Law Firms Advising Companies on Pre- and Post-Breach Plans Need to be Well-Versed in Executive and Board Member Cybersecurity
by Dr. Chris Pierson, CIPP/G; CIPP/US
Economic and social prominence has always elevated the risk profile for individuals. But in today’s era of a single, digital identity, there has never been a more dangerous time to be a prominent executive or board member. Cybersecurity and privacy practice groups within law firms need to understand how risks are evolving every day.
The proof is everywhere we look. Security researchers recently released information on the first advanced persistent threat (APT) dedicated specifically to corporate espionage, RedCurl APT. A new kind of phishing by phone, “vishing,” was used to execute the Twitter hack that took over the accounts of people like Bill Gates, Elon Musk, Jeff Bezos and Joe Biden. A recent breach at a prominent “A” list law firm revealed embarrassing details about scores of celebrities.
Law firms advising clients on cybersecurity issues need to understand how company risks are changing. Increasingly, how well a company is prepared for, and responds to, a cyber breach impacts how the company is viewed. Is the company a victim, or is it complicit in the attack through negligence? Corporations need specialized legal counsel both pre- and post-breach, implementing updated scenarios and personnel policies. These policies need to focus on attacks on executives, not just within the four walls of the enterprise. External counsel can provide critical guidance on proactive steps companies can take to lessen these threats and help guide proper responses when breaches occur.
Understanding How the Risk to the Executive Is a Risk to the Company
This focus on the individual has important ramifications for corporate security. The corporate executive is used to being in the crosshairs – of investors, the media, competitors. Now cybercriminals are targeting their personal space. With executives increasingly working remotely (often from home), they are the soft underbelly that enables attackers to breach the enterprise and secure the “crown jewels” – customer and product data as well as important intellectual property.
The vulnerabilities of working from home are sobering and illustrate why a new understanding of corporate security must be embraced. Here are some findings BlackCloak has seen onboarding clients:
- 39% have malware on their devices, or their homes are wide open to the Internet
- 69% of households have a password compromised and in plain text on the Dark Web
- 75% have improper privacy settings on their devices
- 87% are without basic cybersecurity on their mobile devices
How You Can Advise Your Clients on the Risk
Corporations are starting to realize these vulnerabilities. But they need assistance in formulating new pre-breach and post-breach practices and policies. There are multiple reasons for this. For one, privacy laws make it dangerous for companies to know too much about the private lives of their executives, making legal advice necessary. Another reason is the complexity of cybersecurity laws, with issues like civil breach litigation, corporate governance and cyber insurance constantly evolving.
As trusted advisors, cybersecurity and privacy practice groups can bring these issues to light with their clients. Then, they may recommend a third-party solution to protect the corporate executives while maintaining the executives’ privacy. It’s often easier for third-party partners to secure and protect executives in their personal lives for two reasons: 1) they are focused on and specialize in just that, and 2) it relieves the CIO or CISO of the burden on internal resources. The extremely busy CIO or CISO worries about the efficient use of cyber/IT resources and wishes this could just be taken off his or her plate and provided as a service to the executives, much like healthcare or life insurance.
There is no separation between personal and work lives anymore. An individual’s work and private profiles have been integrated into one single digital identity. It’s easier and faster for cyber criminals to attack executives where they live, and corporations need help from external counsel to secure this soft underbelly.
Privacy professionals need to understand the home is the new battleground for cybersecurity. The more they educate and advise their clients on how to prepare and respond, the more corporate security will be strengthened.
To learn more about how we can help your Cybersecurity & Privacy Practice Group educate themselves and their clients, please request a meeting with a BlackCloak representative.
Or, join us on September 22, 2020 when we speak alongside IAPP about “Breaching the C-Suite: Attack Patterns, Mitigations, and Legal Issues.”