What are the common gateways to cyberattacks? What are the risks associated with the Internet of Things (IoT)? What steps can organizations take to address personal cloud applications and other digital age threats?
These were just a few of the key questions that a panel of legal technology experts considered during the Relativity Fest 2016 session entitled The New IG Playbook for Addressing Threats from Personal Clouds, Cyber Attacks, and the IoT. Joining me for the discussion were Judy Selby, managing director of technology advisory services for BDO Consulting; Darin Sands, who chairs the Privacy and Data Security and eDiscovery Practice Groups at Lane Powell PC; and Donald Billings, manager of litigation and practice support at Sidley Austin.
In response to these and other key questions, the speakers provided practical guidance, much of which is reflected in the New Information Governance Playbook for Addressing Digital Age Threats. As first discussed in a recent post published on the Relativity Blog, the following are three lessons from the session.
Lesson #1: Information security should be a collaborative discipline.
Through the lens of a hypothetical company, the panel addressed the growing need for organizations to strengthen their security measures as part of their overall information governance (IG) plan. The consensus was that businesses, regardless of the nature of their enterprise, should explore holistic strategies for securing their corporate network and proprietary information.
Information security should not be isolated within the legal or information technology departments. Instead, security professionals, business units, and company executives should be jointly involved to ensure that a culture of security is established in the business. IT experts must be in place to manage the technical side of security and in-house counsel should offer guidance on the regulatory and legal implications of strong (or weak) information security. Beyond these traditional IG stakeholders, key business leaders should also be involved to ensure security measures adequately address the needs of their respective business units and teams. Once this collaborative process is established, a company can then move forward with developing appropriate security measures.
“Information security is not just an IT problem. The collaboration needs to go beyond IT and legal teams to holistically address cybersecurity.” – Judy Selby, managing director of technology advisory services, BDO
Lesson #2: Address IoT-related cyber risks.
Those security measures are particularly important given the increasing prevalence of cyberattacks. With more data, devices, and technological developments, there are any number of gateways that cyber criminals and malicious insiders can exploit. Those gateways range from email and smartphones to the IoT and external messaging and collaboration tools.
Among these, the IoT presents particularly acute cyber risks to organizations. That IoT threats have moved beyond the realm of science fiction was demonstrated this fall by the massive distributed denial-of-service (DDoS) attacks launched from a botnet of compromised consumer security cameras and digital video recorders (the Mirai botnet). Those attacks knocked French web hosting provider OVH and the website of US security researcher Brian Krebs offline by flooding their networks with webpage requests and other junk traffic. The cameras and recorders were not the victims; they were the weapons, recruited because they sat exposed on the Internet with factory-default credentials.
IoT deployments aggregate data from many heterogeneous devices and networks into central repositories for analysis. Those repositories concentrate both value and risk, so corporate teams should build strong security measures into them from the start rather than bolting them on later. Done well, the IoT can pay off significantly: businesses currently generate more than $613 billion of profits annually from IoT devices.
“A big IoT risk is that you can take down an entire enterprise network with one breach.” – Don Billings, manager of litigation and practice support, Sidley Austin
Lesson #3: Don’t underestimate the risks of personal cloud applications.
Cloud applications are becoming increasingly common in the business world, and consumer-grade clouds in particular have proliferated in the workplace because of their storage, software, and collaboration capabilities. Employees, however, frequently use cloud applications either in the absence of any policy or in violation of a policy that prohibits them. While such shadow cloud use can certainly cause mischief, organizations that have formally adopted a “bring your own cloud” (BYOC) policy may be begging for trouble.
The panel unanimously agreed that BYOC policies are difficult to audit and enforce. Even when only company-sanctioned personal cloud applications are used, organizations may be unable to monitor what data employees are storing in them. Equally troubling, organizations may not even know what data has been removed from the corporate environment, or whether it remains accessible after an employee departs. All of this can leave a gaping hole in the company’s security plan.
“With BYOC policies, you don’t have control over data when employees leave.” – Darin Sands, shareholder and chair of the Data Security and eDiscovery Practice Groups, Lane Powell PC
IG Tips for Success
With digital age threats increasing faster than ever before, how can organizations keep their information security policies and procedures current? The panel touched on several important IG practices that organizations should consider.