Cyber attacks: it’s no longer a case of if, but when!
In the most recent ACSC Annual Cyber Threat Report, during the 2020–21 financial year, there were over 67,500 cybercrimes reported to ACSC, an increase of nearly 13% from the previous period. This equated to one reported every 8 minutes.
Within the increase is malicious actors deploying targeted phishing, spear phishing, ransomware attacks, as well as the exploitation of software vulnerabilities, cyber threats will continue to pose a significant threat to business and Government operations in 2022. In this intense cyber threat environment, the in-house legal department must champion cyber security strategies and cyber awareness across their organisations.
Here are the Top 7 Cyber Security Tips for In-House Lawyers:
1. Review your systems and processes to know your risk areas
Understanding “what are the crown jewels of my company?” and defining the critical assets will provide an insight into what parts of your organisation a cyber criminal might target and the resultant risks. This will be unique to every organisation and could include manufacturing, supply chain, customer databases, payment systems, data, and even rogue employees.
Ideally, put together a multidisciplinary team at the outset that includes legal, IT and operations functions, to conduct a detailed analysis of systems and processes and identify risk areas.
Having legal involved in the planning and risk analysis encourages knowledge transfer and the development of appropriate strategies and plans for prevention and remediation.
2. Cyber security awareness training for all employees
Information security awareness training is a crucial aspect to the prevention of most cyber threats. However, with criminal activity in the cybersphere evolving incredibly quickly, training should be ongoing, not just an annual ‘tick and flick’ exercise. Make cyber awareness a regular agenda item at team meetings and encourage the sharing examples of recent phishing emails, dubious text messages or scam phone calls received by team members. Normalising the open discussion of high frequency and high risk cyber threats will assist in educating employees and establish standard routines and procedures to ensure all instances are appropriately identified and reported.
It is important to note that bad actors will target new employees who may not be familiar with company protocols, so ensure that cyber awareness training is conducted immediately when on-boarding a new team member.
3. Use best practice password security protocols
According to Dr Ian Levy, NCSC Technical Director, “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”
Password best practice:
- Use complex passwords
- 10 characters long with a combination of letters (both upper and lower-case), numbers and special characters
- Use a space in a password for a higher level of security
- Use unique passwords for each device / platform
- Never leave passwords written where they can be seen
- Do not save a copy of your password on your desktop
- Use a non-browser based password manager to securely store your passwords
Password security is one of the first lines of defence to protect your organisation, systems, and data from a cyber breach.
4. Be clear on who your stakeholders are in the case of a cyber attack
When a cyber attack is happening is not the opportune time to identify who should be involved in managing the incident. It is important to plan and identify in advance who needs to be ‘in the tent’ when an incident occurs. A cross-section of key personnel with unique skill sets will bring the best value to handling an attack. Consider including members from the following:
- IT
- In-house legal
- Compliance, risk, and privacy
- Executive leadership team
- Board members
Consider the role of external providers who will have more technical expertise, whether they are hired per incident or placed on a retainer, establishment in advance allows for quick action.
- Cyber security breach coach
- Digital forensics investigators
- Lawyers
- Consultants
- PR specialists
Key stakeholders that are often overlooked are internal staff, customers, and the general public, so ensure that these are identified and considered.
5. Have an Incident Response Plan and test this regularly
Have a detailed Incident Response Plan that includes procedures, roles and responsibilities, detection and analysis, containment, response, and post-incident analysis. More than simply an operational or technical matter, the Incident Response Plan must align with organisational priorities and its risk profile.
The plan should also consider:
- How will key personnel access the plan if physical or digital access is prevented? For example, at Lawcadia we utilise the Lawcadia platform’s crisis management workflow which digitally maps our ISO 27001 Crisis Management plan and automates each phase and step, right down to the agenda items
- Who should/must be notified or informed across stakeholders including employees, clients, customers, and media channels
- Regulatory reporting requirements
- The role of legal professional privilege and how, where or if it should be utilised
Just as the organisation will conduct a regular fire drill, conduct regular cyber drills and simulations to test the plan.
6. Review your Cyber Insurance Policy
Cyber insurance is a must-have for all organisations, and it is important to clarify the policy inclusions and limitations. Review coverage for:
- Data restoration
- Cyber extortion
- Ransomware payments
- Digital forensics consultants
- Legal costs
- PR
- Credit monitoring
- Business interruption
- 3rd party compensation claims
- Fees and penalties
- External investigations
If an attack happens, what are you able to draw down from your policy immediately to assist with mitigating the consequences?
7. Know your cyber security supply chain
Understanding your own cyber risks is one thing, but does your organisation evaluate and monitor the cyber security and data privacy practices of its 3rd party providers across the supply chain?
51% of organisations have experienced a data breach caused by a third-party, according to recent studies.
Part of the procurement processes for all 3rd party providers should involve defining and assessing risk as well as negotiating and clarifying that they meet all the standards set by your organisation for cyber security, auditing, privacy, and compliance. Plus, have provisions in place for if a breach occurs, including a compensation clause and a service level agreement (SLA).
It is in your organisation’s best interests to perform constant checks to ensure that suppliers are adhering to those required standards.
Conclusion
Whilst there is no silver bullet to guarantee the prevention of a cyber attack, an organisation can and should take all steps available to make it harder for cyber criminals to infiltrate. Further, a thorough and tested response plan for when a cyber attack happens will help to ensure that timely, appropriate and measured action is taken to minimise adverse consequences.
Stay on top of this space by subscribing to the following online resources:
