[BreachExchange] The cyber threat

[Audrey McNeil]

http://www.legalbusinessonline.com/features/cyber-threat/72390

As the world increasingly embraces cutting-edge technology and hastens its
expansion into the digital realm, individuals and institutions alike are
more exposed than ever to cybersecurity threats. The aftermath of cyber
attacks are often messy, and can cause great financial – and arguably more
importantly – reputational damage, transforming cybersecurity into a major
business risk in 2015. And this is only likely to continue into 2016 and
beyond.

“2015 was considered the year of the data breach,” says Nimrod Kozlovski, a
partner and cybersecurity specialist at Herzog Fox & Neeman (HFN), a
full-service law firm based in Tel Aviv, Israel. “One of the clearest
trends is that cybersecurity is no longer the exclusive concern for
governments and critical infrastructure organisations, but rather for each
and every company that holds personal data of customers or sensitive data
of the business. Nowadays, it is possible to penetrate the systems of every
company that is connected to the Internet, not only by directly attacking
the company, but also through the company’s point-of-sales and third-party
vendors,” he adds.

The lion’s share of cybersecurity incidents (about 50 percent) are
malicious and criminal attacks, in which an organisation’s customer data is
stolen and then sold, says Kozlovski, citing the recent security breaches
of Target and Wyndham Hotels where tens of millions of personal and
financial information of customers were illegally accessed. “In some cases,
the company and its customers were extorted following the cyber attack.
Some of these attacks – and this is a growing and very disturbing recent
trend – include using ‘ransomware,’ which is a type of malware that
restricts access to the computer system that it infects until the company
pays the attacker the required ransom, usually in digital and anonymous
currency,” he says.

THE NEED FOR SPEED

Furthermore, research shows that the average time it takes for an
organisation to find out about a cyber breach is almost seven months, and
it takes about two and a half additional months until the completion of the
response to such event, says Gilad Majerowicz, a technology and
intellectual property partner, and co-head of the Asia practice at HFN.
This is a worrying statistic as speed is often a pivotal factor in
responding effectively to cyber breaches. The challenge is exacerbated by
the increasing cross-border nature of cybersecurity incidents, causing
further headaches for governments and businesses.

“Most of the cybersecurity work we handle has a cross-border element,
especially in cases of extortion or ransomware,” notes Kozlovski. “The
attacker knows it is almost impossible to identify them, and even if they
could be identified, in many cases they are located in one of the many
jurisdictions in which there are no specific cyber-crime laws or
cooperation with other governments,” he adds.

“Like many aspects of the information age, the cybersecurity threat does
not respect geographic boundaries or country specific legal regimes,” says
Scott Thiel, a partner at DLA Piper in Hong Kong. “Typically, our analysis
of data flows and storage architecture with our clients’ businesses reveals
surprises about the geographic scope of their operations. Understanding
this complexity is the first step in starting to mitigate the risks.
Informed decisions about rationalisation, localisation and contractual risk
transfer can then be taken,” says Thiel.

For his part, Majerowicz says that many cyber experts argue that there is
no single technical solution that would prevent the risk, and therefore
cybersecurity is becoming more of a legal and corporate governance issue.
“We should look at it in the same way as ongoing compliance actions are
taken. Proper preparation must include an entire range of compliance
actions, which address all applicable aspects that include incident
management and response policy, user education, training and awareness,
management and policies concerning user privileges, home and mobile working
and removable media controls, service providers’ due diligence, malware and
breach protection, ongoing monitoring and intelligence, secure
configuration and network security policy and cybersecurity insurance,” he
says.

LAGGING BEHIND

This is especially important in Asia, where companies are nearly twice as
likely to be targeted as companies elsewhere, according to data from a
survey by U.S. network security company FireEye in 2014. “It is vital that
companies seek to protect themselves, and develop internal processes and
protocols to ensure that where possible cybersecurity is secure,” says
Thiel.

Meanwhile, several jurisdictions in Asia have made positive strides towards
combating cybersecurity threats. In 2015, Indonesia and Singapore each
introduced cyber agencies, while Japan enacted the Cyber Security Basic
Act. “There are numerous discussions, guidelines, and legislation drafts in
many countries around the world, says Ariel Yosefi, head of the adtech and
technology compliance practice at HFN. “However, the problem is that no
jurisdiction has yet reached a point where it has one exhaustive regulatory
framework that addresses all applicable issues,” he says.

“The countries in Asia have different perspectives on cybersecurity, and I
believe Asia needs a comprehensive framework, with information sharing and
a joint security approach where you can share data and investigate matters.
I think that coordinated approach is still missing in Asia,” says
Kozlovski.

PARADIGM SHIFT

Kozlovski adds that the need for governments and companies to change their
way of tackling cybersecurity issues is due to a paradigm shift resulting
from the prevalence in cloud computing and “bring your own device”
concepts, as well as the way in which IT systems are now being created and
interconnected.

Furthermore, Majerowicz stresses that as the threat, challenges and
potential risk varies between organisations, solutions to tackle
cybersecurity issues must be tailor made. “It is essential to build a
coherent and overall compliance policy, which includes the corporate
governance procedures and policies, together with all other technical,
security and financial solutions, and assist the company with the ongoing
implementation and updating of this compliance cycle,” advises Majerowicz.

The role of the in-house counsel is becoming more important than ever in
safeguarding the business, as well as implementing suitable policies and
procedures to minimise the legal, economic and reputational risks arising
from internal threats. “The internal threats are too easily overlooked.
While the foreign malicious hacker easily springs to mind, it can be the
rogue or untrained employees who represent a major risk factor,” says DLA
Piper’s Thiel. “Another internal challenge our client’s face is identifying
appropriate internal ownership of the issue. In our experience, relevant
stakeholders need to include risk, legal, compliance, IT, HR and finance
all being supported by C-Suite level engagement and investment,” he says.

There is definitely a growing interest among corporate executives in
investing in proper training for employees and to examine how to manage and
address cybersecurity risks, both internal and external, says Kozlovski.
“Until recently, in many cases cybersecurity issues used to be a technical
matter handled by the company’s technical team. Now the board of directors
and management at large corporates increasingly want to understand this
risk, ensure that there is a detailed procedure in place to analyse and
mitigate this risk, and make sure that someone is accountable for managing
this risk within the organisation.”

AN ANALYTICAL APPROACH

As companies become increasingly embroiled in cross-border commercial
disputes, modern technology and analytics are coming to their rescue by
helping them resolve disputes in a timely and cost-effective manner, finds
Kanishk Verghese

Technology is both the cause of and solution to how we approach today’s
disputes and investigations, says Karen Chon, director of business
development at FTI Consulting. “We are observing a greater number of
corporations replacing corporate IT infrastructure with cloud- based
services and we are working with a far more mobile yet connected workforce.
It’s very well known that data volumes have been increasing for many years,
but the diversity among data formats is also growing rapidly,” says Chon.
As a response, technology itself is enabling a deeper understanding of the
matter at a much faster rate, which in turn allows organisations to develop
better strategies for handling today’s evolving corporate data landscape,
she adds.

And this is where analytics technology takes centre stage. While the use of
analytics in disputes is by no means a new phenomenon, service providers
like FTI Consulting are fashioning cutting-edge solutions that can help
mitigate risk, unearth information speedily, and reduce legal costs at the
same time. FTI’s two software platforms, Radiance and Ringtail, serve as
great examples. “Radiance is a great tool for what we refer to as
‘prediscovery’. If you have massive amounts of data stored across various
repositories, from Exchange servers to cloud-based collaboration tools,
Radiance can connect with these applications, enrich the data, and provide
powerful and dynamic analytics to key in on important data quickly,” says
Michael Mo, managing director at FTI Consulting in Hong Kong. “If the
investigation progresses to a legal matter that follows the traditional
process of review, redaction, coding, productions, and so forth, we offer
Ringtail software. Ringtail provides the most comprehensive set of legal
review and analytics features so that legal teams can quickly find, review
and produce documents for a matter,” adds Mo.

However, some legal technology solutions have led some in the industry to
voice concerns over the security of client data and other sensitive
information, particularly in relation to cloud-stored data. For his part,
Mo says that over the past three years, he has seen the industry grow more
accepting of cloud-based technology for legal matters. “Recent and
well-publicised data breaches, whether targeting retail companies or
government organisations, have taught us that data stored on-premise and
behind the firewall is not necessarily safer than data in the cloud. In
many cases, the cloud is perhaps more secure because cloud providers are
thinking about data security 24/7,” he says. That said, for clients that
are worried about data security in the cloud, FTI can provide a security
assessment of their current data environment as well as develop and
implement a data security framework that helps an organisation protect its
most valuable IP, from employee health records to customer credit card
data, notes Mo.

Nonetheless, as the volume and variety of business data continues to grow
at a rapid rate, legal teams are under mounting pressure to collect and
understand data as fast as possible. While companies and their in-house
teams in the U.S. and UK are embracing new technology and analytics
solutions to more effectively handle disputes cases, some have argued that
the legal industry in Asia has been slow to catch on to this trend.

While Asia is a few years behind North America and Europe when it comes to
the use of legal technology in disputes and investigations, clients are
gradually adopting the use of tools – such as analytics technology and
predictive coding (or technology-assisted review) – that have been used in
those jurisdictions for a while, claims Mo. “With business data growing at
its current speed and more complex global disputes and investigations
impacting the region, legal teams will feel more pressure to incorporate
such technology to do more with less,” he says. “As we see more – and
larger – cross-border disputes and investigations impacting many companies
in Asia, clients have begun to realise and understand that the use of this
technology can significantly reduce cost and generate efficiency.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160519/4c462d53/attachment.html>