Lessons from the Experts on Addressing Digital Age Threats

What are the common gateways to cyberattacks? What are the risks associated with the Internet of Things (IoT)? What steps can organizations take to address personal cloud applications and other digital age threats?

These were just a few of the key questions that a panel of legal technology experts considered during the Relativity Fest 2016 session entitled The New IG Playbook for Addressing Threats from Personal Clouds, Cyber Attacks, and the IoT. Joining me for the discussion were Judy Selby, managing director of technology advisory services for BDO Consulting; Darin Sands, who chairs the Privacy and Data Security and eDiscovery Practice Groups at Lane Powell PC; and Donald Billings, manager of litigation and practice support at Sidley Austin.

In response to these and other key questions, the speakers provided practical guidance, much of which is reflected in the New Information Governance Playbook for Addressing Digital Age Threats. As first discussed in a recent post published on the Relativity Blog, the following are three lessons from the session.

Lesson #1: Information security should be a collaborative discipline.

Through the lens of a hypothetical company, the panel addressed the growing need for organizations to strengthen their security measures as part of their overall information governance (IG) plan. The consensus was that businesses, regardless of the nature of their enterprise, should explore holistic strategies for securing their corporate network and proprietary information.

Information security should not be isolated within the legal or information technology departments. Instead, security professionals, business units, and company executives should be jointly involved to ensure that a culture of security is established in the business. IT experts must be in place to manage the technical side of security and in-house counsel should offer guidance on the regulatory and legal implications of strong (or weak) information security. Beyond these traditional IG stakeholders, key business leaders should also be involved to ensure security measures adequately address the needs of their respective business units and teams. Once this collaborative process is established, a company can then move forward with developing appropriate security measures.

“Information security is not just an IT problem. The collaboration needs to go beyond IT and legal teams to holistically address cybersecurity.” – Judy Selby, managing director of technology advisory services, BDO

Lesson #2: Address IoT-related cyber risks.

Those security measures are particularly important given the increasing prevalence of cyberattacks. With more data, more devices, and more technological developments, there are many gateways that cyber criminals and malicious insiders can exploit. Those gateways range from email and smartphones to the IoT and external messaging and collaboration tools.

Among these, the IoT presents particularly acute cyber risks to organizations. That IoT threats have moved beyond the realm of science fiction is evidenced by the massive attack this fall on security cameras and digital video recorders. That IoT attack disabled French web hosting provider OVH and US security researcher Brian Krebs by flooding their networks with webpage requests and other data.

IoT deployments aggregate data from heterogeneous networks into central repositories for analysis. Corporate teams should therefore build strong security measures into those repositories. Done well, the IoT can pay off significantly: businesses currently generate more than $613 billion of profits annually from IoT devices.

“A big IoT risk is that you can take down an entire enterprise network with one breach.” – Don Billings, manager of litigation and practice support, Sidley Austin

Lesson #3: Don’t underestimate the risks of personal cloud applications.

Cloud applications are becoming increasingly common in the business world. This is particularly the case with consumer-grade clouds, which have proliferated in the workplace given their storage, software, and collaboration capabilities. Employees, however, frequently use cloud applications either in the absence of a specific policy or in violation of one. While shadow cloud use can certainly cause mischief, organizations that have designed a “bring your own cloud” (BYOC) policy may be begging for trouble.

The panel unanimously agreed that BYOC policies are difficult to audit and enforce. Even when company-sanctioned personal cloud applications are used, organizations may be unable to monitor what data employees are storing in these applications. Equally troubling, organizations may not even know what data has been removed. All of this can leave a gaping hole in the company’s security plan.

“With BYOC policies, you don’t have control over data when employees leave.” – Darin Sands, shareholder and chair of the Data Security and eDiscovery Practice Groups, Lane Powell PC

IG Tips for Success

With digital age threats increasing faster than ever before, how can organizations keep their information security policies and procedures current? The panel touched on several important IG practices that organizations should consider.

  1. Save time during a crisis with proper data mapping. It is important for enterprises to understand what data they generate, receive, and store. A current and accurate data map is essential after a breach or attack for an effective incident response. This practice can also enable companies to assert greater control over proprietary data and help them move toward developing reasonable information retention goals.
  2. Mitigate damage from an attack by proactively building a defensive plan. It is essential that organizations prepare for cyberattacks. The organization should consider retaining a consultant to assess security vulnerabilities before an attack. In addition, outside counsel and other experts should be engaged to help develop an incident response plan. This can mitigate resulting harm and provide the organization with a voice for addressing any issues.
  3. Develop an IoT security plan. Organizations can prepare for the 6.4 billion IoT devices that will be connected by the end of 2016 by creating concept of operations (CONOPs) documentation. This flexible governance tool should provide IoT stakeholders with a roadmap for installation, integration, and ongoing auditing of connected devices.
  4. Strengthen everyday security by carefully managing employee use of clouds and devices. No matter what policies have been implemented, it is essential that enterprises undertake an employee education program regarding the use of personal clouds, smartphones, and other devices. Audit, enforcement, and verification measures must then be deployed to ensure that proprietary data is not removed from the corporate network, particularly upon termination of an employee.

Philip Favro
Philip Favro acts as a trusted advisor to organizations and law firms on issues surrounding discovery and information governance. Phil provides guidance on data preservation practices, litigation holds, data collection strategies, and ESI search methodologies. In addition, he offers direction to organizations on records retention policies and the need to manage dynamic sources of information found on smartphones, cloud applications, and social networks. Phil is available to serve as a special master on issues related to electronic discovery. Phil is a nationally recognized thought leader and legal scholar on issues relating to the discovery process. His articles have been published in leading industry publications and academic journals and he is frequently in demand as a speaker for eDiscovery education programs. Phil is a member of the Utah and California bars. He actively contributes to Working Group 1 of The Sedona Conference where he leads drafting teams and serves as the Steering Committee project manager. Prior to joining Driven, Phil practiced law in Northern California where he advised a variety of clients regarding business disputes and complex discovery issues. He also served as a Judge Pro Tempore for the Santa Clara County Superior Court based in Santa Clara, California.