Cybersecurity – how can an organisation protect itself?

When it comes to cybersecurity, it is not a question of ‘if’ but ‘when’ a cyberattack will happen. So how can an organisation best protect itself? On 21 June 2016, the ³ÉÈËÓ°Òô In-house Advisory Board met to discuss the challenges of cybersecurity and the role of education and communication in helping to prepare against a threat.

The session, facilitated by Marc Dautlich, partner in the TMT group and Head of the Information Law team at Pinsent Masons, opened with an exploration of how cybersecurity attacks range in scale and how that affects an organisation’s response. It is crucial to be able to deal with any attack in such a way that financial and reputational damage is kept to a minimum.

Education and communication

The Board members discussed the importance of running simulations and awareness campaigns to educate employees as the first line of defence. Such initiatives help the organisation prepare as much as possible for a cyberattack, and can include, for example, sending fake phishing emails to ascertain employees’ responses. Can they detect a threat? Do they know what to do and who to report it to?

Privilege

Organisations often commission a report to fully understand a cyberattack. The Board considered whether the cloak of legal privilege should be thrown over such commissioned reports in terms of their vulnerability to future disclosure to third parties. Privilege is a huge issue and needs to be considered early on. This can be a problem as the underlying facts and extent of an incident aren’t always known in the very early stages.

Preparing for a cyberattack

Many elements of a response plan can be pre-prepared. The main recommendation discussed by the Board was to run simulations for the executive response team. Knowing what to expect and how people react allows an organisation to formulate more effective communication and reporting processes. In many cases, a cyberattack involves an organisation’s supply chain and it is important to understand the implications of this. It is one of the most vulnerable channels and presents significant risks.

Public relations

PR responses can be written in advance, but there still needs to be a response plan to deal with situations as they develop. It was recommended that organisations consider the question ‘What do you want your customers to do in response to notification of the problem?’. Is there an action they should take (for example, change their password) or is it the case that they just need to be informed?

It is possible to make a much more credible PR statement if the organisation can show that it had not been careless and had taken the appropriate precautions (eg by ensuring it has a compliant culture, the right policies and training).

Conclusions

The overwhelming takeaway from the Advisory Board meeting was that organisations can never rehearse or prepare too much for a cyberattack. The most important measures to set in place include:

  • Identifying key stakeholders
  • Identifying an overall decision maker/lead
  • Creating a risk register
  • Ascertaining legal liability of third parties (for breach of contract and/or negligence)
  • Making time to assess the situation and your organisation’s response
  • Being custodians of reputation.

About the author:

Sophie is Head of Learning & Development at F-LEX Legal, an award-winning legal tech startup helping law firms and organisations manage a flexible workforce and supporting lawyers to make smarter life/work choices.

As part of her portfolio career Sophie runs various learning and development and networking forums for in-house lawyers and mentors junior lawyers.  These include Flying Solo for small and solo legal teams and Aspire for junior in-house lawyers which she runs for ³ÉÈËÓ°Òô UK.  She also works with schools and organisations to promote social mobility within the legal profession, working with The Social Mobility Business Partnership and Aspiring Solicitors. 

She trained as a lawyer in the City and worked as an in-house lawyer for 10 years including as Head of Legal for Virgin Radio and Ginger Media Group.  

Outside of work she is happily married with three sons and enjoys morning walks along the beach with her two dogs.