Is Cybersecurity a Bad Word?

Fear of the unknown. Over a combined six decades of Cybersecurity work, our team has encountered one troubling constant: business and law firm leaders fear Cybersecurity risks and often exhibit extreme avoidance behaviors. But today, burying your head in the sand may be a “bet-the-company” mistake. While this nearly instinctual reaction to the unknown is understandable, it is unnecessarily reckless. With the right team supporting you, businesses and law firms can quickly, practically and affordably identify and remediate Cybersecurity risk.

Demystifying Cybersecurity. Most business security needs fall roughly into one of two basic functions: physical security of people, facilities and resources; and Cybersecurity of proprietary, privileged, and other protected data. In our experience with small to mid-sized businesses and law firms, physical and personnel security is usually well managed; but Cybersecurity—even today—ranges from ad hoc or piecemeal (often confused with, and left to, IT) to non-existent. This results in part from the relentless promotion of “FUD” (Fear, Uncertainty, and Doubt) by large Cybersecurity vendors. But Cybersecurity does not have to be frightening. At its core, Cybersecurity, like other aspects of running a successful business, encompasses basic objectives to minimize security risks—reducing your company’s exposure to critical business disruptions; legal liability; and, perhaps worst of all, damage to your company or firm reputation. Just as physical security is not as simple as putting locks on the doors, Cybersecurity is not as simple as using a firewall and a password. Rather, as with physical security, a good Cybersecurity program involves a set of coordinated mechanisms—policies, personnel and technology. Its core principles need not be beyond the comprehension or implementation of any business.

Visibility. The heart of Cybersecurity is, in essence, the head—visibility—and businesses can no longer afford to bury their heads, ignoring security gaps and indicators of attack. A business that cannot see the threats facing it can neither prevent nor plan for them. The necessary level of visibility requires (automated) monitoring of your network traffic and tracking of each device on your system (phones and tablets and computers and, yes, even printers and other internet-based communications technologies). This sounds daunting to most, but, with the right help, it needn’t be. There are convenient solutions that provide the necessary visibility to track and control network permissions; minimize attempts at infiltration; and find and fix Cybersecurity vulnerabilities that are exposing your business to attack. In the right hands, network visibility is the foundation of the basic components of Cybersecurity—Prevention, Detection, and Response.

Prevention. Cybersecurity vulnerabilities are like loose threads; pull on them long enough (repeated and proliferating cyberattacks) and the cloth will rip (a successful hack), perhaps beyond repair. To reduce the risk of successful attacks, businesses must reduce the Cybersecurity vulnerabilities that expose them to potential breaches. Put another way, the best way to defend against an attack is to stop it before it ever gets through. With the right technology and expertise, you can minimize the attacks that penetrate your firewall in the first place, and hardening your systems against common malware strains and attack vectors is more effective—and cost-effective—than businesses realize. Much of prevention is about routine—daily updates, maintained secure configurations for network devices (think, eliminating open ports to your network, as an example), and vigilantly managing Cybersecurity and software “patches” to eliminate known vulnerabilities (think, updating software applications for your network devices). Some of it also is preventing attackers, insiders (sources of a significant percentage of successful attacks) and outsiders, from operating freely in a business environment that does not incorporate appropriate permissions. Like human viruses, cyberattacks mutate daily, making yesterday’s vaccines (to torture the metaphor) useless, so prevention is a matter of vigilance. By creating and enforcing effective Cybersecurity policies and procedures, threading secure configurations with effective “patch” management, an experienced consultant helps you weave a comprehensive and effective system of prevention.

Detection. Often referred to as Event Management, detection is the identification and assessment of activities in a technical environment (network) through review and analysis of logged system information that is gathered by software. Aggregating system information and providing you with actionable information requires both automation and expertise. Properly configured by trained experts, system monitoring information can be used to trigger alerts or alarms when something unexpected happens on a network—a new or unauthorized device accessing the system, for example. Even the best automated monitoring systems, however, create many false positives and volumes of data that do not actually indicate a breach underway. An experienced security administrator knows how to assess and address such alerts and alarms, separating the harmless chaff from the actionable wheat. The right consultant can analyze aggregated system information and provide the type of situational awareness that solidifies a detection regime. Few IT employees are qualified for, or have the time to perform, this vital work.

Response. Because attack techniques are constantly morphing, even the best Cybersecurity monitoring systems will, on a long enough timeline, fail. When this happens, only a robust response plan can mitigate the risk of legal and reputational liability and loss of vital protected data. Speed is the key to success in heading off significant harm. Poorly defined responsibilities for response and the lack of adequate knowledge to carry out the response measures in a timely fashion are the prime causes of response delay (and likely failure). A robust strategy and plan to respond to myriad forms of Cybersecurity incidents must be executable, efficient and frequently tested. An expert security consultant can review existing response plans (or help you create them, if they do not exist) to fortify your response with a combination of options and controls that allow a rapid response to deny access, quarantine users or devices, block or send users to an outside network, etc. Ideally, your response plan will incorporate both manual and automated responses to improve response time and to minimize the impact of any incident. The ability to rapidly restore a business to its normal operations is paramount, but only after an expert security analyst determines that the remedial measures will hold and the network is secure.

The Flatwater Advantage. Flatwater is a different kind of expert consultancy. The history and experience of our unique, multidisciplinary team include the initial development of Cybersecurity law and of government and private Cybersecurity compliance regimes; the first extensions of the attorney-client privilege to Cybersecurity activities conducted by non-attorney consultants; and the crucial function of “translating” and facilitating discussions between technology experts, Cybersecurity professionals, compliance officers, and internal and outside counsel, and business decisionmakers. Flatwater has based its consultancy on this foundational principle—that lawyers and businesses need translation from the emerging digital languages to the languages of law and business. Without employing frightening and confusing jargon or voluminous (and, without translation, meaningless) technical reports, we provide realistic assessments of Cybersecurity vulnerabilities and risks and create carefully-tailored actionable response plans consistent with a customer’s business needs and budget. Our team employs a singular focus—helping you understand the Cybersecurity posture of your client or business and enhance it to acceptable levels under applicable legal and compliance regimes. Building and executing a reasonable plan is significantly easier and cheaper than most businesses believe, and doing so is quickly becoming a business necessity across all sectors of the economy. From governance and compliance advice; to monitoring of networks and vulnerabilities; to risk assessments and the development of plans with specific and achievable actions and milestones; to transactional Cybersecurity for M&As and other business deals, Flatwater offers consulting services that render the turbulent waters of Cybersecurity navigable.

2019 © Vident Partners.