Big companies are not immune from mistakes. And throwing money at the latest technology is not always the best or most effective solution, says Claudia Rast, Practice Department Chair for the IP, Cyber and Emerging Technology Group for Butzel Long.
Rast believes companies should focus on the “360 of hard and soft solutions”: managing from the top down, implementing training, paying attention, and knowing suppliers and clients or customers.
Security: What is your background? What are your current roles and responsibilities?
Rast: My background has always been focused on science. A Bachelor of Science in Natural Resources from the University of Michigan led to 15 years as an environmental lawyer focused on remediation technologies. This early interest in environmental forensics led to digital forensics in the 1990s and culminated in my practice combining Internet technologies, web-based commerce, privacy, data protection and intellectual property rights. I currently serve as the Practice Department Chair for the IP, Cyber and Emerging Technology Group for Butzel Long, where I lead a team of 14 attorneys.
Security: Often, the focus when trying to prevent data breaches is to buy the latest technology. Why is this not the best solution for companies of all sizes?
Rast: Designing a secure environment for a business demands a thorough knowledge of the entity’s business model and its users’ capabilities. In addition, the IT department for any company must know what the most critical and sensitive company data is and where and how it is stored. These basic understandings are often either ignored or not appreciated. Many IT departments are focused on making sure users are connected to the network and staffing the help desk. The latest and greatest technology will not protect a company if its implementation cannot be properly configured with the company’s underlying infrastructure. This is not a one-size-fits-all environment, and many of the latest technologies require a sophisticated implementation and configuration that is beyond many IT departments. This is not to disparage or criticize IT departments — they are often overwhelmed with their day-to-day operations — it’s just that the implementation of cutting-edge technologies often demands expertise with specialized training.
Security: What should companies be focusing on? Should the primary focus of IT departments be on the perimeter, without much consideration to other “softer” non-hardware vulnerabilities?
Rast: The focus should be on the basics. The perimeter must be strong, but too often, the “soft underbelly” is the users, who are either careless or ignorant when they share their credentials or click on malicious links. Threat actors don’t have to penetrate the secure outer walls of a company if they can get a user to open the door for them. Companies in certain industry groups will find useful updates on threat intelligence from Information Sharing and Analysis Centers (ISACs) that are specific to their industry. The Cybersecurity and Infrastructure Security Agency (CISA), which was established in 2018, also has many valuable and free tools for companies to use. Just go to https://www.cisa.gov/cybersecurity and review the available resources. Finally, there are a number of simple best practices that can and should be implemented as a company’s basic security framework that address both the perimeter and internal operations.
- Implement multifactor authentication (threat actors thrive when MFA is not deployed)
- Mandate Virtual Private Networks (VPNs) for remote access to company networks (critical for a dispersed and/or work-from-home workforce)
- Deploy endpoint detection and response (EDRs will detect and prevent most incidents automatically and do so 24/7/365)
- Implement Incident Response Plans (without a plan, it can be chaos)
- Encrypt confidential and sensitive data both at rest and in transit (encrypted data is useless to threat actors and a non-event under most data breach laws)
- Back up data (encrypted) and secure that backup off-site (with a good backup available, no ransom payment is necessary)
- Turn on logging (you can’t find what you can’t see) and save log files for more than 90 days
- Segment data across IT networks (don’t make it easy for threat actors to crawl across your network)
- Control access credentials to need-to-have individuals (threat actors target IT managers, with the “keys” to the network)
- Implement periodic training for all (training works, and it’s simple to do)
- Purchase a comprehensive cyber insurance policy (and pre-vet your cyber counsel and forensic team)
- Maintain physical security controls (lock your doors and lock up your sensitive equipment)
- Conduct periodic external and internal vulnerability scans (security is not a one-and-done effort and requires constant vigilance)
Security: What are some best practices to avoid a data breach?
Rast: So, implementing the best practices above is not a one-and-done deal. It requires constant monitoring of new and evolving threats (thus, the suggestion to be part of an industry group ISAC) and leadership that walks the talk. One way that our clients have found to help them manage the security monitoring and evolving threat concerns is to retain outside forensic experts to conduct periodic reviews and staged threat assessments to test the company’s defenses and risk assessment experts to provide that needed arms-length assessment of the company’s risk profile. It is also important not only to have a data protection officer as part of the C-suite team, but also for that person to have the chief executive officer or president as a direct report. The cybersecurity budget should not be a line item cost buried in the IT budget, reviewable only by the chief financial officer.
Security: What should employee training include?
Rast: Employee training can be simple — there are many third-party vendors who have training modules that take 5 to 10 minutes to view every month or so. This should be an ongoing process. Again, training — just like the implementation of security measures — is not a one-and-done deal. In addition, conducting at least one annual table-top exercise involving incident response team members is equally important. When a cyber incident does occur, you don’t want your team to fumble through the policy manual trying to determine what they should do. There is also a lessons-learned scenario after a data breach or cyber incident does occur. On these occasions, it is instructive to deconstruct what happened, why it happened, and what measures were needed to prevent a recurrence.