Far too many cybersecurity professionals are in the unenviable position of often being the one person in the company continually forecasting imminent doom. But it turns out that another important constituency is also starting to share those concerns.
A new survey of 200 general counsels and in-house lawyers conducted by ALM Intelligence on behalf of the law firm Morrison & Foerster finds that 65 percent of the respondents now recognize privacy and security as being a major challenge. However, over a third (36%) said their companies have no crisis management plan in place and only three percent said their companies were “well prepared” to handle a crisis.
Almost a quarter of the general counsels (24%) admitted their organizations were hit by ransomware in the last year, which may account for why cybersecurity is now being viewed as a more pressing issue. Those types of attacks often result in organizations having to notify various regulatory bodies and customers that personally identifiable information (PII) has been compromised. Once that occurs, it’s usually the legal team that gets tasked with managing that process.
Given the prevalence of ransomware attacks, it’s clear that lawyers are now viewing cybersecurity as more than just a theoretical threat. What remains to be seen is to what degree those concerns will result in increased budget allocations for cybersecurity. Lawyers have a way of insisting that all known threats to the business be documented. Once cybersecurity makes that list it’s usually not too long before the board of directors starts asking about what’s being done to mitigate that threat. After all, the primary reason the board exists is to assess risks to the business. Most of those board members, of course, have no idea what is required to secure the business. But they will take some comfort from being informed that the amount of dollars being allocated to cybersecurity is being increased.
Cybersecurity professionals would be well-advised to brief their organization’s legal team on the true nature of the cybersecurity threat the organization faces. The fact of the matter is that most business leaders today are making ill-informed assumptions about the overall risk to the business. But given the news this week, the chances are good that both the internal counsel and the board of directors of many organizations will now want to know a lot more about cybersecurity in the plainest terms possible. Just this week Uber announced a settlement with the Federal Trade Commission (FTC) under which it has agreed to have the way it handles customer records audited for the next 20 years. That’s on top of a $20 million fine Uber agreed to pay earlier this year.
No doubt the senior managers of Equifax were surprised to discover last month that the records of over 143 million consumers had been compromised. Not only did the credit risk scoring firm’s stock value drop over 10 percent this week after Equifax disclosed those breaches, it’s a certainty that fines associated with this breach will involve multiple millions of dollars.
In both cases, it’s probable that the board’s understanding of the level of risk to the company would be a lot higher if a lawyer had attached a potential cost to those types of breaches versus simply listening to an IT professional describe a theoretical risk that is now all too real for everyone concerned.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.