Awareness of cyber risk is increasingly catching the attention of boards of directors and senior executives. For Electronic Transaction Consultants (ETC), cybersecurity has been a top risk priority for a long time. As a leading provider of smart mobility solutions, including electronic tolling solutions, we manage back-office systems and roadside systems for many prominent state tollways. That means we are dealing with personally identifiable information, payment data and a range of other sensitive data that we need to keep secure.
Regardless of the sector a business operates in, I would argue that cybersecurity is now a primary risk. The frequency of attacks and the aggressiveness and skill of the threat actors perpetrating them has grown exponentially. Threat actors are hitting ever larger targets, and the widespread use of cryptocurrency has aided the ability of threat actors to obtain money. In the absence of national or global legislation that restricts the ability of companies to pay ransom, threat actors will always be able to find an opportunity. But it is worth remembering that most of this crime is opportunistic. From the threat actors’ perspective, cybercrime is a business – potentially a very lucrative one. For general counsel, reducing these opportunities is essential.
It behooves any GC to understand what protections they have in place and to test whether they are adequate in the current threat environment. Lawyers may not feel cutout for this, but their ability to spot gaps in a defence strategy – even if only at a conceptual level – is often hugely important. Fortunately, many of the most effective steps an organisation can take do not rely on a high degree of technical familiarity with IT systems.
There are steps that organisations can take to enhance their cybersecurity regime, including using Endpoint Protection, implementing remote monitoring, tracking and remediation. Updating remote access protection, installing virtual firewalls and multi-factor authorisation are all very important as well. Of course, you don’t want to stop your company doing business, so even with things like multi-factor authentication you need to think about how often it is required and whether it needs to cover every device or network.
In a hybrid or work-from-home environment this is especially important. Again, there are simple tools that can make a big difference. Office 365 Advanced Threat Protection helps to detect and block potentially malicious files from entering document libraries or team sites, or locking the file and preventing anyone from accessing it once it’s been identified as malicious. Also, these files are included in a list of quarantined items, so members of the security team can download, release, report or delete them from the system.
The other element that GCs must keep in mind is training, whether for their own team or the organisation more broadly. First, regular training is essential. If you only train once a year [the message] loses its impact and offers minimal protection. The form of the training is also important, and it pays to get creative. There are services available that do mock attacks with a fake phishing email sent around, and then if someone clicks on the link in error, they must take a remediation course and will ideally not make the same mistake again.
Of course, even the best protections and training cannot prevent a cyber incident from occurring, and having a robust response plan is essential to any cyber risk framework. A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry, and you should have a cyber response committee within the company. Everyone on this should know they’re on the team and know exactly what to do when an attack occurs. That response plan should be periodically tested in a mock attack, so it becomes part of the team’s muscle memory.
Cyber rigor, like any other part of a company’s overhead, can be seen as a non-essential cost. It is not. If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. A cyber incident is already an event requiring an 8k event form be filled out within three days, but it is increasingly becoming a potentially catastrophic reputational risk.
Ask yourself: Do you want this on the front page of the Wall Street Journal, New York Times or the Washington Post? Do you want to have to answer to your board of directors, or to the securities regulators or to the investors or to the general public? If not, then taking the risk seriously now is the best defence.