Questions every general counsel, executive, and board member should ask about cybersecurity
General counsels, executives, boards of directors, and other risk managers are discussing IT risk at a level that we may not have seen since the Y2K crisis of the late 1990s. The topic of cybersecurity is dominating legal trainings and conferences around the country with titles like, “What to do When You Get Hacked” and “How to Respond to a Cyberattack.” These trainings generally start with the assumption that a network security breach has occurred. For a legal training, this makes sense, because a breach is the point at which lawyers generally get involved in cybersecurity. However, I am sure that many general counsels would like to understand why these attacks have become so prevalent and are so hard to stop. More importantly, they would like to understand what puts their networks at risk.
During my relatively short tenure as the Chief Legal Officer of Zscaler, I have been lucky to watch many of our brilliant people develop solutions to help secure networks. While my understanding of what they do and how they do it is fairly rudimentary, I have developed a better understanding of some of the questions that should be asked in order to understand the risks associated with any organization’s network security.
I think that an inquiry must start with, “What is my network?” Long gone are the days when a corporate network was part of the infrastructure of a physical building or campus, resembling your plumbing or electrical systems. The modern corporate network is an amorphous collection of hardware, software, and services spread across multiple locations and often operated by personnel outside your organization. Your network today may include traditional hardware (routers, servers, and company computers), Internet of Things (IoT) devices (thermostats, printers, copiers, security cameras, and even coffee machines), employee-owned devices (mobile phones and tablets), outsourced network services (Amazon Web Services), internal software applications (internally hosted CRM products and databases), company-approved and purchased SaaS solutions (NetSuite and Salesforce), and “shadow IT” applications (non-company–approved SaaS offerings, such as personal email).
After you understand what makes up your network, the next question is, “Who is using my network?” The nebulous and complex modern network is accessed by a wide variety of users, including employees, contractors, customers, suppliers, and visitors. Many of these users may access your network from a variety of locations. They are also accessing both your internal corporate infrastructure and your outsourced network services and SaaS applications.
A final basic question is, “What are the risks we are facing?” Just as IT infrastructure has changed, so too has the threat landscape. In addition to sophisticated hackers who seek to disrupt your business for political purposes or to embarrass your organization, many malicious actors are simply looking for a quick payout. While companies continue to fall victim to sophisticated attacks, many more are being hit with cheap, off-the-shelf malware that requires no coding or special expertise. These attacks may seek to steal credit card numbers or information that can be used for identity theft. Organizations are also falling victim to “ransomware” attacks, in which malicious software shuts down a computer or device until a payment is made.
After you have answered the three threshold questions of “What is my network,” “Who is using my network,” and “What are our risks,” you can start to ask more specific questions, such as the following:
- How is user access to applications and data managed?
- Who determines who has access to our network?
- Are employees blocked from accessing potentially dangerous websites?
- Is network security consistent across all company locations?
- How is our networking equipment kept up to date?
- Are mobile employees protected when they access internal applications or SaaS products from their homes, airports, coffee shops, shared workspaces, etc.?
- Do employees know how to spot phishing and more targeted spear phishing attacks?
- How many attacks does the company experience each day/week/month and how many are successfully blocked?
After asking these questions and understanding the answers, you will be in a much better position to ask the most important question of all: “What resources does IT need to improve security, and how can we support the IT team?”
Having a plan for and taking the proper actions after a breach is critical, but it is no longer enough. By understanding what makes up our network, who is using it, and the risks we face, general counsels can partner effectively with and support IT teams to better protect the data and assets of our organizations.