Cybersecurity breaches are becoming daily occurrences and can no longer be ignored. The threat is real and it goes beyond financial risks. In the legal profession, the reputational damage alone to a firm could be irreparable. Attackers have more resources, computing power, and coding knowledge than any single entity. In a directed attack, very few targets survive without severe problems such as data destruction or information leaks. While we read about these cybersecurity breaches and their effects on industries across the world, many lawyers are left wondering what they can possibly do against such odds.
As with any form of battle, you need a solid strategy that will incorporate the entire organization. Without a strategy, attempts to protect the information become a series of single point tactics that do not work together. Attackers rely on this to move between the protections or exploit them individually. They also rely on the fact that an organization will not be able to react in time to provide any evidence to law enforcement agencies.
Nationwide Cybersecurity Guidelines
After a series of very serious and well-publicized breaches of major retailers and banks, in 2013 President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity,” which called for guidelines to help organizations implement and improve cybersecurity practices.1
Bill Brousseau, CISSP, is chief technology officer for Secure Global Solutions in Milwaukee.
In response to this executive order, the National Institute of Standards and Technology (NIST) spent 10 months with thousands of security professionals to develop a risk-based framework using common language to help organizations organize and improve their cybersecurity practices. NIST has always provided cybersecurity guidelines for different industries and organizational types; however, these guidelines were often very specific to an industry and heavily IT focused. Experience has taught that cybersecurity is no longer just the IT department’s problem; it is every employee’s responsibility to protect the assets in the organization.
The NIST Framework for Improving Critical Infrastructure Cybersecurity2 fuses the best practices for cybersecurity across all industries into a single, repeatable process. There are five core functions:
- Identify;
- Protect;
- Detect;
- Respond; and
- Recover.
Using common language will allow the process to be understood and integrated throughout an entire organization. The NIST framework will help ensure that key areas of operations are no longer ignored. Unfortunately, for many organizations it also will expose items that are completely missing or were never even considered in current cybersecurity plans. This is to be expected, but keep in mind the process is meant to be repeated at regular intervals. Each time your practices will mature and improve. Repeating the process will also help ingrain it into your organization so the practice becomes part of every department, applied to every new application launched, every new device installed, and every new employee hired. This training and mindset will become invaluable in the event of a breach.
Core Cybersecurity Functions
Identify. The first core function is identify. Here the framework will help you define the rules of engagement. To fully protect your firm, you must identify what you are protecting. This function does not focus only on inventories and IT devices. The identify stage starts with determining your firm’s compliance and regulatory obligations. Next you evaluate your business environment, tolerance for certain risks, and even local, state, and federal reporting requirements. By defining the playing field and all the rules, it is easier to form a solid strategy. This phase gives you a complete picture of exactly what you are protecting, where it resides, and what rules must apply for any compliance.
Protect. Now that you know the rules, the next core function, protect, will help you define tactics and procedures. Protection is not just a collection of technologies such as firewalls; it includes the controls and safeguards that combine the protective technologies into a useful system. Often, expensive firewalls or intrusion detection systems are in place, but the organization’s employees do not know how to process or react to the information provided. Employee training is a key component of the protect function that is regularly overlooked. Protect will help combine the technologies with training and maintenance to build effective practices.
Detect. Once protections are in place and employees have been trained, you need practices that will detect anomalies and issue alerts when things are suspicious. Cybersecurity events must be promptly and easily interpreted by employees. To demonstrate due diligence and compliance with most regulatory bodies, you also need to document the event and what was done to correct it. These items are key to preventing small breaches from expanding into big problems.
Respond. It is not a question of “if” but “when” a cybersecurity attack will occur. How your organization responds to an attack will directly affect the extent to which the organization preserves its data, protects its reputation, and minimizes financial losses. The core function of respond outlines practices that must be in place for you to effectively contain and reduce the impact of cybersecurity breaches.
Once a breach is detected, your staff must know how to react, and systems must be in place to maintain communication. For example, if your firm’s email server and voice systems were all down, how would key managers or partners communicate to implement your recovery plans? A response plan should include an independent service for communications in the event of a disaster and training requirements for managers. Practicing response plans and improving them as necessary are the only ways to keep them effective. Each time you will find improvements or updates for your environment to keep up with current cybersecurity threats.
Recover. After a cybersecurity event is mitigated, it is time to implement the recover functions. If recovery plans are in place and up to date, the time to restore services and normal operations will be greatly reduced. The recover functions rely heavily on proper communications, both internally and externally through public relations. If recovery plans are not defined and regularly practiced, there may not be a way back from the destruction.
The NIST framework is completely adaptable to the way you do business. As you review and refine your practices and processes, at every organizational level, the NIST framework identifies commonsense areas to address and a structure to locate and assess your strengths and weaknesses. Whether it be the hiring of new employees, storage of customer documents, or even physical access to the office, the same questions should be asked: “What are we protecting? How do we protect it? How do we detect if it is breached? How do we respond to a breach? How do we recover after a breach?”
At times, cybersecurity threats may seem insurmountable in a world where hackers hold the upper hand. Implementing expensive technologies and tactics without a solid strategy will only provide the attackers a safe haven behind a wall of noise.
To get started with the NIST cybersecurity framework, first secure an executive- or partner-level sponsor. Next, use the first iteration as a baseline to assess your practices. With executive support, review the results and assign resources based on the risk tolerance and weaknesses discovered. Finally, repeat the process regularly to update and improve based on current trends and threats. While you may not be able to prevent every single threat, with a cybersecurity framework in place you can greatly limit the damage to your services and reputation.
1 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, 78 Fed. Reg. 11,737 (Feb. 19, 2013); www.federalregister.gov/articles/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity.
2 National Institute of Standards & Technology, Framework for Improving Critical Infrastructure Cybersecurity, Feb. 12, 2014, www.cisecurity.org/images/frame.pdf.