New Wave of Cyber Threats Challenges In-House Legal Departments

Oct. 10, 2023, 8:00 AM UTC

Between remote work and the widespread adoption of cloud infrastructure over on-premise platforms, companies are quickly moving to easier, more efficient ways of working. That shift tends to open up a host of new security vulnerabilities, and with them new cybersecurity threats, for organizations of all sizes.

As these threats emerge, there are three big themes every in-house counsel in this space should consider.

Regulatory Landscape

Given recent incidents such as the widespread SolarWinds hack, we’ve seen that disruptions in the digital space can create significant consequences, monetary loss, and reputational damage. Regulatory bodies have stepped in to oversee the use of cloud infrastructure and various consumer and commercial platforms, with critical infrastructure subject to additional, elevated security protocols.

These regimes go above and beyond the General Data Protection Regulation in many instances. India’s Computer Emergency Response Team, known as CERT-In, for example, mandates reporting of incidents and outages within as little as six hours of becoming aware of them.

Companies should be asking themselves: what industry am I in, what regulations is my industry subject to, and how will the regulatory landscape for my industry look in the next five years?

Proper planning, including some foresight on where the regulatory landscape is headed, will help IT and technology platforms decide in what direction to grow and where to make investments. It also serves as the “why” that helps teams justify allocating and spending resources to meet the legal requirements for continuing to provide services to customers globally.

‘Bug Bounties’

A bug bounty is essentially a reward paid to ethical hackers or security professionals who discover flaws and vulnerabilities in a company’s services and report them to the organization.

Although most major companies have a bug bounty program, this remains a highly effective but underused aspect of crowdsourced security that could be part of any company’s vulnerability management plan.

Being tapped into the security community in a way that allows information on service vulnerabilities to flow in can strengthen internal teams and keep them up to date on the latest threats. Depending on your resources and the type of service being offered, having a public alias or contact form is often helpful for anonymous reports as well.

Social Engineering

Long gone are the days when people peered over other people’s shoulders for their passwords and usernames. Today, social engineering is sophisticated and rampant.

Anyone in your organization may receive an email from their “IT” department asking them to resolve a bug, or an interactive e-card congratulating them on their five-year anniversary with the company. All it takes is one click.

While the best security protocols can regularly sweep your systems for anomalies, even a few minutes can be too late if the underlying infrastructure has any vulnerability to be exploited. This means the front-line defense for every company should be proper security protocol training, including social engineering awareness, for all employees with any access to company resources.

Security is everyone’s problem when so much information is available online in professional directories that can be used to build connections and fool even the most careful individual. Ensuring you have training, a process, and some kind of internal reporting mechanism will make everyone your eyes and ears on the ground and expand the perimeter of your internal security program.

Other Considerations

When running a lean organization with resource constraints, many companies have to make tradeoffs on where to invest people and resources.

Some nice-to-haves, once your organization has covered the above, are vendor contract management, including your organization’s auditing capabilities, and annual processes that review the vendors and third parties who manage your platforms or data. The weakest link becomes the most vulnerable spot for any service if the underlying components themselves contain vulnerabilities.

Make sure your vendors and third parties who manage data truly do what they say they do. Ask to see copies of their certifications and craft good auditing language in your contracts, with appropriate liabilities and timely notifications of their incidents. This will help protect your organization in the event of a security incident.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Lorrie Ma is a product, privacy, and security in-house counsel for Google, LLC. She works with engineering and the business to align goals and create legal strategies to achieve innovation amid a changing cybersecurity landscape.
