This morning we kicked off the Association of Corporate Counsel's annual Cybersecurity Summit by moderating a panel on Employee Training.
Our experts discussed training programs, network design, and what to do with limited resources and big threats.
Below are some key takeways and quotes, but it doesn't do justice to the ground that was covered. At the bottom of this article you'll find links to the panelists if you would like to continue the conversation.
The hour-long discussion generated lots of good insights, including:
"Normally what we find is the user is the weakest link. I would say in 95% of ransomware attacks we see, the hackers utilize user credentials and weak passwords and the user did not have MFA, which could have prevented the attack. You want to make yourself the hardest target by using things like MFA, complex passwords, and following policies and procedures."
- Billy Evans
"An incident can be really traumatizing, but in a surprising number of cases you get resistance [about implementing more stringent security measures], usually from senior leadership. They'll say 'oh, that will be really inconvenient for people, we'll just train them better.' You can lead a horse to water, but you can't make it turn on MFA."
- Jena Valdetero
"I think many of these comments go to the pace of work. People don't even stop to think 'why would my boss ask me to buy 10 gift cards?' And that's human behavior, which is hard to train."
- Amy Yeung
"Tech staff should be doing system monitoring and have backups that are tested. Because if you haven't tested the backups, you don't actually have backups. For users, you have to tell your IT staff is something happens. Don't hide it because you think you'll get in trouble or you think can fix it... Pick up the phone and call your IT team right that second."
- George Lyle
"We did an audit one time and looked at all the passwords and the CEO's password was 'cat.' You have to have buy-in from the top."
- Billy Evans
"When you have a finite budget, training is important but technical measures is where you should focus your resources."
- Jena Valdetero
"Set expiration dates, or at least a reminder, on network access for your vendors. We all have vendors that come in for one-time or consulting work, but access continues even after the work is done. Set it so that it has to be an intentional affirmation that they should continue to have access."
- Amy Yeung
"We try to remove humans from the equation. So one of the ways we do that is role-based access. If someone doesn't need access to it, they don't have it. And if they ask for access and can't produce a good business case for it, the answer is 'no.'"
- George Lyle
The importance of a proactive plan for an cyber incident response cannot be overstated.
Insurance providers, consultants, IT forensics firms, outside counsel, and eDiscovery vendors are all commonly engaged. For example, at Proteus our data breach response service focuses primarily on analyzing compromised databases and developing required disclosure programs.
A small team of complementary experts can be the difference between a frustrating hiccup and a disaster for a firm's reputation and bottom line. If you have questions about your firm's response plans, let me know. We can help.