Locking It Down and Keeping Watch: A 2017 Corporate and Law Firm Protection Guide

Anyone who follows business news cannot avoid the flood of high-visibility hacking and IP intrusion and theft stories. The issue has become so ubiquitous that it is no longer shocking to hear that U.S. companies and government agencies suffered a record 1,093 data breaches in 2016 alone, a 40 percent increase over 2015.

On average, the cost of a breach has risen to $4 million per incident, up 29 percent since 2013. Now add state and federal regulations on corporate obligations to report, mitigate and protect against breaches; massive individual and class-action liability; and reputational damage and loss of goodwill, and you have a recipe for disaster.

This article offers a practical guide to locking down and keeping watch over corporate systems and those of outside counsel, along with the mission-critical IP and personally identifiable information (PII) they contain.

Challenging Status Quo

There is no mystery to how hackers obtain nonpublic corporate information these days. If someone wants Company X's data, they attack Company X's network at its easiest points of access and, at the same time, the network of its outside counsel.

The reason is simple: beyond whatever gaps exist in the company's own safeguards, outside counsel typically lag behind industry-standard network and cybersecurity infrastructure and protocols. On any given day, a corporate law firm holds the data of not one but many corporate clients on its network. It is hard to imagine a more target-rich environment for intruders.

Those in doubt need only ask the people at the former Mossack Fonseca law firm, the source of the "Panama Papers" breach. Considered one of the largest data leaks ever, it exposed more than 11.5 million files (2.6 terabytes of data) relating to the offshore shell companies used by some of the most powerful people in the world, including 72 current and former heads of state.

With due deference to the skill of learned outside counsel who structure technology transactions (and who prosecute, defend and litigate their corporate clients' complex rights in those same technologies), law firms themselves often lack the competency to securely manage complex technology infrastructure.

Recognizing this reality, hackers have made outside counsel a prime target for obtaining sensitive data they hold on behalf of corporate clients.

Changing Old Habits

Readily available solutions to computer and network security challenges range from simple changes in user behavior to more detailed, but effective, changes in protocol.

Let's begin with an example: a multinational manufacturer holding sensitive IP and the PII of customers from around the world, with several thousand employees operating from multiple facilities globally. Here the challenge is access to the data. Specifically, how should we treat access to IP and PII across the company?

We think the following are baseline requirements:

  • Employee training: annual training on computer security and email policies, as well as corporate compliance policies on intellectual property.
  • Contractors: vet contractors allowed on site and grant them the minimum site access required.
  • Issue corporate laptops so that network activity can be monitored and controlled.
  • Grant the minimum network access needed, provided through a web interface.
  • Block the use of external computer and laptop ports, including Bluetooth and wireless connections.

Protocol Facelift

A spectrum of steps exists for implementing new protocols to mitigate, reduce and possibly eliminate IP theft, and they are worth exploring.

Recommended IT/Computer policies include:

  • Encrypt all hard drives (full-disk encryption on every laptop, desktop and server).
  • Do not allow remote access (VPN) from anything other than company-provided laptops, tablets or phones.
  • Do not allow access to consumer file-sharing sites such as Dropbox, Google Docs, etc.
  • Expose large back-end IP data stores only through a front-end web application that filters and restricts access; no client should connect to the stores directly.
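The last policy above (a front-end that filters and restricts every request to the back-end IP data stores), together with the bounded log retention this section goes on to recommend, can be shown concretely. The following is an added example written for this page, not the article's own code or any firm's; the store contents, group directory, user names and document IDs are constructed sample data, and the Python names (`Gateway`, `run_demo`, `RETENTION_DAYS`) are assumptions:

```python
"""Front-end gateway that mediates every request to a back-end IP data store.

Added illustration; the store, directory and users below are constructed
sample data, not data from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed back-end store. In production this is a database that only the
# web tier can reach; clients never hold a connection to it.
BACKEND_STORE = {
    "PAT-0001": {"owner_group": "legal", "body": "patent draft (constructed)"},
    "HR-0042": {"owner_group": "hr", "body": "employee PII record (constructed)"},
}

# Constructed directory: which groups each user belongs to.
USER_GROUPS = {
    "alice": {"legal"},
    "bob": {"engineering"},
    "carol": {"hr", "legal"},
}

RETENTION_DAYS = 180  # upper end of the 90-to-180-day window the article recommends


@dataclass
class AuditEvent:
    when: datetime
    user: str
    doc_id: str
    allowed: bool
    reason: str


@dataclass
class Gateway:
    """The only component allowed to touch BACKEND_STORE."""
    audit_log: list = field(default_factory=list)

    def fetch(self, user, doc_id, now=None):
        """Return the document body if `user` may read it, else None.

        Every outcome is logged, denials included, so repeated probing shows up.
        A missing document and a forbidden one both return None, so a caller
        cannot use the gateway to enumerate what exists in the store.
        """
        now = now or datetime.now(timezone.utc)
        groups = USER_GROUPS.get(user)
        if groups is None:
            return self._decide(now, user, doc_id, False, "unknown user")
        record = BACKEND_STORE.get(doc_id)
        if record is None:
            return self._decide(now, user, doc_id, False, "no such document")
        if record["owner_group"] not in groups:
            return self._decide(now, user, doc_id, False, "user not in owner group")
        self._decide(now, user, doc_id, True, "ok")
        return record["body"]

    def _decide(self, when, user, doc_id, allowed, reason):
        self.audit_log.append(AuditEvent(when, user, doc_id, allowed, reason))
        return None

    def denials_by_user(self):
        """Count denied requests per user: the raw material for a probing alert."""
        counts = {}
        for event in self.audit_log:
            if not event.allowed:
                counts[event.user] = counts.get(event.user, 0) + 1
        return counts

    def users_over_denial_threshold(self, threshold=2):
        return sorted(u for u, n in self.denials_by_user().items() if n >= threshold)

    def prune_audit_log(self, now=None):
        """Drop events older than RETENTION_DAYS; return how many were removed."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [e for e in self.audit_log if e.when >= cutoff]
        removed = len(self.audit_log) - len(kept)
        self.audit_log = kept
        return removed


def run_demo():
    """Exercise the gateway on the constructed data and return the observable results."""
    gw = Gateway()
    t0 = datetime(2017, 6, 1, tzinfo=timezone.utc)
    results = {
        "alice_patent": gw.fetch("alice", "PAT-0001", now=t0),
        "bob_patent": gw.fetch("bob", "PAT-0001", now=t0),
        "bob_hr": gw.fetch("bob", "HR-0042", now=t0),
        "mallory_patent": gw.fetch("mallory", "PAT-0001", now=t0),
        "carol_hr": gw.fetch("carol", "HR-0042", now=t0),
        "bob_missing": gw.fetch("bob", "PAT-9999", now=t0),
    }
    results["events_logged"] = len(gw.audit_log)
    results["denials_by_user"] = gw.denials_by_user()
    results["flagged_users"] = gw.users_over_denial_threshold()
    # Inside the retention window nothing is removed; one day past it, all of it is.
    results["pruned_in_window"] = gw.prune_audit_log(now=t0 + timedelta(days=90))
    results["pruned_after_window"] = gw.prune_audit_log(now=t0 + timedelta(days=RETENTION_DAYS + 1))
    results["remaining"] = len(gw.audit_log)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the security point. First, a forbidden document and a nonexistent one look identical to the caller, so the front-end cannot be used as an oracle to map the store. Second, denials are logged alongside successes and summarized per user, which is what turns the audit trail into something an investigator can use within the retention window rather than a record that only grows.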

Next, consider monitoring the following activities, with all logs retained for 90 to 180 days for investigative purposes:
