Many programmers and engineers possess a natural distrust of attorneys. Nonetheless, when it comes to protecting their organization's data, the attorney and the security engineer can be natural allies because of their mutual interests and similar ways of thinking.
Both want to reduce the organization's attack (or liability) surface while doing what they can to mitigate damages should something go awry. Both are paranoid about people out to get them (or, at least, get their employers). And both hold Murphy's Law as a universal truth.
Moreover, the company lawyers, whether in-house or outside counsel, have greater influence and responsibility when it comes to crafting and ensuring the enforcement of company policy. Accordingly, they are arguably the next-to-last lines of preventative defense against ransomware -- before the user himself or herself.
Below are but three things security-minded organizations can learn from -- and do with -- their legal counsel to better protect organizational data.
Plan for everything with compulsive pessimism
Good lawyers (and those inclined or destined to be good lawyers) are great "What if...?" askers -- particularly because asking "What if...?" is the very essence of effective law practice. At least one study has shown that law practice is the sole profession in the world in which pessimists generally enjoy greater career successthan do optimists. Of course, this study was conducted before the field of cybersecurity had taken off to the extent it has today. Lawyers know that just about anything can happen; so too do good cybersecurity workers. The partnership between the two roles should be natural -- and the two can work well together on meaningful data-protection compliance, tabletop exercises, and handling data-breach crises after the fact.
CISOs and InfoSec workers, therefore, are well advised to welcome teaming up with in-house counsel to construct and enforce exhaustive -- yet meaningful -- policies, procedures and solutions for data-protection training, emergency planning, disaster recovery, breach tracking and notification, and other cybersecurity issues.
No policy unenforced
If there's a policy, for heaven's sakes, follow and enforceit!
This may seem obvious, but consider the impact of social engineering. Every year, Social-Engineer, hosts a Social-Engineer Capture the Flag Contest (SECTF), in which contestants compete to obtain as much sensitive information as they can from a selection of major enterprise companies by way of social engineering. The results are often celebratory for the contestants while embarrassing for the targeted companies.
"The companies who happened to do well did so accidentally or out of ignorance in [that] they either couldn't answer the question or didn't know how, so the call shut down," said Michele Fincher, Social-Engineer.org's COO, after the 2013 SECTF -- in which tech giant Apple scored abysmally. "Very few [employees] said, 'I am not allowed to give out this information.' "
This kind of policy-enforcement failure can lead -- and, in the case of Apple, as well as others, has led -- to headline-grabbing data breaches, such as the kind Wired writer Mat Honan suffered in 2012 (the year before Apple was targeted in the SECTF). That year, hackers seized control over all of Honan's major online accounts by using social engineering to exploit mutually unsecure policy flaws at Amazon and Apple respectively -- despite not knowing the answers to Honan's security questions or other key information that only he would know. Had the company lawyers -- or HR people or other leaders with lawyer-like minds -- enforced their organizations' putatively strict policies for customer-service password resets, Honan's hack might never have happened.
Ditto when it comes to NSA employees -- approximately two dozen of whom reportedly may have voluntarily given their password credentials to leaker-to-be Edward Snowden when he simply asked for them.
Don't reuse; don't recycle
One of the biggest threats to information security is password reuse. When a breached organization's compromised user credentials are the same as the those of the employees at your own enterprise, you become all the more vulnerable -- particularly as word across the news and passwords spread across the DarkNet.
It's happened before. Last time, I wrote about how password recycling led to a major security breach at restaurant-finding service Zomato. The 2014 security breach of DropBox, meanwhile, provides a more notorious (albeit less recent) example; the cloud storage company blamed the hack on their users' password reuse across multiple services along with their own DropBox accounts.
This is where the lawyer-drafted company handbook can help -- particularly in conjunction with proper employee training.
"I wish passwords weren't reusable," lamented Patrick Hynds, Founder and President of New Hampshire-based cybersecurity consultancy DTS, in a keynote he delivered at last year's meeting of the Boston chapter of the National Information Security Group (NAISG). "So we have a format that I've used for the last 20 years, which is that in the employee handbook in every company that I've had any power over has a page -- and a brief that goes with it -- that says, 'The password you use on our network belongs to us. If you use it anywhere else and we find out, you're fired.' "
That stick, granted, is heavy indeed -- but it need never come to that. Recently, security researcher Troy Hunt released a database of 320 million compromised passwords that can be used for preventing reuse of known passwords.
In any case, strict enforceability to the point of actual employment termination is not the point; nurturing a culture of security is.
"We've never fired anybody [over it and] we probably never will," continued Hynds, "but it gets it in their head that this is not a game. It's important."
— Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine.