Where to Start When Assessing Your Company's Risk: GCs collaborate with IT to develop a cybersecurity risk framework

Tuesday, September 26, 2017 - 15:55

Nick Barone, co-practice leader of EisnerAmper’s Consulting Group, has over 20 years of industry experience leading computer investigations and cybersecurity incidence response – breach of data and breach response. He has led teams to respond to data breaches as well as to provide proactive security services to prevent them. He formerly served in law enforcement and has worked in 44 U.S. states and 17 foreign countries over the course of his career. Barone shares his insights about how to prepare and respond to cyber risks. His remarks have been edited for length and style.

 

Let’s talk about your approach to working with companies to help them prepare for cyber risk and response.

Nick Barone:  The general approach to cybersecurity is based two ways: an industry approach and a company IT risk-specific approach. First is a cybersecurity risk framework – there are several out there depending upon the type of industry you’re in. Second, and separate from the framework, is the current state of the client’s cybersecurity program. When we’re sitting down and talking to companies about how to protect their data, we ask them, “What is your current IT security like, and what does your current IT risk program look like? Have you performed a risk analysis?” If yes, we go through the framework they’ve utilized, or if they haven’t already started a cybersecurity program, we propose a framework.

What’s the role of the general counsel and legal department in terms of this preparedness and response planning?

Barone: From my experience, the first legal role is as an adviser on compliance and legal risk issues. In other words, in-house counsel provides advice to the company to help it be compliant with various cybersecurity regulations. Second, in the area of cyber legal risk prevention, inside counsel reviews contract language to ensure that all third parties and even fourth parties who have sensitive data are in compliance with the terms and agreements of the contract. Third, Legal’s role is to guide the company in two critical areas of maintaining sensitive information: information classification and information retention (or document retention). And finally, I see inside counsel’s role as providing guidance in the event of an incident to determine how the company needs to respond – and that may include the engagement of outside counsel and regulatory response.

You spent much of your career helping companies meet regulatory requirements by creating industry-specific solutions to prevent and identify fraud. Or, should I say identify, not prevent?

Barone: Actually, it’s prevention – through the various published federal and state compliance regulations like the Health Insurance Portability and Accountability Act (HIPAA) or other types of regulations. But let me take a step back here. There are several regulations that in-house counsel or outside counsel guide companies on. These can either be federal or state regulations. It’s the role of counsel to work with IT to make sure that the company protects itself and complies with these various regulations, and also to help the company understand what process or what data is out there that they need to comply with. For example, the storing of sensitive information.

Depending on the industry, there are multiple classes of information out there. For example, medical records fall under HIPAA. Credit card data falls under the Payment Card Industry Data Security Standard, etc. And personal information is just a broad requirement. That could include the names, addresses and Social Security numbers of employees or vendors. Other areas include, for example, education – college IDs, user names and passwords and so on in the education industry.

In your experience, in terms of cybersecurity, what’s the most fruitful way for companies to spend their time? Are there certain things they shouldn’t focus on? Certain things they should? There’s a big shift toward bring your own device (BYOD) right now, for instance.

Barone: Let’s start with what the cybersecurity industry calls the Core Four, the main issues that lead to a data breach, a violation or noncompliance. They are (1) testing your network, (2) training your employees, (3) patching your network, and (4) policy and procedures.

Every security issue that comes up, like BYOD, can be traced back to one of these four leading causes of a data breach. Failure by the company to train their employees. Failure by the company to test their network. Failure by the company to patch or put in place security provisions on their network. And then finally, failure by the company to follow policies and procedures.

In terms of BYOD, there are really two forms, and sometimes people don’t realize that. One of them is pretty obvious – to be able to be in contact with the company and its operations and clients via email. The second is the storage of company data outside of the network. Those are the two root causes of challenges with BYOD.

Once you introduce a BYOD system and you have a policy in place, companies then face challenges enforcing those polices on BYOD devices The two biggest ones are control over the storage of company information on these BYOD devices, and that the use of BYOD devices, unfortunately, introduces potential malware into the environment and presents a risk that the companies cannot properly manage. Say, for example, you bring your own laptop to the office, or you work remotely so the company allows you to purchase your own laptop or to remote in with another computer via your laptop, your personal device. What happens is that the company can no longer manage its control and security.

Now, the lawyers, risk officers and our IT departments create a policy. The policies and procedures provide guidance for the proper usage of that device and what you can and cannot do. However, there’s no enforcement of that policy because there’s a lack of certain technology to enforce it. So you’re left with the voluntary actions of the employee. Now, let’s go back to the security of the device itself. Companies sometimes lack the ability to control the device and, therefore, if the device is lost or stolen, the level of security is not as high as it would be for a company-owned device.

You also lead operational fraud risk assessments as well as initiatives to identify new IT threat scenarios across industries like financial services, tech, healthcare and education. Can you talk about some of the new IT threats you’re seeing that our readers may not be aware of?

Barone: The first issue is that BYOD is contributing to more reported data breaches. That’s an emerging trend, because these devices are not, like I said, adequately secure or controlled.

The second area is phishing. Even if a company does its best to patch security holes and educate and train its employees, people still get tricked into giving up their secure user names and passwords in email scams or malware that they accidentally click on. Companies can only do so much to prevent that email from coming into the environment.

The third area, unfortunately, is personal use of company devices. The increasing use of corporate assets for personal use is resulting in people introducing malware into the system as a result of surfing on their computer during off times. Most companies have a very vague policy toward personal use of a company computer. It’s too draconian to tell somebody they can’t surf the web on their lunch hour. And Americans do spend a large amount of their personal lives on company computers because that’s where they spend the majority of their computer time – at work.

What advice can you offer in-house lawyers?

Barone: I think an area that’s coming up more and more for lawyers is understanding liability and risk – internally, it’s important that in-house counsel can effectively communicate liability and risk to the company. Often the in-house counsel, or even outside counsel, don’t really get an opportunity to weigh in much on the IT network infrastructure. That’s the domain of IT. So additions and subtractions that occur in the IT world usually don’t involve input from counsel. I believe that in-house counsel should be more involved, or at least participate in meetings where the information technology structure is being discussed. I’m working with a client right now where that is the case – they’re starting to consult and include their in-house counsel more to understand their legal and compliance obligations.

That’s really the bigger role that counsel should play: advisement on legal risk involving IT-related issues or processes. From my conversations with in-house counsel, probably one of their biggest challenges is sitting at the table with IT, because they really aren’t technically savvy – though that is changing. But a lot of them have limited knowledge of their in-house technology – so they’re relying on whatever representations the IT department is making. But that’s where lawyers can play a bigger role – advising on the technology issues as they pertain to compliance risk and liability.