MDP's tips and tricks to manage cyber security
In a recent report, IBM confirms what is pretty much common knowledge. The numbers are nonetheless astonishing: nearly 9 out of 10 data breaches are caused by human errors! Combining this with the continuously increasing number of cyber attacks, we considered it useful to list 10 rules of thumb relating to the fight against this new form of crime.
First, to decrease vulnerability, companies should consider taking preventive measures in terms of internal organization:
- RULE 1 – SET UP A SECURITY TEAM: Compose a multidisciplinary team of persons with different backgrounds (e.g. technical, operational, security and legal persons). This team should take ownership of the cyber security question within the organization. The multidisciplinary nature of the team is very important. To give just one example from our practice, the notion “processing data” will have a different meaning for a technical person than it will have for a legal person. Insights from various points of view will improve the efficiency of the team considerably.
- RULE 2 – DOCUMENT YOUR SECURITY LEVEL: Document the security architecture and the measures that are taken within the organization. If necessary, an external expert can be involved to map your security level. Such a document will facilitate the assessment of whether additional measures should be taken.
- RULE 3 – ESTABLISH INTERNAL GUIDELINES: Humans (and not information technology) are generally the weakest link. Therefore, it is strongly recommended (and often mandatory) to establish internal security guidelines which both create awareness among individuals working within your organization and establish binding rules that must be observed. Such guidelines can range from a “clean desk” policy, through a “password policy”, to a “use of IT systems” policy.
- RULE 4 – CREATE AWARENESS: Related to rule 3, it may be advisable, depending on the size and activities of your organization, to organize periodic awareness and training sessions informing collaborators within your organization of current threats, recent trends, lessons learned, etc.
- RULE 5 – CHECK YOUR CONTRACTS: Check your own (IT) contracts with customers, and those with your suppliers on a number of aspects, including liability, security measures, processing agreements, SLA, etc. A clear and solid contractual structure may considerably mitigate the risks in this respect.
- RULE 6 – CERTIFICATION: Organizations (commonly either bigger ones, or those active in highly regulated industries) may consider obtaining a security certification (e.g. according to ISO standards).
However, despite these efforts, security incidents may, and actually will, still occur. In such event, it will be important to have in place several measures to mitigate your risks:
- RULE 7 – DATA BREACH PROCEDURE: Avoid the situation where a security incident occurs in your organization and no one actually knows how to deal with it in practice. Therefore, document the procedure to be followed: (a) which person(s) must decide the way forward; (b) who must be contacted; (c) how and when the incident must be reported; etc. This avoids total chaos and may help limit damages.
- RULE 8 – KEEP A DATA BREACH REGISTER: “Learn from your mistakes”! Keeping such a register (which can be a simple document) may help increase awareness and understanding, thus avoiding similar incidents in the future.
- RULE 9 – INSURE YOURSELF AGAINST INCIDENTS: Organizations should assess whether it is useful to insure against cyber security incidents. Insurance contracts in this niche are on the rise and are currently being fine-tuned by several specialized insurers. However, it is very important to critically assess, considering your specific circumstances (e.g. size, activities, risks, …), the nature of the insurance cover, the exclusions/limitations, and of course the amount of the premium to be paid. In our experience in this area, big differences still exist, so close scrutiny of these agreements by an expert is strongly recommended.
- RULE 10 – INVOLVE EXPERTS: In the event of security incidents, the help of experts may be of crucial importance. This includes PR services, technical assistance and legal assistance (either internal or external). For example, in relation to the legal aspects, several issues will be relevant, including liability issues, contractual issues, compliance with privacy rules and requirements, notification duties, and so on.
MDP lawyers regularly assist clients in this area and can help you with any question related hereto. For more information regarding the above, please contact Antoon Dierick.