecurity program
45% of companies surveyed believed they employed adequate protections, while a follow-on review showed that only 10% were actually doing so
Only 50% of companies use automated intrusion detection tools
Only 33% of companies use robust identity and account management systems
Beyond the Politics: Why does cybersecurity matter to me?
Most industry stakeholders are well aware of the debates currently raging in Congress and in administrative agencies, including the FCC
What constitutes critical infrastructure? Are communications networks included?
FCC cybersecurity interest
Executive Order on cybersecurity
Political and policy debates are interesting and important, but provide few near-term incentives for companies to act
Beneath the high-level debates lies the practical reality: cybersecurity risks exist, and laws and regulations, at both the state and federal level, are being enforced against companies right now.
Companies should be aware of the laws as they exist today, and would be well served to have comprehensive policies in place to protect against
Federal Agencies Have Been Active in Cybersecurity Issues
FCC – An FCC working group recently issued a report on how the NSA's cybersecurity controls should apply to communications companies, but could not reach consensus; the FCC nevertheless remains actively engaged
Customer Proprietary Network Information (CPNI)
Telephone Consumer Protection Act (TCPA)
FTC – Has brought enforcement actions over data security failures using its authority to regulate "unfair or deceptive trade practices" under Section 5 of the FTC Act
Most investigations end in consent decrees that require the adoption of expansive cybersecurity policies
These consent decrees can last as long as twenty years (see In re: HTC America, Inc.)
FTC’s authority to bring such actions is currently subject to challenge (FTC v. Wyndham Worldwide Corporation, et al.; motion to dismiss briefed in June with oral argument requested)
Federal Agencies (cont.)
SEC – Issued non-binding guidance in October 2011
Detailed six areas where reporting of cybersecurity risks and incidents may be appropriate in SEC filings
Companies have taken varied approaches to risk and incident reporting
Although this is SEC guidance only, it demonstrates that the agency is engaged
Senator Rockefeller sent a letter in May 2013 urging the SEC to update its cybersecurity guidance, and the SEC is considering the request.
HHS – HHS has been active in enforcement actions for the release of health-related information under its HIPAA authority.
Less important for communications providers, but it illustrates the general federal trend of engagement and enforcement
State Agencies and Attorneys General
State Notification Requirements – States require varying degrees of notice regarding the intentional or unintentional release of Personal Identifying Information ("PII")
Under most state laws, PII usually includes:
Social security number
Driver's license number
Financial account or credit card number
However, under some broader state laws PII can also include:
Email address
Any information allowing access to financial resources
Certain health information
The wide-ranging Massachusetts law (201 CMR 17.00) requires compliance if a company stores the PII of even one Massachusetts resident
Companies should be aware of the laws of each state in which they operate or have customers
Civil Litigation
Plaintiffs have been successful at bringing claims for statutory damages against companies under federal and state privacy and cybersecurity statutes, including:
Telephone Consumer Protection Act
Electronic Communications Privacy Act
Video Privacy Protection Act
Children's Online Privacy Protection Act
Class Action Litigation
There has also been a rise in class action litigation against companies by groups of plaintiffs seeking to recover for alleged data breaches and violations of alleged consumer privacy rights
Resnick, et al. v. AvMed, Inc.
In re: Sony Gaming Networks and Customer Data Security Breach Litigation
OK, I get that it's scary out there. How do I manage my risk?
Risk Mitigation Techniques
Training, training, training. Social engineering – manipulating individuals into downloading malware or handing over security information – can often foil even the most robust IT security system.
Train your employees regularly on how to spot phishing-type scams, and ensure that they understand your core security principles
Use application "whitelisting" on your networks so that only approved programs can be installed or executed
This avoids the cat-and-mouse game of identifying each new piece of malware: anything not on the approved list is blocked
Frequently patch operating systems and the most commonly used programs, such as Adobe products, MS Office and web browsers, to close known security weaknesses
Minimize the number of users with admin privileges
Use traceable (individual, non-shared) user accounts for all employees, and regularly review network and access logs
Limit employees' ability to access or alter networks to a need-only basis
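The last three controls above (few admin accounts, traceable per-person accounts, regular log review) only pay off if someone actually looks at the logs. The following Python script is an added example, not part of the original presentation: it runs a handful of checks over a constructed, simplified login log (the record layout, the account-naming convention used to spot shared accounts, the business-hours window and the failure threshold are all assumptions for illustration). It flags accounts that cannot be tied to a single person, lists who is using admin privileges, and reports after-hours logins and bursts of failed logins followed by a success.

```python
"""Audit a constructed login log against the controls listed above.

Assumed record layout (one event per line, space separated):
    <ISO timestamp> <user> <host> <success|failure> <user|admin>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data for the example; not from any real system.
SAMPLE_LOG = """\
2013-07-01T08:02:11 jsmith ws-14 success user
2013-07-01T08:05:40 admin ws-09 success admin
2013-07-01T08:06:02 admin ws-22 success admin
2013-07-01T09:15:33 mlee ws-03 success admin
2013-07-01T09:17:01 mlee fileserver success admin
2013-07-01T22:41:19 shared-frontdesk ws-01 success user
2013-07-01T23:02:55 jsmith ws-14 failure user
2013-07-01T23:03:07 jsmith ws-14 failure user
2013-07-01T23:03:19 jsmith ws-14 failure user
2013-07-01T23:03:31 jsmith ws-14 failure user
2013-07-01T23:03:44 jsmith ws-14 failure user
2013-07-01T23:04:01 jsmith ws-14 success user
"""

# Hypothetical naming convention: these prefixes mark accounts that are not
# tied to one identifiable person and therefore are not "traceable".
SHARED_ACCOUNT_PREFIXES = ("admin", "shared-", "guest")
BUSINESS_HOURS = (7, 19)   # assumed: 07:00 to 19:00 local time
FAILURE_THRESHOLD = 5      # assumed: consecutive failures worth flagging


def parse_log(text):
    """Turn the raw text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result, priv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result, "priv": priv})
    return events


def find_shared_accounts(events):
    """Accounts whose activity cannot be attributed to a single employee."""
    return sorted({e["user"] for e in events
                   if e["user"].startswith(SHARED_ACCOUNT_PREFIXES)})


def find_admin_users(events):
    """Every account seen exercising admin privileges; keep this list short."""
    return sorted({e["user"] for e in events if e["priv"] == "admin"})


def find_after_hours(events):
    """Successful logins outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["result"] == "success" and not (start <= e["ts"].hour < end)]


def find_brute_force(events, threshold=FAILURE_THRESHOLD):
    """(user, host, failures, time) where >= threshold consecutive failures
    on one user/host pair were immediately followed by a success."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["host"])
        if e["result"] == "failure":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                hits.append((e["user"], e["host"], streak[key], e["ts"]))
            streak[key] = 0   # a success (or a fresh start) resets the count
    return hits


def audit(text):
    """Run all checks and return the findings as a dict."""
    events = parse_log(text)
    return {
        "shared_accounts": find_shared_accounts(events),
        "admin_users": find_admin_users(events),
        "after_hours": [(e["user"], e["ts"].isoformat())
                        for e in find_after_hours(events)],
        "brute_force": find_brute_force(events),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

On the sample data the script reports two non-traceable accounts (`admin` and `shared-frontdesk`), two accounts using admin rights (`admin`, `mlee`), two after-hours logins, and one burst of five failed logins on `jsmith`/`ws-14` followed by a success, which is exactly the pattern a reviewer should follow up on. Note that the `admin` account appears in both the shared and the admin lists: a shared account with admin rights is the worst case for traceability, since no individual can be held to the actions taken under it.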
Risk Mitigation Techniques (cont.)
Manage third-party vendor risk by:
Having strong due diligence procedures in place
Establishing protocols for routine monitoring and auditing of third parties
Obtaining insurance against vendor liabilities
Run regular cybersecurity event simulations
If the practice becomes routine, your employees will be ready if and when a breach takes place
Secure all of your networks, including WiFi networks and devices on mobile networks, and implement internal network controls, such as firewalls
Maintain stringent physical access controls over electronic resources and data centers
Cybersecurity Best Practices: How does my policy stack up?
Do you have a comprehensive plan in place?
This is the most important question to ask yourself
Many companies have a series of varied and individual (and sometimes conflicting!) policies and procedures for IT and data security
Make sure that you have a comprehensive, documented plan in place, or an overarching and easily-accessible policy that brings together and references all cybersecurity policies from across your company in a consistent manner
What does a top-notch cybersecurity policy look like?
While all cybersecurity policies will have some, if not many, elements in common, the first and most important step is to conduct an inventory of your business
What type or types of data do you handle?
Is some or all of the data you handle covered by statute?
How is your data managed and protected?
Who has access to the data – when and how?
Answering these high-level questions will provide you with the tent
What does a top-notch cybersecurity policy look like? (cont.)
Once you have conducted an inventory of your business and determined the cybersecurity risks that you face, the next step is to implement policies to mitigate those risks
A robust cybersecurity plan will typically include:
Privacy and data security policies
Identify the data you collect – Who has access? How is it secured?
Procedures to protect against internal and external scams and fraud
Network security
External and internal networks
Inward- and outward-facing website security
Email security
Mobile device security
Keeping mobile devices free of malware
What does a top-notch cybersecurity policy look like? (cont.)
Physical and operational security
Securing access to sites where data is stored
Assess the information that cyber criminals may be able to obtain about the location of your data and your security protocols
Protect payment information
At the point-of-sale, whether in person or online
Develop policies restricting access to payment information
Thoroughly vet all employees and vendors
Standardize the employee and vendor due diligence process
Employ regular testing and auditing procedures
Develop incident response and reporting protocols
Establish clear roles and responsibilities for employees at all levels
Have clear points of contact and guidelines to ensure seamless cross-group collaboration during cybersecurity incidents
Conduct a post-mortem meeting to learn from each incident
Run regular simulations to test your policies in action
Regular cybersecurity incident simulations allow you to find the break points in your policies before a real incident occurs
In the event that a true threat is identified and classified, employees will know whom to contact, and teams will already be in place
Employees will become familiar with the process, and "muscle memory" will kick in during the chaos of a real cybersecurity incident
Document the results of these simulations for discussion and study of how to improve your cybersecurity incident response
Back up your data
The simple step of backing up important data to a segregated location (one that an attacker or malware on your production systems cannot reach) will allow your company to restore operations quickly in the event of critical data loss; test your restores periodically so you know the backups actually work