Simply put, there is no silver bullet for addressing cyber threats. Successful cyber-risk management focuses on the education, training and awareness of employees, the development of policies that prioritize and address risk and the use of technologies that support organizational policies as implemented by people.
Addressing cybersecurity risk is a dynamic and perpetual process. The National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was developed primarily from industry input to help organizations manage cyber risk, is an invaluable tool for identifying how an organization currently manages cyber risk, whether there are gaps in its current program and how it can improve upon its risk management practices.
Here are three additional activities to help organizations operationalize their cyber-risk management strategies.
1. Avoid legal and IT/security silos. Collaboration between a company’s legal and IT/security departments is essential. Legal personnel must understand the cyber-related regulatory requirements applicable to their organizations, as well as their role in cybersecurity preparedness and incident response. Likewise, IT and security practitioners must be aware of the legal issues and potential ramifications of cyber events, such as network intrusions and data breaches. They must prioritize and work within the framework for attorney-client privilege and work product protection. Communication between these two groups must therefore be bidirectional. The NIST Cybersecurity Framework can be useful for creating a common language within the enterprise on cyber risk.
2. Prioritize cyber risk in vendor negotiations. Service providers and third-party IT/security products can pose significant security vulnerabilities if not appropriately managed. Executives must understand that high-profile breaches have occurred because of issues such as stolen vendor credentials and poorly secured vendor remote access. Organizations must therefore be sure to conduct thorough vendor due diligence, require service providers to comply with specified security requirements and include counsel and security personnel in negotiations. Supply chain vulnerabilities can pose the greatest risk to a company’s security.
3. Understand you will be attacked … and be prepared. Although cyber attacks are inevitable, organizations can limit their impact with effective response strategies that manage and contain the incident and ensure operations are resumed as quickly as possible. It is essential to develop and implement incident response plans and to test these plans regularly to ensure they are effective and that the personnel involved understand their roles and responsibilities.
Organizations must ensure their response plans are agile, flexible and focused on the current threat landscape. They should report test results to senior management and the board so that these executives understand the organization’s level of preparedness for a cyber event and so that the lessons learned from each exercise are incorporated into the enterprise’s incident response plans.
Companies must undertake a comprehensive effort to make cybersecurity an integral part of their cultures and develop cyber-risk management strategies that evolve with changing threats. These strategies include identifying risks and implementing measures that fit with the corporate culture and align with the organization’s priorities.
Although there is no single measure that can prevent cyber attacks, implementing the activities described above will better ensure that your organization has the necessary tools in place to respond to such attacks and mitigate the resulting damage to your organization.
Kimberly (Kim) Kiefer Peretti is a partner in Alston & Bird’s Litigation & Trial Practice Group and co-chair of its Cybersecurity Preparedness and Response Team. Peretti is a former director of PricewaterhouseCoopers’ cyber forensic service practice and a former senior litigator for the Department of Justice’s Computer Crime and Intellectual Property Section. She focuses her practice on managing complex, technical electronic investigations and responses, often resulting from cyber intrusions and data breaches.
Jason R. Wool is an associate in Alston & Bird’s Technology and Privacy Group and Cybersecurity Preparedness and Response Team. His practice focuses on cybersecurity, privacy and critical infrastructure protection, and he provides advice on a range of cybersecurity topics, including compliance with cybersecurity standards, managing cyber risk, cybersecurity governance and responding to security incidents. He participated in all six National Institute of Standards and Technology workshops on the development of the Cybersecurity Framework.
Kiersten Todt is the President and Managing Partner of Liberty Group Ventures, LLC, a cyber risk and crisis management consulting firm in Arlington, Virginia. She has served in senior positions in the private sector, as well as in the White House and in the U.S. Senate, where she was a primary drafter of the legislation that created the Department of Homeland Security.
Roger Cressey is a Partner with Liberty Group Ventures, LLC. He most recently served as a Senior Vice President at Booz Allen Hamilton, supporting the firm’s cyber security practice. He has served in senior cyber security and counterterrorism positions in the Clinton and Bush Administrations, including Chief of Staff of the President’s Critical Infrastructure Protection Board and Deputy for Counterterrorism on the National Security Council staff.