Some Proactive Measures to Improve Cybersecurity Preparedness

The impact of ongoing ransomware events in the healthcare and broader business communities compels us, both professionally and personally, to self-reflect and to ask tough questions: "How ready are we?", "Can we really do anything to prevent it from happening to us?" and "If it happens, then what?"

There is no one-size-fits-all approach, but there are some relatively easy proactive measures that can narrow an organization's attack surface regardless of its cyber-maturity. These measures also reduce the likelihood of falling victim to a ransomware event, and limit the damage when one occurs.

Resource Allocation

Organizations should focus on allocating resources to create robust incident response, disaster recovery, and business continuity plans, and effective governance structures to support them. In addition, organizations should audit their existing network security, because that is where most of the exploitable weaknesses live, and most of them can be removed or contained if your organization takes the proper steps. Some key points to consider regarding the security of your organization are:

• Network segmentation and endpoint encryption

• Remote Desktop Protocol exposure (one of the most dominant attack vectors for ransomware)

• Running administrative services on a non-default port; this cuts the noise from automated scanners but does not stop a targeted attacker and is no substitute for patching, strong authentication and network restrictions

• Controls around change management and patching processes

• Data retention and data loss prevention

• Identity and access management, and vendor management

• Unsecured servers hosted by third parties

Evaluate and Improve Patch Management Process

In addition to monitoring network security and keeping systems and applications up to date, organizations should address their “end of life” problem. If it is impractical or even impossible to update systems, it is critical to take additional steps to mitigate your risks. If your business has technology that is embedded in the fabric of your operations, segment end-of-life systems and software and develop a minimum-necessary access policy. This is particularly important with regard to medical devices, as many are still running outdated operating systems that simply cannot be updated. Remember, where preventative controls are not possible, develop detective controls and perform real-time monitoring to mitigate risks.

Backups and Testing are Essential

Another measure your organization can take is to maintain restorable backups. Backups may appear to be an easy process, but many seemingly mature organizations do not have a full backup of all critical data. Restorable backups require a data categorization or classification effort, and the asset inventory is a good place to start in deciding what must be backed up. It is equally important that an organization maintain an off-line, 100% off-network backup instance, since ransomware routinely encrypts or deletes backups that are reachable from the compromised network. Organizations should also regularly test their ability to restore from those backups; a backup that has never been restored is an assumption, not a control. In a worst-case scenario, a victim organization will have to rely on the availability and integrity of backed-up data. Restorable backups are something every security framework requires. Do you align with an industry-recognized framework? If you have not adopted a security framework, it is critical to do so as soon as possible.
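As an added illustration, not code from the original post, the Python below shows one way to turn "test the ability to restore" into a repeatable check: record a SHA-256 manifest of the data at backup time, keep that manifest with the off-line copy, and verify a restored tree against it. The directory layout, file contents and the two faults injected in demo() are constructed for the demonstration; in practice build_manifest() would run as part of the backup job and verify_restore() would run against a restore into an isolated environment.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups do not load into memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files that are missing, changed or unexpected. All three lists
    empty means the restore test passed.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up a tiny tree, restore it cleanly, then simulate a bad
    restore in which one file is silently altered and another is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "ehr").mkdir(parents=True)
        (src / "ehr" / "patients.csv").write_text("id,name\n1,example\n")
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        # The manifest travels with the off-line backup; JSON keeps it portable.
        manifest_json = json.dumps(build_manifest(src), sort_keys=True)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(restored, json.loads(manifest_json))

        (restored / "config.ini").write_text("[db]\nhost=db02\n")
        (restored / "ehr" / "patients.csv").unlink()
        tampered = verify_restore(restored, json.loads(manifest_json))
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the manifest is produced from the source before the backup is written, it also detects a backup job that quietly skipped files, which a simple "did the job exit 0" check never will.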

Policies are Living Documents

Your organization should have well documented policies and procedures that meet legal requirements and provide a legally defensible posture. Every organization has different needs and different legal standards which they need to abide by, therefore it is bad security hygiene to copy and paste policies found online. You may be subjecting yourself to laws and standards that do not apply or leaving your company legally exposed. Every well-planned policy taxonomy will have both a sustainable governance framework that serves to keep your policies current and relevant, and a mechanism in place to enforce the policies.

Our Beckage team leverages its deep experience to assist organizations of various sizes and complexities in building efficient, long-standing and scalable IT due diligence programs. Our team of attorneys is made up of seasoned technology professionals with backgrounds that include risk management, in-house counsel, governmental agencies, and information security and technology leadership. We work with businesses across channels and industries to facilitate the design and implementation of enterprise-wide security programs and perform ongoing "health checks" to evaluate the appropriateness of controls and alignment with business requirements. As we continue through 2020, there has never been a better time to operationalize a risk-based methodology.

*Attorney Advertising. Prior results do not guarantee future outcomes.


Legal Strategies When Executing a Distributed Workforce Strategy

In a short period there has been a monumental push for remote working arrangements by almost every existing organization. As a result of the Coronavirus outbreak, our calendar has been filled with appointments to discuss the practical considerations and steps that every leadership team is facing, from executive to technology, including application and business stakeholders. This incident has brought on evaluations of an organization’s readiness through the lens of business continuity, incident response, and more expansive administrative, technical, and physical safeguards.

While not exhaustive, below is a list of some areas to consider in executing a distributed workforce strategy:

Principle of Least Privilege – Has the organization operationalized a principle of least privilege? Does this extend to your remote access management? Opening the floodgates to all end users at once is neither practical nor safe. Discuss a tiered approach and, where preventative controls are not possible or practical, implement detective controls. In practice this means automated log management, reviews, and analytics to identify anomalous behavior on networks or systems that are classified as mission critical or that handle the most sensitive data. Take a risk-based approach to identity and access management and consider a more restrictive policy; you can remind your user base that this is a temporary measure. From a security perspective, your objective is to narrow the attack surface; remember the security triad of Confidentiality, Integrity and Availability.

Remote Desktop Protocol – Now is the time to check your remote access configurations. We are sure to see a significant uptick in cyber incidents exploiting exposed ports commonly used for remote access; this is frequently the point of entry for ransomware attacks. Audit your network and, if you haven't already, identify servers and devices that are reachable from the internet on ports 22 (SSH), 23 (Telnet), and 3389 (RDP). Once identified, and where permitted based on your unique circumstances, immediately disable Telnet on all systems (it carries credentials in clear text) and close any SSH and RDP exposure that is not strictly necessary. What remains should sit behind a VPN or remote desktop gateway with multi-factor authentication, and RDP hosts should require Network Level Authentication so that an attacker must authenticate before reaching the vulnerable parts of the service. It was only a year ago that we witnessed BlueKeep (CVE-2019-0708), the vulnerability in Remote Desktop Services that allowed unauthenticated remote code execution over RDP on unpatched systems.
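To make the audit step concrete, here is a small Python script, added as an example and not part of the original post, that performs a TCP connect check of the three ports named above across a list of hosts and reports which are listening. The host list, the throw-away local listener started by demo() and its "Telnet" label are constructed so the routine can be exercised with no real network; point audit() at your own address ranges, and run it from outside the perimeter, because what matters is what is reachable from the internet, not from the office LAN.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports the post singles out for remote access; the label is only used in the report.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check of one port. A completed handshake means something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit(hosts, ports=REMOTE_ACCESS_PORTS, timeout=1.0, workers=32):
    """Return {host: {port: label}} listing every remote-access port found listening."""
    findings = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {pool.submit(port_open, h, p, timeout): (h, p) for h in hosts for p in ports}
        for job in jobs:
            host, port = jobs[job]
            if job.result():
                findings.setdefault(host, {})[port] = ports[port]
    return findings


def _listener(port_holder, ready):
    """Throw-away listener on an ephemeral localhost port, standing in for an exposed service."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port_holder.append(srv.getsockname()[1])
    srv.settimeout(5)  # give up after the demo has had its chance to connect
    ready.set()
    try:
        while True:
            conn, _ = srv.accept()
            conn.close()
    except socket.timeout:
        pass
    finally:
        srv.close()


def demo():
    """Constructed scenario: one fake 'Telnet' listener and one known-closed port on localhost,
    scanned with the same audit() you would aim at real hosts."""
    ports, ready = [], threading.Event()
    threading.Thread(target=_listener, args=(ports, ready), daemon=True).start()
    ready.wait(5)
    fake_telnet = ports[0]
    # Reserve and immediately release a second ephemeral port so we know it is closed.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    # Assumed mapping for the demo: the listener plays Telnet, the closed port plays RDP.
    probe = {fake_telnet: "Telnet", closed_port: "RDP"}
    return audit(["127.0.0.1"], probe, timeout=0.5)


if __name__ == "__main__":
    print(demo())
```

A connect scan confirms only that a port is reachable; it says nothing about whether the service behind it is patched or requires Network Level Authentication, so treat every hit as a lead to investigate, not a finding to file.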

Data in Transit and At-Rest – Revisit your organization’s encryption standards as they apply to data in transit and at rest. With an expanded workforce now remote and handling sensitive and non-public data, an encrypted data at rest conversation should be at the top of your discussion list. The NY SHIELD Act, which became effective March 21st, expands upon the definition of private information to include personal information in combination with various listed data elements (refer to NY Senate Bill S5575B) that “were not encrypted” or “was encrypted with an encryption key that was accessed or acquired.” For financial institutions the FFIEC, which prescribes uniform principles and standards, states that institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.

Password Strength and Two-Factor Authentication – Replace any default or weak login credentials with passphrases. In 2017 the National Institute of Standards and Technology (NIST) published guidance on this in SP 800-63B, favouring length and screening against known-compromised passwords over arbitrary composition rules, yet organizations have been slow to adopt passphrases in place of their typical 8-character passwords. Now is a good time to implement passphrases and to communicate this as a necessary response to the recent distributed workforce requirement. Multi-factor authentication on every remote access path does more than any password policy and should be enabled alongside it. Similarly, revisit screensaver and session lockout times; remember, this is about narrowing the attack surface. If you can shorten these times by 5 minutes, the compounding effect across, say, 1,000 employees could be 5,000 minutes, or roughly 83 hours. That is 83 hours less time in which an unattended, unlocked device is available to a bad actor. In addition, look at failed-login-attempt configurations; you can lock an account after fewer attempts than usual, bearing in mind that a very low threshold lets an attacker lock legitimate users out simply by guessing wrong, so pair it with monitoring of failed logins rather than relying on lockout alone. This can be a temporary measure until your workforce returns to the office setting.
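The following Python, added here as an example and not part of the original post, shows the two controls from this paragraph working together: a passphrase check that follows the SP 800-63B approach (minimum length, a generous maximum, a blocklist of compromised or context-specific words, and deliberately no composition rules), and a failed-login tracker that locks an account after a small number of failures inside a time window, which also serves as the detective control called for under Principle of Least Privilege above. The 15-character minimum is an organisational choice and not NIST's number, and the blocklist, usernames, timestamps and fake clock in demo() are constructed.

```python
import time
from collections import deque

# SP 800-63B (section 5.1.1.2) requires at least 8 characters, allows at least 64,
# forbids composition rules, and requires screening against a blocklist of
# compromised, dictionary and context-specific values. The minimum below is raised
# to 15 as an organisational passphrase choice (assumption, not NIST's figure).
MIN_LEN = 15
MAX_LEN = 64
# Constructed stand-in for a breached-password corpus.
BLOCKLIST = {"password", "welcome1", "qwerty", "letmein", "spring2020", "password123"}


def check_passphrase(candidate, username="", context_words=()):
    """Return the reasons a candidate is rejected; an empty list means it is accepted.
    Note there is intentionally no 'must contain a digit/symbol' rule."""
    reasons = []
    if len(candidate) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the blocklist")
    for word in (username, *context_words):
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


class LockoutPolicy:
    """Lock an account after max_failures failed logins within window seconds.

    SP 800-63B caps consecutive failures at 100 per account; the post suggests a
    tighter threshold while the workforce is remote, so a small default is used.
    A successful login clears the failure history. The clock is injectable so the
    behaviour can be exercised without waiting on real time."""

    def __init__(self, max_failures=5, window=900, lock_for=900, clock=time.monotonic):
        self.max_failures, self.window, self.lock_for, self.clock = max_failures, window, lock_for, clock
        self._failures = {}      # account -> deque of failure timestamps inside the window
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        return self._locked_until.get(account, 0) > self.clock()

    def record(self, account, success):
        """Feed one authentication result; returns True if the account is (now) locked."""
        now = self.clock()
        if self.is_locked(account):
            return True
        if success:
            self._failures.pop(account, None)
            return False
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            q.clear()
            return True
        return False


def demo():
    """Constructed walk-through: three passphrase candidates, then a burst of five
    failed logins for one account driven by a fake clock."""
    ctx = {"username": "jdoe", "context_words": ("Beckage",)}
    results = {
        "weak": check_passphrase("Spring2020", **ctx),
        "context": check_passphrase("jdoe-beckage-rdp-2020", **ctx),
        "good": check_passphrase("copper kettle rides the 7 train", **ctx),
    }
    t = [0.0]
    policy = LockoutPolicy(max_failures=5, window=900, lock_for=900, clock=lambda: t[0])
    burst = []
    for _ in range(5):
        t[0] += 10                     # one failed attempt every 10 seconds
        burst.append(policy.record("jdoe", success=False))
    results["locked_after"] = burst.index(True) + 1
    t[0] += 1000                       # beyond lock_for, so the lock has expired
    results["unlocked_later"] = not policy.is_locked("jdoe")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Every lock event from record() is worth logging and alerting on as well: a run of lockouts across many accounts from one source is the signature of a password-spraying campaign, which a per-account threshold on its own will not reveal.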

Communication – The question that has come up the most concerns communication while working remotely. The workforce will need to be informed as it transitions to remote work. Organizations will need to remind their workforce of what is expected of them as it pertains to policies such as acceptable use, BYOD, information security, business continuity, disaster recovery, and incident response. Similarly, the workforce should be reminded of safe security practices in the home (for example, when was the last time they updated their router firmware?). While company-wide communications will be necessary, tailored communications to various departments may be equally important. For example, the Incident Response Team leader should communicate regularly with all stakeholders and review the Incident Response Plan to evaluate whether its procedures assume the physical proximity of the people who carry responsibilities under it. Likewise, physical security may have unique requirements now that the offices will largely be empty.

The push to remote work has forced organizations to revisit their control environments, operational workflows, and technical capabilities. This is an exercise that requires input and coordination across the organization and highlights the importance of a policy governance structure.  


Force Majeure Contract Provisions Amid the COVID-19 Pandemic

As COVID-19 puts pressure on companies trying to comply with their contractual obligations, it is time to take a look at the provision that might excuse performance: the Force Majeure provision. This provision works to excuse parties from performing their obligations when an unforeseen event occurs. COVID-19 may fall right into the description of that unforeseen event, but whether a party can take advantage of performance excusal depends on the Force Majeure provision itself. Given the ever-changing landscape around COVID-19, organizations may want to consider the following to understand what terms come into play for a Force Majeure event:

1.     Review Your Force Majeure Provision

What events are covered?

Look at the events listed in the Force Majeure provision. Most Force Majeure provisions state that Force Majeure events occur when the event is "beyond the party's control." If an organization is claiming Force Majeure, it should be prepared to make the argument that federal and state mandates issued in response to COVID-19 are beyond its control. If specific events are listed in the provision, organizations should review whether any of them aligns with COVID-19. For example, "acts of God," public health emergencies, epidemics, or pandemics may be listed. It is worth noting, in light of the COVID-19 pandemic, that a virus or bacterium may be excluded if the contract is for health-related services.

Are any events carved out?

Review whether any specific events are carved out of the provision.  Savvy contract drafters will carve out certain events that are more likely to impact performance for the specific services being provided to ensure the performance is not excused.

How is the event triggered?

The occurrence of Force Majeure events does not necessarily trigger the provision.  Some provisions may require formal declarations from federal or state entities declaring emergencies.  Organizations should evaluate whether the Force Majeure provision has any such prerequisites for excusing performance.

It is also possible that reactions to COVID-19 will greatly frustrate an organization's performance rather than making it so impossible that the performance is excused under a Force Majeure provision. In these cases there is no clear-cut answer on how to proceed, so the parties will need to work together to come up with solutions that make complying with contractual obligations easier.

2.     Review Requirements for Claiming Force Majeure

The contract may include specific deadlines and notice requirements for claiming Force Majeure. Organizations should review the requirements for making such a claim to avoid missing the relevant window of time.

3.     Consider Contracts Being Currently Negotiated

If an organization is in the middle of negotiations for an agreement, it should review the Force Majeure provision and consider adjusting to contemplate complications arising from COVID-19.  The organization can also consider adding additional termination rights or longer periods for cure to combat further fallout from the virus.

Our Beckage Team continues to closely monitor the legal and business implications associated with the COVID-19 pandemic.  It is critical that companies align with experienced counsel to proactively assess their existing contractual obligations and the obligations of their counterparts.  The Beckage Team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for your business in the event coverage is needed.  


Algorithmic Bias – What Businesses Need to Know

Algorithms, artificial intelligence (AI), “data scraping” and other means of evaluating vast amounts of information about people have indeed become widespread and are increasingly common tools in the hiring toolbox. As predicted the use and scope of big data has grown exponentially over the past several years and continues to influence employment and hiring decisions. We are operating in a world where automated algorithms make impactful decisions that amplify the power of business. However, as with the use of any new technology, the legal landscape for businesses is rapidly changing so it is critical to closely evaluate these tools before incorporating them into your hiring practices. Why? Because these tools may unintentionally discriminate against a protected group.  

The challenge is straightforward: AI algorithms are based on datasets collected or selected by humans. That means those data sets are subject to intentional or unintentional bias, which could lead to biased algorithmic models. Examples of algorithmic bias have already started popping up in the news. In 2018, for example, a large company decided to scrap its proprietary hiring algorithm when it discovered the algorithm was biased in favor of men, simply because the algorithm was trained on patterns from resumes received over the past 10 years—resumes that were mostly from men because the tech industry skews male. So, rather than taking away the existing bias against women in technology, this company’s system amplified the bias.

How the EEOC is Handling Algorithmic Discrimination

In the face of increasingly broad use of algorithms, the Equal Employment Opportunity Commission (EEOC) is responsible for enforcing federal laws that make it illegal to discriminate against job applicants or employees because of their membership in a protected class. The EEOC has begun to challenge the use of hiring and employment practices that have a statistically significant disparate impact on a certain group and cannot be justified as a business necessity. The EEOC expects companies that use algorithms and AI to take reasonable measures to test the algorithm's functionality in real-world scenarios to ensure the results are not biased, and it expects companies to test their algorithms often. The EEOC has also redefined the protected category of "sex," for example, to include sexual orientation and gender identity. With these changes it is possible that the number and type of individuals protected from discrimination will continue to expand.

How Businesses Are Mitigating Risk

Lacking any concrete laws or guidelines, how can businesses mitigate the risks around algorithmic hiring systems? The key is extreme vigilance and strong contracting practices if or when your business relies on AI in recruiting and selecting candidates, even when relying on third-party vendors. Companies are responsible for ongoing assessments and audits of their own algorithms and hiring practices. If a third party is providing or managing the algorithms used to make hiring decisions, it is still up to the employer to scrutinize validation claims and results before acting. It is also wise to consider including indemnification, hold harmless clauses and appropriate disclaimers in any agreements. The Beckage Emerging Technologies team and AI Practice Group at Beckage are ready to help assess how your business can use algorithms in your hiring practices effectively and responsibly, and to help clients deploying AI-driven services and products in areas such as compliance with laws and regulations, data privacy issues, and AI governance and ethics.


Next Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

The New York State Department of Financial Services issued a Cybersecurity Regulation (23 NYCRR 500)(“Regulation”) that went into effect on March 1, 2017.  The Regulation carried with it several compliance milestones applicable to “Covered Entities” under the Regulation, which includes those entities that are operating or required to operate under the New York insurance, finance and banking laws.  

SUMMARY OF COMPLIANCE MILESTONES TO DATE

The Regulation first required Covered Entities to establish a number of cybersecurity and IT policies and procedures by August 28, 2017. Next, Covered Entities were required to submit a Certification to the Department of Financial Services by February 5, 2018, that they had complied with the first milestone under the Regulation. By March 1, 2018, the Regulation required Covered Entities to implement additional CISO reporting, annual Penetration Testing and Vulnerability Assessments, and Risk Assessments, and to implement Multi-Factor Authentication where necessary based on the results of the Risk Assessments.

The most recent milestone was on September 3, 2018. Covered Entities were responsible for establishing audit trails to reconstruct material financial transactions, creating policies and procedures around in-house developed applications, and assessing the security of externally developed applications. In addition, Covered Entities were required to establish policies on Data Retention limitations, continue cybersecurity training and monitoring, and develop procedures for the encryption of Non-Public Information that is transmitted over external networks and at rest, unless infeasible.

NEW MILESTONE – MARCH 1, 2019 DEADLINE

The next compliance milestone pertains to Third-Party Service Providers. This milestone must be met by March 1, 2019, and involves the oftentimes complex process of evaluating the Third-Party Service Providers utilized by your company. This process can be cumbersome and time-consuming given the complexity of the relationships your company may have with a variety of Third-Party Service Providers. Accordingly, it is recommended that you begin this process as soon as possible, as there are often several components to the analysis.

SUGGESTED NEXT STEPS

Moving towards the March deadline, Covered Entities should assess the risk that each Third-Party Service Provider poses to their data and systems and then determine an effective solution to address those risks. It is insufficient to rely solely on the Certification of Compliance that a Third-Party Service Provider has itself submitted to the DFS under the Regulation as the only means of evaluating that provider for this milestone.

Covered Entities should take steps to determine what, if any, Third Party Service Providers are being utilized by the company, evaluate them as it relates to security, and review the relevant policies and procedures. Covered Entities should consider whether or not it makes sense to require Third Party Service Providers to carry adequate insurance including Cyber Insurance to cover both the entity and the Covered Entity should a breach occur.  

ADDITIONAL INSIGHT INTO THE REGULATION

It is helpful to note that the DFS regularly answers FAQs pertaining to the DFS Cybersecurity Regulation that provide valuable insight.  The complete list of FAQs can be found at the following link: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm

The contents of  23 NYCRR Part 500 can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

The attorneys at Beckage PLLC are fully equipped to help you navigate through the Third-Party Service Provider Risk Assessment and all other components required under the Regulation by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.  

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.
