No, cybersecurity is not that easy, but it should be. Judging from the newspapers, it is clearly not easy, or people are just not communicating well about the basics.

Ransomware continues to explode across the national scene, striking everyone and everything, especially those like municipalities and school districts who can least “afford” to deal with its consequences. Not a day goes by without news of yet another unprotected database found by white hats, left exposed on the internet with no password or access control, its millions of pieces of PII available for anyone to view.

Lastly, let’s not forget that no one has solved the supply chain problems in this country that plague its industrial base and nearly every industrial sector. Digitalization is good. No, it’s great! Outsourcing creates great opportunities. It also creates risk that most companies need help even understanding, let alone dealing with and managing.

I talk with lots of friends daily on things like the above. I stated to one over the weekend, “It seems like we have made little progress since 2013 (and ‘name that breach’).” He stated to me, “Paul, things have gotten worse since 2013. Not better.” It was hard to argue with him. Things are not good.

There are lots of issues here, too many to discuss in 1000 words, let alone 1500. And I am not here to dwell on the bad stuff either. That is not me. That is not what the CyberAvengers stand for (a group of superhero friends of mine whom you might see frequently on social media). Let’s try to fix some of these issues. Today. Now. Here are ways to do so:

1

Let’s stop treating cybersecurity like a “black swan,” a rare event. It is far from it. It is no different from other recognized forms of corporate risk: financial risk, liquidity risk, fire risk, or currency risk. Cyber is a daily risk that needs to be dealt with daily. In the culture of the company. No more lip service. No more “I am not a target” baloney. If you have data, you are a target. If you think you haven’t been hacked already, think again. You have been. You are being hacked now. Treat cybersecurity with the respect it deserves, like that million-dollar contract or client you cannot afford to lose. As we know from the AMCA breach, if you lose on cybersecurity, you can lose on everything. Cyber is corporate risk, entity risk, regulatory risk and D&O risk all rolled into one. The consequences of getting it wrong are, well, disastrous.

2

Let’s stop vendor, nerd and tech speak. Let’s speak English to each other. Me to the CEO of a new client: “Does your company regularly back up its network, once a week, and store the backup media onsite, off-site and in the cloud?” “Well, Paul, I am not really sure.” Oh boy. Red alert, alarms flashing, bad answer. If the CEO can’t answer, and the IT Director can’t or won’t answer, I call in the cavalry for the CEO. It is not only IT people who need to speak English to corporate people; lawyers do too. Lawyers have to advise clients not just on what to do, but how to do it and who can do it. We lawyers need to extend ourselves so we can help others in their time of need. So we can help our country in its time of need.

3

All companies should consider adopting the NIST Cybersecurity Framework before others make that decision for them. Yes, I mean Congress, the regulators, or all of the above. The Framework fits in with item 2: it is in plain English. Lay people can understand it and appreciate it. Question for the CEO: “When was your last vulnerability assessment?” “Well, Paul, I don’t know what one really is, but I think we are ok.” Red lights again. Alarms. Do your assessment. You won’t regret it. Your company won’t regret it. And your Board of Directors will say, “Job well done!”

4

Remember that #thebasicsmatter. More than you know. Phishing training on a quarterly basis? Not perfect, but highly effective. And it doesn’t cost much. #Patching? #PatchIt regularly, and patch critical CVEs within 72 hours. It’s a must do, not a nice thing to do when you have the time or can afford it. #BackItUpX3? You mean on site (on a segmented basis), off site (fully segmented) and in the cloud? Yes, that is what “back it up X3” means, and test that you can actually restore from those backups. The CyberAvengers have a good chart on this stuff. It’s free. Please take a copy. Bring it to your office and give it to your CEO. Yes, vendors, it is NOT PERFECT. But it’s a good start. It follows the NIST Framework. And it’s in English: https://www.thecyberavengers.com/wp-content/uploads/2017/10/The-CyberAvengers-Easy-To-Do-List.jpg
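Two of the basics in item 4 are measurable: whether a critical CVE is still open past the 72-hour window, and whether each of the three backup tiers has a recent successful run. The script below, an added example rather than anything from the post or from the CyberAvengers chart, turns them into a check you could run over an inventory export. The hostnames, CVE placeholders and timestamps are constructed sample data; the CVSS 9.0 cut-off for “critical” and the seven-day maximum backup age are assumptions for this example, not numbers from the post. It can only check freshness of backups, not whether the off-site copy is really segmented or whether a restore works; test restores separately.

```python
"""Checks for two basics: the 72-hour patch window for critical CVEs and the
three-tier backup rule.  Added example; not code from the original post."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# The 72-hour window comes from the post.  The CVSS cut-off for "critical" and
# the 7-day maximum backup age are assumptions chosen for this example.
CRITICAL_SLA = timedelta(hours=72)
CRITICAL_CVSS = 9.0
MAX_BACKUP_AGE = timedelta(days=7)
REQUIRED_TIERS = ("onsite", "offsite", "cloud")


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    fix_available: datetime          # when the vendor patch was published
    patched: Optional[datetime]      # None while still unpatched


def overdue_critical(findings: List[Finding], now: datetime,
                     sla: timedelta = CRITICAL_SLA,
                     threshold: float = CRITICAL_CVSS) -> List[Tuple[str, str, int]]:
    """Critical findings still unpatched longer than the SLA, as (host, cve, hours_open)."""
    overdue = []
    for f in findings:
        if f.cvss < threshold or f.patched is not None:
            continue
        age = now - f.fix_available
        if age > sla:
            overdue.append((f.host, f.cve, int(age.total_seconds() // 3600)))
    return overdue


def backup_gaps(backups: Dict[str, Dict[str, datetime]], now: datetime,
                max_age: timedelta = MAX_BACKUP_AGE) -> Dict[str, List[str]]:
    """Per host, the required tiers with no successful backup within max_age.

    `backups` maps host -> {tier: timestamp of last successful backup}.  This
    checks freshness only; it cannot tell whether the off-site copy is really
    segmented from the network or whether a restore actually works.
    """
    gaps = {}
    for host, tiers in backups.items():
        stale = [t for t in REQUIRED_TIERS
                 if t not in tiers or now - tiers[t] > max_age]
        if stale:
            gaps[host] = stale
    return gaps


# Constructed sample data: hostnames, CVE placeholders and times are made up.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-XXXX-0001", 9.8, NOW - timedelta(hours=120), None),
    Finding("web-01", "CVE-XXXX-0002", 9.8, NOW - timedelta(hours=36), None),
    Finding("db-01", "CVE-XXXX-0003", 7.5, NOW - timedelta(days=9), None),
    Finding("db-01", "CVE-XXXX-0004", 10.0, NOW - timedelta(days=8),
            NOW - timedelta(days=6)),
]
SAMPLE_BACKUPS = {
    "web-01": {"onsite": NOW - timedelta(days=1),
               "offsite": NOW - timedelta(days=10),
               "cloud": NOW - timedelta(days=1)},
    "db-01": {"onsite": NOW - timedelta(days=1)},
}

if __name__ == "__main__":
    for host, cve, hours in overdue_critical(SAMPLE_FINDINGS, NOW):
        print(f"OVERDUE     {host}  {cve}  unpatched for {hours}h (SLA 72h)")
    for host, tiers in backup_gaps(SAMPLE_BACKUPS, NOW).items():
        print(f"BACKUP GAP  {host}  missing or stale: {', '.join(tiers)}")
```

On the sample data, only the first finding is reported (critical, unpatched, 120 hours open); the second is inside the window, the third is not critical, and the fourth was patched. For backups, web-01 has a stale off-site copy and db-01 has no off-site or cloud copy at all, which is exactly the “I am not really sure” answer in item 2 made visible.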

I could go on and on about the benefits of machine learning anomaly detection (great to have), encryption and micro-tokenization (really great to have) and identity and access management solutions (which, today, are almost a must have). But I won’t. They cost money. And many companies don’t have a lot, or, if they do, don’t know how to spend it wisely.

#thebasicsmatter. Start with the above. Rinse and repeat. Mic drop.

Paul Ferrillo

About Paul

Paul Ferrillo is a Shareholder in Greenberg Traurig’s Cybersecurity and Privacy Group. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation…