CYBERSECURITY SECURITY MANAGEMENT PARTNERS

Upload: ed-greenberg

Post on 12-Aug-2015

“We live in a world where our national security is threatened by cyber terrorists, and where private enterprise is forced to respond to cyber theft of intellectual property on a daily basis. The Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, we will not stand on the sidelines.”

—Jim Darsigny, Chief Information Officer, Brown Rudnick

“‘It doesn’t take a genius to walk into an unsecured office and walk out with printed information or a laptop.’ THERE IS ALWAYS A WAY IN.”

CYBERSECURITY WILL BECOME A COST CENTER

THERE MUST BE BOARDROOM INVESTMENT

TECHNOLOGY IS VITAL

$7.5 MILLION

LACK OF SECURITY

INDIRECT

• BRAND DEVALUATION

• LOSS OF CLIENTS

• LITIGATION

DIRECT

• INFORMATION LOSS

• BUSINESS DISRUPTION

• REVENUE LOSS

• EQUIPMENT DAMAGES

ILTA FINDINGS

• 76 PERCENT OF FIRMS DO NOT USE OR REQUIRE TWO-FACTOR AUTHENTICATION.

• 72 PERCENT OF FIRMS DO NOT ISSUE ENCRYPTED USB DRIVES.

• 64 PERCENT OF FIRMS DO NOT AUTOMATICALLY ENCRYPT CONTENT-BASED EMAIL.

• 56 PERCENT OF FIRMS DO NOT ENCRYPT LAPTOPS.

• 90 PERCENT OF FIRMS DO NOT USE ANY LAPTOP TRACKING TECHNOLOGY.

• 61 PERCENT OF FIRMS DO NOT HAVE INTRUSION DETECTION TOOLS.

• 64 PERCENT OF FIRMS DO NOT HAVE INTRUSION PREVENTION TOOLS.

CYBERSECURITY WAR

#1 • CHINA TO US

#2 • US ON CHINA

14% of respondents to an American Bar Association technology survey said their firms had experienced some type of security breach or theft this year.

FIRST STEPS IN AN ENTERPRISE SECURITY PROGRAM

HIRE CSO; BUDGET FOR STAFF

TO GET SERIOUS ABOUT LAW FIRM CYBERSECURITY, ATTORNEYS HAVE TO AWAKEN TO THE REALITY OF CYBERSECURITY RISK, AND BEGIN TO EMBRACE AND COOPERATIVELY IMPLEMENT SOLUTIONS.

EXERCISE GOVERNANCE OVER DIGITAL ASSETS

FIRM MANAGEMENT MUST DEFINE SECURITY ROLES AND RESPONSIBILITIES, DEVELOP TOP-LEVEL POLICIES AND EXERCISE OVERSIGHT.

SET THE “TONE FROM THE TOP” AND ISSUE HIGH-LEVEL POLICIES REGARDING THE PRIVACY AND SECURITY OF FIRM DATA. THIS INCLUDES THE USE OF ENCRYPTION.

VENDOR MANAGEMENT

INCIDENT RESPONSE

HAVING A WELL-REHEARSED INCIDENT RESPONSE PLAN IS CRITICAL. IT MUST SPECIFY WHO WILL BE NOTIFIED, WITHIN WHAT TIME FRAME, WHAT DOCUMENTATION MUST BE KEPT, WHO IS DESIGNATED TO SPEAK ABOUT THE INCIDENT AND WHO HAS AUTHORITY TO MAKE CERTAIN DECISIONS ABOUT THE INVESTIGATION.

LAW FIRMS ARE THEIR OWN WORST ENEMY

LAWYER ACCEPTANCE

FOCUS

INSIDER MISUSE

COMMUNICATION MISUSE

DATA LEAKAGE

DATA THEFT

CYBERSECURITY RECOMMENDATIONS

• INVENTORY THE FIRM’S SOFTWARE SYSTEMS AND DATA, AND ASSIGN OWNERSHIP AND CATEGORIZATIONS OF RISK.

• DEPLOY NEEDED SECURITY TECHNOLOGIES INCLUDING ENCRYPTION, INTRUSION DETECTION AND PREVENTION AND MONITORING.

• IDENTIFY POINTS OF CONTACT WITH LAW ENFORCEMENT, INTERNET SERVICE PROVIDERS AND THE COMMUNICATIONS COMPANIES THAT SERVICE THE FIRM.

• CONDUCT THIRD-PARTY VULNERABILITY SCANS, PENETRATION TESTS AND MALWARE SCANS.

IDENTIFY AND DOCUMENT SECURITY CONTROLS.

ESTABLISH SECURITY CONFIGURATION SETTINGS, ACCESS CONTROLS AND LOGGING.

DEVELOP SECURITY POLICIES AND PROCEDURES TO SUPPORT THE SECURITY PLAN AND TECHNOLOGIES.

DEVELOP CONTRACTUAL SECURITY REQUIREMENTS FOR OUTSOURCING VENDORS, CLOUD PROVIDERS OR OTHER ENTITIES.

DEVELOP INCIDENT RESPONSE, BUSINESS CONTINUITY OR DISASTER RECOVERY PLANS.

CONDUCT REGULAR REVIEWS OF THE SECURITY PROGRAM AND UPDATE AS NECESSARY.

ITEMS TO THINK ABOUT

FOREIGN THREATS

FOREIGN THREATS ARE FOR DESTRUCTIVE INTENT

NOISY NUISANCE ATTACKS COMPARED TO DESTRUCTIVE

CHINESE “AXIOM” ADVANCED PERSISTENT THREAT THAT CAN BE DEVASTATING TO CRITICAL INFRASTRUCTURE

BAD ACTORS

GOING ON OFFENSE

CYBERMERCENARY LEADS YOU TO SLIPPERY SLOPE OF LIABILITY

ACTIVE DEFENSE COMPARED TO OFFENSIVE DEFENSE IS DANGEROUS

CYBER COMPETITIVE ADVANTAGE CAN LEAD YOU TO PROBLEMS WHY NOT COLLABORATE AMONG FIRMS

INFORMATION SHARING LEGISLATION IN CONGRESS

ISAC (INFORMATION SHARING AND ANALYSIS CENTER)—BE ACTIVE

WHY AREN’T WE…

FINANCIAL INSTITUTIONS SPENDING 2B IN CYBER COSTS

DIFFERENCE BETWEEN VOLUNTARY AND REGULATORY IMPLEMENTATION

NIST SENIOR ADVISOR-ADAM SEDGEWICK

ADMIRAL MIKE ROGERS

THINK ABOUT THIS!

CRITICAL INFRASTRUCTURE IN GOVERNMENT AND PRIVATE BUSINESS

CYBER THEFT NOT GOING AWAY

IMAGINE TOP 10 COMPANIES IN SAME MARKET SEGMENT BEING ATTACKED AT ONCE

One thing is very clear: Most organizations’ cybersecurity programs do not rival the persistence, tactical skills, and technological prowess of today’s cyber adversaries.

69% of US executives are worried that cyber threats will impact growth.

82% of companies with high-performing security practices collaborate with others to deepen their knowledge of security and threat trends.

59% of respondents said that they were more concerned about cybersecurity threats this year than in the past.

49% of all respondents have a plan for responding to insider threats.

$2,500 per employee: median maximum amount that banking and finance organizations invest in cybersecurity.

$400 per employee: median maximum amount that the SMB market invests in cybersecurity.

“Cybercrime is a clear, present, and permanent danger. While it’s a permanent condition, however, the actors, threats, and techniques are very dynamic.”

— Tom Ridge, CEO of Ridge Global and first secretary of the US Department of Homeland Security

The NIST Cybersecurity Framework may be voluntary, but it offers potential advances for organizations across industries.

RESPONSE AND RECOVERY PLAN