In episode two of this two-part series, host Charles Volkert, executive director of Robert Half Legal, and industry experts, Thomas Barnett, Rocco Grillo and Joel Wuesthoff, discuss the key components of a comprehensive cybersecurity plan, how companies can determine their readiness, and what many organizations ignore or overlook with data security management.
Listen to part one of the program here.
Thomas Barnett, Special Counsel, eDiscovery and Data Science, Paul Hastings http://www.paulhastings.com/professionals/details/tombarnett
Rocco Grillo, Managing Director, Global Leader, IR & Forensics Investigations, Cybersecurity & Privacy Services, Protiviti http://www.protiviti.com/en-US/Pages/Professional-Bio-Rocco-Grillo.aspx
Joel Wuesthoff, Esq., senior director, consulting solutions, Robert Half Legal http://www.roberthalf.com/legal/client-services/ediscovery-services/team/our-leadership-team/joel-wuesthoff-esq
Charles Volkert, Esq., executive director, Robert Half Legal http://www.roberthalf.com/legal/client-services/ediscovery-services/team/our-leadership-team/charles-a-volkert-iii-esq
Advertiser: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession relating to hiring, staff management, and more. With leading experts in the field, Robert Half Legal provides lawyers, paralegals and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.
Charles Volkert: Welcome back to part 2 of our cybersecurity discussion on the Robert Half Legal Report. With us today are Thomas Barnett, Rocco Grillo, and Joel Wuesthoff. Rocco, what are some of the key factors to be addressed in a comprehensive security plan?
Rocco Grillo: I think one of the first pieces we talked about is preparation, but also having that repeatable process or framework. We go into an investigation and are searching for the unknown, that proverbial needle in a haystack. And further to that, a lot of times companies may identify the particular issue and they’re quick to get into containment mode. While containment is important and we want to isolate the problem and in many instances separate it from the rest of the network itself so we can resume normal business operations, that key piece before containment is identification. We need to know what has happened. Almost in the sense of police officers, recreate the crime scene. We need to identify what happened. We may identify a particular area of compromise, and if we focus on that and isolate that particular area and don’t have the full picture of what’s occurred, we may overlook some critical factors. And while we may be addressing a particular compromise, there may be other factors; that may be a diversion. And the attacker may be in a different part of the environment in stealth mode, harvesting and gathering data, unknown to the company itself. And as the attention is focused on the obvious, the overall compromise or attack is still ongoing. So it’s critical that we identify what’s going on holistically. From there, the eradication process, further to recovery. When is the breach over? When can we resume normal business operation? And as I mentioned earlier, lessons learned. As much as we want to get past this and get back to our normal business operation, there’s a lot of lessons learned there, a lot of critical information that we’ve identified. And as I said earlier, things that went well, and as much as we want to say everything went well in our response, there are areas we need to improve on, and we need to take advantage of that.
So I think that process, from end to end, from being prepared to containing the issue, to recovery and all the way to lessons learned, is the key to an overall comprehensive incident response plan.
Joel Wuesthoff: And I’ll just add, one of the things I think all of us come across are key stakeholders within the enterprise, within the corporation, who have so much knowledge about an institution and how things are done but fail to document those because they just don’t have the time or for other reasons. And I think the key part of having a comprehensive documented security plan is to reduce the outliers, reduce all the information being stored in someone’s brain, particularly when that person leaves. A few things we mentioned before: we talked about the inventory of the information system, where data is located, where your systems are, where all the controls and permissions are and what they are. A need-to-know basis; most clients are familiar with that concept in general. It’s important to keep data systems updated with the most current software patches and antivirus software. My question, or one of our questions, may be what does that mean and how quickly do you have to patch your systems, so what’s a reasonable response in that regard. And the last two or three: strong encryption protocols for stored data, including in the cloud, and data that’s transmitted over wired or wireless systems. And then finally, to have an incident response and recovery plan that is tested. We talked a little bit about teams and testing those teams on a regular basis to make sure that an organization is not just document ready, but reality ready and proactive and able to handle something on a 24/7, 365 days a year basis.
Rocco Grillo: Joel, one other piece to add, off the stakeholder and testing theme: I think the theme we’ve heard about is preparation, but also the awareness of the plan. Because in a lot of instances, we can have the most mature plan in the world. But at the same time, if one, the stakeholders aren’t aware, and two, the end users aren’t aware. There are instances where an end user may be in a situation where someone may be trying to get information out of them through a social engineering tactic. While the employee may stop the person or thwart that effort, they need to know who to call or have points of escalation, so that if that should happen to an employee, they know that there’s a process in place and someone they should contact. Because in many instances, if they turn that attacker away, nine times out of ten, the attacker may go and try to hit up another employee to see whether or not they’re going to give out the information. We had a couple of other situations where the effectiveness of the plan from an escalation standpoint was taken into account. The security organization, or even the IT organization, responded effectively to the breach. But executive management, while they were stakeholders, weren’t aware of their responsibilities. So it’s not just about "I’m on board and I know that we have a plan." They need to know what their role is. Another situation a company had, where they came and had us take a look from a post-mortem standpoint, is that the operations team responded effectively to the plan from an operational standpoint or a technical standpoint. But it took the organization days until senior management was notified about what happened. As much as the IT organization responded effectively, think of the impact on notification, especially to external parties, if senior management or executive management or legal, for that matter, wasn’t made aware until days later. So again, different pieces that need to be taken into account.
Not only the stakeholders being involved, but at the same time the awareness component that comes into play. And really, it ultimately comes down to preparation, which comes through a repeatable process that’s continuously tested.
Thomas Barnett: One point I’d like to emphasize that Rocco and Joel both hinted at, that I think is very critical with respect to the role of outside counsel, is communication. Rocco just mentioned communication within the organization. Obviously, extremely crucial, and that can have legal ramifications as well. One of the very important aspects that needs to be integrated into the plan is the external communication approach. Who talks for the company? Who can speak on behalf of the company? What can they say? How is it decided what level of disclosure is required by law? What is appropriate? What makes sense? We’ve had cases where people and companies are so alarmed and so worried about the bad press they may be getting that they quickly want to jump out there and say things are under control, they’re better, they’re solved. That may be the case, but it may not be the case, and you can get into even more trouble by making pronouncements that the issue is over when it’s not over. It can hurt the reputation and have all sorts of legal implications. So I think the communication plan, who notifies whom and when, who speaks for the company, and what the process is for determining the actual status so that the communications are meaningful and also crafted in such a way that protects the company, is a very, very critical aspect of any plan.
Charles Volkert: Great information. And when we think about the integral part of security management planning, could you outline, all of you maybe chime in here, but maybe Rocco kick us off, could you outline some of the actions to take when breaches occur? Can you discuss some of the key components that should be included in an effective incident response and recovery plan?
Rocco Grillo: I think the first piece we’ve heard throughout is communication and points of escalation, which ultimately involve the appropriate stakeholders. But going back to it, I think one of the earlier questions we asked is how do we know for sure if we’ve been compromised, or what should we do if we’ve been compromised. We want to recreate the crime scene or the scene of the compromise. And to that end, it starts with technology, but it’s also process. One of the first things we ask for are the logs. Companies need to monitor who’s going in and out of their network, who’s accessing their data. And again, as much as various individuals are permitted, if we see an anomaly in the logs, obviously we’ve identified an issue. Once we identify the issue, then we go into the repeatable process that I mentioned earlier and carry this through step by step to containment, to isolate it and remove the compromise from our environment and put protections in place to prevent either the hacker from coming back, or at the same time preventing, as best we can, the same issue from occurring again. And from there, go through the steps I mentioned earlier: what went well, what didn’t go so well, and it’s an ongoing process. Unfortunately, it’s not one of those issues that we put to rest and we’re all set. Unfortunately, for compromised entities that we see, in a lot of instances the victim of compromise now has the big antlers, and there are a lot of instances where the same attackers or other attackers will come back and try to commit the same attack again. So again, it’s ongoing due diligence to prevent this from happening again.
Charles Volkert: That’s great. Anything to add from Joel or Tom or did that list cover it?
Joel Wuesthoff: Absolutely, I just think it obviously has to be extended. We’re increasingly seeing the same type of scrutiny of our services and our process and our information infrastructure from large financial banks, hospitals, healthcare-type institutions and law firms, where they’re asking us to submit similar documentation. The chain of data flow isn’t broken at any particular point. So those are the same issues, and oftentimes the same feed or adjacent; we see the clients making those a priority.
Rocco Grillo: I think another key piece that we want to consider in this, especially from the legal standpoint, is public disclosure. That is something that really needs all the stakeholders to weigh in on. Because one, from an IT perspective, we want to know facts. What did we actually lose? Do we need to disclose publicly? And in many instances, we’ve seen companies disclose too soon. And it’s not to say that we withhold information, but at the same time, get the facts and report on this from a factual standpoint. All too often, a company may disclose that we’ve had X amount of data compromised or X amount of records compromised, only to come back days or weeks later having to report that the compromise is much larger. So again, as much as we want to do the right thing, we need to make sure factually we’re correct with the information we’re disclosing.
Thomas Barnett: One other component of that, which I wholeheartedly agree with and think is especially important in the legal department and the outside counsel area, is that the things that are said really need to be scrutinized because they can have an effect in legal proceedings, whether they’re civil lawsuits, potentially shareholder suits, customer class actions, or governmental actions, regulatory enforcement or criminal enforcement. So how you say things and what you say needs to be highly thought out and scrutinized. Obviously, everybody wants to be disclosing and say what’s going on, and Rocco made great points about knowing where you’re really at before you talk. But there also are significant legal ramifications for what you say, how you say it and when you say it that need to be considered in conjunction with legal.
Charles Volkert: Thanks to each of you for that great content. Let’s go ahead and take a quick break before we resume.
Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings, and improve the overall management of human resources. We offer a wide range of resources to assist hiring managers and job candidates, including our annual salary guide, industry-leading workplace research, and valuable interactive tools. For more information, call us at (800) 870-8367, or visit RobertHalfLegal.com
Charles Volkert: Welcome back to the Robert Half Legal Report. With us today are Tom Barnett, Rocco Grillo, and Joel Wuesthoff, talking about data breaches and cybersecurity. Slightly switching gears, how can companies determine their readiness to withstand a cyber attack? I know each of you has touched on it, but is there a short list that you all could give us to help with that?
Rocco Grillo: Sure. I think one of the first pieces is having a response plan, and as much as we have a plan to respond, the repeatable process, how mature is it and do we have the right stakeholders involved? A lot of that starts with the tone at the top and having governance around it. This isn’t just an IT or security issue. It is an enterprise and risk management issue, it is a business issue. We’ve seen some of the high profile breaches in the media or in the newspapers that point out the impact of this, and it immediately becomes a business issue, becomes a reputational issue. To your question itself, how can we understand how ready we are? Well, for starters, there are a lot of different frameworks that help us build security governance and help establish that tone at the top. But back to a lot of the pieces that we’ve spoken through in this overall discussion, preparation is key. Having that plan in place goes hand in hand with being prepared, but also testing. I said earlier, we’re never going to have a crystal ball to predict the future, but we can play out different scenarios from a risk standpoint. What’s the likelihood that a particular attack or a particular compromise may occur at our company? And carrying that out through simulated exercises, tabletop exercises, gives us a sense of what would happen if we were compromised, and it helps companies prepare to respond to the breach.
Thomas Barnett: I want to expand on something Rocco said that I think is very interesting and important: the difference between threat and risk. Almost anything is a risk. There’s a risk if you walk outside that you could get struck by lightning. But that doesn’t mean you want to expend a bunch of resources to make sure that doesn’t happen, because the actual threat level is fairly low. So I think it’s important for companies to really assess what are their actual threats, what’s the level and the ranking of the actual threats they have, versus just the generic catalogue of every possible risk. And that goes to what kind of company they are, what kind of information they have; different companies have different types of information that might be sought after. There’s a certain level of risk that everyone needs to worry about, and certainly we’ve talked about some of that. But I also think it’s important for companies to understand what kind of information they have, who’s likely to want it, and what they can do to protect it. Because you can’t protect against every single risk equally. You need to prioritize them and devote your resources and time and energy to the ones that you determine are really the biggest threats.
Joel Wuesthoff: And I don’t know if this has come up in the context of our discussion, but it certainly bears repeating that there are standards in the marketplace. There’s the cybersecurity framework, there are ISO standards, there’s SSAE 16 70; they all go to Tom’s point. They’re not one size fits all, and you do have to do the heavy lifting; it’s adjusting and aligning your particular threat profile, your litigation profile, your exposure, your scope, your width to the threat assessments out there, and making a call. So those do exist, but most of them do contain many of the things we addressed today, and it’s up to the decision makers and the internal counsel, outside counsel and the rest of the C-suite and IT staff to do a thorough evaluation and build a case for proceeding in one direction or another.
Charles Volkert: And Joel, as a follow-up to that, based on your experience, what do legal organizations tend to ignore or overlook when it comes to security management?
Joel Wuesthoff: Certainly with respect to legal organizations, I think that there’s been a historic tendency to ignore or overlook the importance of security management when it comes to their own operations. Tom’s mentioned a number of those issues, as has Rocco. It may be a cultural gap, but I think that gap is closing, where law firms are not early adopters or tech heavy. So I think law firms like Paul Hastings are taking steps to make sure that they’re looking both at the client risk and their own risk and third-party risk as they relate to security management. So I think that’s where we’ve seen more of a holistic and personnel lack of emphasis historically, which I think is changing fairly rapidly. And I think it’s important to note certain statistics that are in the marketplace: something like one in three companies surveyed by Protiviti’s IT study indicated that they don’t have a written information security policy. 40% of surveyed participants said that their organizations don’t have a data encryption policy. And one in four companies noted that they don’t have an acceptable use or records retention and destruction policy. And Tom mentioned earlier that one of the key decision makers and influencers in these discussions is records managers. So you have a number of different developments in the marketplace, breaches, et cetera. Yet we still find a fair amount of companies that are not taking what I think all of us here would consider to be reasonable, prudent, and I would say necessary policy and documentation steps, but also taking that documentation and making sure that it’s operationalized and repeatable, as Rocco was emphasizing.
Thomas Barnett: One area that’s embedded in what Joel just said, that I think is an important area worth calling out, is the aspect of ediscovery or subpoena compliance in the context of a lawsuit or an investigation or governmental subpoena. It’s a situation where you often have highly critical, highly sensitive, confidential information that’s part of the company, which they are then transferring to the law firm, who will transfer it to an outside vendor, and then it could be reviewed by contract attorneys. There are a lot of handoffs going on, and many times when data’s moving around like that, it’s a very important situation you need to look at closely. And sometimes there’s so much emphasis on cost savings and negotiating the rates with ediscovery vendors, let’s say, that I think sometimes the security aspects of that can be overlooked a little bit. So I think it’s very important to understand these risky areas of data transfers of information, with lots of different people getting their hands on it, having it go through many transformations. That’s an area that could bear more attention, and that’s something we certainly do at Paul Hastings. We have very stringent security requirements and testing that we do with our third-party vendors. The challenge comes in sometimes when the clients have their own list and they may or may not have gone through that level of security testing and auditing with their providers.
Charles Volkert: That’s great and thanks to all of you. Before we wrap up, what kind of advice would you give senior counsel that you may be addressing regarding some of these potential pitfalls and risks? And maybe we’d start with you, Tom.
Thomas Barnett: When we think about the high level advice and what we want people to think about and take away, it is that achieving a high level of security and an effective security plan and process is not essentially a matter of getting a checklist and checking it off. It’s really an ongoing process that needs to be developed, educated throughout the organization, refreshed and updated. Keep in mind that there are different changes happening in the outside world as far as the different threats and risks. And really, it’s an ongoing business process and exercise, not something that can just be put in place and walked away from. Rocco’s talked a lot about testing; that’s extremely important. Practicing, updating, figuring out who are the right people to understand and be involved in the process. And really making it something that crosses many, many different lines within the company, not just legal and IT, which are considered some of the more obvious ones.
Charles Volkert: Excellent advice, Tom, thank you very much. Rocco?
Rocco Grillo: Sure. There’s a handful of things that we could put out there, Chad, a lot of them we’ve covered already. But to that end, to wrap up: being aware, and that starts with that top-down approach. Not just the executive management, not just IT or legal, but everyone from end to end. Being proactive and ultimately being prepared. This is a continuous process. Continuous due diligence, and from a preparation standpoint, continue to test and refine areas of improvement. Another area is, and I think we’ve talked about this throughout the presentation, partnering. There are multiple stakeholders. This isn’t a time for someone to shoulder it all on their own, whether they’re trying to do it on their own or at the same time being the hero or the firefighter. Ask for help, both internally with stakeholders as well as externally. There are a lot of threat intelligence organizations. There are a lot of proactive organizations that provide information from a threat intelligence standpoint. At the same time, work with your peers. Again, in many instances, while attackers may target a particular company or industry, if it’s affecting one company or one industry, there’s a good chance that they’re going to target other companies in the same industry. So to that end, I think a combination of all of these is essential in responding to breaches.
Charles Volkert: Thank you, Rocco. And Joel?
Joel Wuesthoff: I would certainly endorse Rocco and Tom’s comments. I think I’d just add or reinforce that this is such a fast-moving industry and the impact is so enormous that there needs to be knowledge management and acquisition. Obviously not just at the senior level, but at the user level: ongoing reinforcement of the importance of security and privacy, and putting in place at an employee level the tools and the knowledge that they need to have. And secondly, at the senior level, make sure that there is a senior-level person with oversight over this particular space, who has the sufficient expertise to know what needs to be done, has the authority to implement it, and can then enforce the plan that the team develops and hold whoever is accountable for the information security program to its practice. I think that’s what we’re seeing in the marketplace, as these positions tend to become more critical to the organization’s success and risk management.
Charles Volkert: Thanks, Joel. Well, we’ve reached the end of our program. Special thanks to Tom Barnett, Rocco Grillo and Joel Wuesthoff for joining us today and providing their expertise and insights. Before we close, I want to let the audience know how they can contact each of you. Tom, could you provide the listening audience with your email address?
Thomas Barnett: Sure, thanks Chad. So it’s [email protected].
Charles Volkert: Great. And Rocco?
Rocco Grillo: Sure, thanks, Chad. It’s [email protected]
Charles Volkert: Thanks, Rocco. And Joel?
Joel Wuesthoff: Sure. My email is [email protected].
Charles Volkert: Again, thanks to each of you. And our listeners can reach me at [email protected]. I’d also like to mention a few professional privacy and security associations that offer educational resources, information, and best practices to help firms and companies better manage security risks. The first is the International Association of Privacy Professionals, the IAPP. The second is the Information Systems Security Association, or ISSA. And the third is the ABA’s Privacy and Information Security Committee, and the ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals. You also can visit RobertHalfLegal.com to learn more about our legal consulting solutions. Download our research and subscribe to our legal blog for weekly updates on the legal job market and other important industry developments. Thanks for listening today, and join us next time on the Robert Half Legal Report as we cover another great topic impacting legal management and legal careers.
Advertiser: The views expressed by the participants of this program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Thanks for listening to this podcast. Robert Half Legal connects the most highly skilled candidates with the best positions in the legal profession. Join us again for the latest information in the latest edition of the Robert Half Legal Report, here on the Legal Talk Network.
[End of Transcript]