This is not the year of cybersecurity as some might suggest. It is the year of cyber-resilience. This is a matter for employment lawyers to understand as a core part of their employment litigation risk management role.
In this somewhat longer piece, I will cover:
- Cyber-Resiliency: Definition
- The Cyber-Resiliency Imperative In General
- The Cyber-Resiliency Imperative For Employers
- Cyber-Resiliency in Practice
Cyber-resilience is the ability of an organization to continue doing its work – serving customers, keeping colleagues working– in the face of ongoing or even successful cyberattacks/data breaches.
Consultants Booz Allen Hamilton describe resiliency as follows:
Traditional cyber defense strategies, such as firewalls and intrusion-detection systems, are no longer enough. Cyber attacks are now so numerous and sophisticated that many will inevitably get through. That means organizations must have cyber resilience – the ability to operate in the face of persistent attacks. Resilience enables the government to continue to provide services to the public, and industry to continue to serve employees and customers while fending off or reacting to cyber attacks.
Simply, responsible employers are realizing that their systems will be subject to attack, and, despite best (even reasonable) efforts, many employers will find their systems penetrated. Every business is susceptible, especially from the activities of insiders (intentional or not).
The Cyber-Resiliency Imperative (In General)
Admiral Michael Rogers, who has the twin titles of National Security Agency Director and U.S. Cyber Command Commander, argued for the centrality of cyber-resilience to any adequate cybersecurity plan. Enterprises should
…not only focus on trying to ensure that no one gets into [y]our systems, but quite frankly… assume that someone will. And the question becomes, how are you going to operate and remediate at the same time? That’s resiliency to me, the ability to do both simultaneously.
[It is really worth the time to read Admiral Rogers’ speech, which can be found here].
The Cyber-Resiliency Imperative (For Employers)
The recent Sony attack demonstrates the significant concern that an enterprise as an employer must have this area. According to the New York Times and others:
- At the very start of the attacks, Sony’s technicians seriously discussed taking the company offline.
- When employees arrived at work, they were confronted with disturbing images on their screens, placed by the hackers.
- In response to the employee’s discovery, “Sony shut down all computer systems shortly thereafter, including those in overseas offices, leaving the company in the digital dark ages: no voice mail, no corporate email, no production systems.”
- “A handful of old BlackBerrys, located in a storage room in the…basement, were given to executives.”
- Using “hastily arranged phone trees,” text messaging became a key mode of communication.
- “Administrators hauled out old machines that allowed them to cut physical payroll checks in lieu of electronic direct deposit.”
According to KrebsOnSecurity:
According to multiple sources, the intruders … stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information.
Indeed, sometimes employee data is the primary subject of an attack. Back to Krebs:
The scammers in charge of [a] scheme [Krebs uncovered] have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.
Sony is facing a number of suits from employees relating to what they believe is Sony’s failure to protect their private information. And the litigation exposure that appears to have narrowly avoided – cutting checks for payroll, for one instance – is a great lesson.
Accordingly, just as employment lawyers need to have an active role in cybersecurity planning, they need to have an active role in cyber-resiliency planning as well.
Cyber-Resiliency in Practice
While I will write a more complete piece on this topic, here are some initial thoughts on building a resiliency plan. The one overarching point is that this is a matter that management has to take seriously. Accordingly, cyber-resiliency has a significant organizational politics component to it (as do all risk management and mitigation efforts).
According to Symantec [.pdf]:
The process can be best thought of as a framework with five pillars: prepare/identify, protect, detect, respond, and recover. Using this framework, you can evaluate each pillar of your organization’s cyber security strategy.
Symantec further notes that
When a breach occurs, the only way to proactively and effectively minimize its damage is to have the necessary detection and response policies, processes, and technologies in place.
- Know what data you have, where it is, what is important, who are its stakeholders, what the consequences of loss would be.
- This requires that management (not just IT) has situational awareness about the state of the network, its equipment, its vulnerabilities and about the various consequences of particular data sets being stolen. This is part-and-parcel of a solid data governance plan.
- Create a system for monitoring the evolving threat, data and stakeholder environment. Threats, people and data pools change rapidly and so your plan needs the ability to adapt and grow with the organization.
- Know your redundancies. Can your organization cut payroll checks manually? Can your organization reach key decision makers in a crisis if mobile devices are off-line? Cyber-resiliency should be seen as a core part of your whole business continuity program (and if you do not have a BC program, it is time to ask why).
- To the extent possible, resiliency and the ability to remediate damage should be a part of the procurement and development system. It should also be a part of your network development strategy.
- Prioritize key vulnerabilities and highest risk areas and structure a security plan around them first. Again, this is not a decision for IT alone – it is a highest-level management-level problem.
- Security is as much about process as it is about anything else. Simple solutions are often not done because there is no process to ensure they are done:
– Work to segregate networks to prevent more universal damage once an attacker is inside (in my opinion, there is no reason why an exploit that attacked Sony’s development system was also a gateway to their Human Resources systems).
– Ensure anti-virus software is uninstalled, used and is up-to-date (It cannot stop everything, but it is certainly a start).
– Use available patches to patch your vulnerabilities. There is no excuse not to.
- Ensure systems are in place for early detection of intrusions and detecting their progress or operation. Says expert Jon-Louis Heimer:
Some of these breaches had been in process for quite some time. Initial system compromises sometimes occurring months before the breach became a known threat. Some of these breaches had been reported by malware and IDS systems but ignored.
- Simply, early detection means significantly lower costs in the event a breach does happen.
- Have a response plan. While every security-related possibility cannot be anticipated, a detailed playbook with management buy-in can make a critical difference. At the very least, it keeps the initial decision-making in management’s hands, rather than at the technical level. Such a plan is a key part of a data security efforts.
- In forming those plans, determine who needs to be in the decisional loop, when are they brought in and by whom? This involves analyzing the whole range of stakeholders and deciding where and when they are to be brought in.
- Have a plan to call law enforcement. It sounds simple, but deciding when to bring in the authorities can be quite complicated in an organization, especially when the organization is highly stressed.
- With plans in place, the pathway to recovery is underway before an attack begins or matures.
- Have agreements with relevant vendors, etc., to ensure you can take immediate steps in a cost-effective manner.
- Build relationships with people in the remediation space. Knowing how to reach your insurer, outside legal counsel, equipment providers, etc. and having them know who you are is a key to rapid response. The same holds true with law enforcement. Knowing who to call – and having them know you – may be critical.
Back to Admiral Rogers on security breaches: “That is not a discussion that I want to wait until game day, as it were, to suddenly start to have. Hey, I’m here to help fill in the blanks.”
More on this topic in the future.