Minimizing cyber risk through effective governance

Andrea L. D’Ambra, US Head of Technology and US Head of eDiscovery and Information Governance, Norton Rose Fulbright, and Susana Medeiros, Associate at Norton Rose Fulbright

content-image

Andrea L. D’Ambra, US Head of Technology and US Head of eDiscovery and Information Governance, Norton Rose Fulbright, and Susana Medeiros, Associate at Norton Rose Fulbright

Given the rising reputational and monetary costs of the average cyber event globally ($4.35 million) and in the United States ($9.44 million) and the challenges with getting cyber insurance to cover these costs, companies are placing increasing emphasis on minimizing their cyber security risk. Having shepherded many companies through the aftermath of a cyber breach, we have a number of recommendations on how companies can minimize the impact of a cyber event by investing in information governance programs—particularly those with automated disposition and retention components.

Policies and procedures remain essential.

Information governance has been a key tool for managing an organization’s data for decades. Key components of a successful information governance program are implementing (and enforcing) policies, procedures, and training around records retention and, ultimately, the timely disposition of an organization’s documents past their retention period. An effective information governance strategy will make efforts to dispose of information that is no longer needed and is not subject to preservation obligations. Such a program necessarily reduces a company’s cyber risk because a threat actor cannot steal that which no longer exists on the company’s systems.

Beyond the theft and misuse of data beyond its retention period, companies face real regulatory risks today.

Regulators expect companies to implement procedures to minimize sensitive data as part of their cybersecurity program. For instance, the FTC recently fined CafePress $500,000 in connection with their failure to secure consumer Social Security numbers in a 2019 breach, ordering the company to institute an information security program that must include, among other items, implementing policies and procedures “to minimize data collection, storage, and retention, including data deletion or retention policies and procedures.” This mirrors similar fines and enforcement actions by other regulators, such as the New York Attorney General and the French data protection regulator.

However, it is not enough to adopt policies and procedures to address the over-retention of documents. For many years, companies have drafted such policies and perhaps even held yearly housekeeping days where employees are supposed to destroy documents outside their retention period. In our experience, however, little was done to enforce such policies (particularly before the profusion of ransomware events over the last two years), and oftentimes the policies are outright ignored because employees either did not understand them or were too busy with their regular duties to take time to clean out their document repositories. For these reasons, in addition to the automation discussed below, we recommend that companies regularly audit compliance with their information governance policies.

Identify high-risk locations

All data is not made equal. Your efforts to minimize cyber risk should focus on business areas, data systems, and locations that are most likely to present risks to your organization based on regulatory requirements in your jurisdiction and industry, contractual requirements from your customers, and reputational and competitive considerations. This may include locations likely to contain the following:

● Personally Identifiable Information (PII) or Personal Health Information (PHI) of your employees or customers. Such data is subject to state, federal, or even international reporting and notification obligations if accessed or acquired in a security breach.

● Former and older customer or employee data. This can include data that is subject to contractual notification obligations or PII/PHI. This data is particularly risky to hold on to because, if taken, the former employees or former customers are less likely to be understanding and are more likely to file a complaint with a regulator or file a lawsuit in court.

● Trade secret information, including customer lists, source code, or other restricted information. Obviously, the competitive advantage lost when such information is made public can be devastating to a company’s bottom line.

● Information about your cybersecurity program, including information about your cyber insurance coverage. Cybercriminals are smart, and many forensic investigations in which we have been involved have reported threat actors searching for cybersecurity architecture information to better undermine a company’s defenses. They look for insurance coverage to better assess a company’s ability to pay a large ransom (and, of course, this informs the ultimate amount of the ransom demand itself as well as any eventually negotiated settlement).

For the reasons stated above, focusing on these areas in a company’s data security and minimization initiatives will significantly reduce a company’s risk.

Consider legacy data that is no longer needed.

Encourage a dialogue with IT and business stakeholders about soon-to-be retired or legacy systems containing sensitive information and whether these systems can be destroyed rather than archived for an indefinite period. If the data is needed in the short-to-medium term to meet recordkeeping or business continuity requirements as the company transitions to new systems, confirm a timeline for disposition and consider if the data can be taken offline or encrypted as an added security measure.

Identifying high-risk data sources, limiting permissions, and implementing automating deletion, where feasible, will decrease a company’s overall cyber risk in meaningful ways.


Implement automated deletion where possible

Information that does not exist cannot be stolen.

Companies can significantly reduce the risk that sensitive data is affected in a cyber event by limiting the amount of data it holds beyond retention. Implementing automatic deletion in locations where company records are not maintained ensures that stale data is regularly purged. Consider implementing automatic deletion in personal storage spaces and communications systems like email, personal sandboxes (e.g., user drives, OneDrive), collaborative communication platforms, and other instant messaging tools, which are often junk drawers for loose, unstructured information that is not easily searched or assessed for sensitivity. Proper employee training will also have the added benefit of encouraging employees to move company records out of email and personal sandboxes and store them in the appropriate systems where such records are required to be stored. Of course, companies must still consider whether there are regulatory or legal obligations to retain these types of communications and ensure they can move swiftly to suspend auto-deletion when and where required.

Limit the spread – Minimize unnecessary copies of highly sensitive information

Limiting the unchecked spread of sensitive information limits the potential impact of a cyber event. Companies must retain all kinds of records to satisfy recordkeeping obligations and business needs, but generally, only one copy of a record is needed to comply. Many times records are stored in systems (like a company’s HR database or contract management system) and so downloading, sharing, or otherwise copying materials outside of those systems should be minimized, and employees should be encouraged to dispose of any copies as soon as their need for the document ends.

Employees should similarly be trained and instructed to limit sharing of sensitive information over email and messaging platforms (e.g., Teams, Slack) or to share in an unencrypted form when provided outside the company’s systems.

Placing limits on the average employee’s ability to access or download sensitive information also reduces the risk that information will spread across your organization unchecked. A common issue we see in cyber events is that even when a key enterprise system is not impacted, employees may have historically downloaded reports from these systems and stored the reports in unstructured locations. To minimize unnecessary downloads of sensitive information, consider implementing permissions that limit download and print capabilities to a narrow class of employees or trigger a warning reminding employees that they are downloading sensitive materials that should either be deleted when their task is complete or password protected in its final form.

Conclusion

While the steps identified above will not prevent a cyber incident from occurring at your organization, they can limit the damage caused by such an event (and the attendant risk to the company’s overall viability) by focusing on the key governance strategies that protect and minimize high-risk data in your organization. The easier and less burdensome a company can make compliance with its information governance policies, the more likely it is that employees will adhere to these requirements. Thus, identifying high-risk data sources, limiting permissions, and implementing automated deletion, where feasible, will decrease a company’s overall cyber risk in meaningful ways.



Featured Vendors