This article was originally published in the 2018 Legal Geek Conference Magazine in October.
With data breaches becoming more common, cybersecurity is as important as locking the door of the office. CenturyLink’s Solutions Architecture and Security Director EMEA, Bryn Norton, believes effective cybersecurity isn’t just about building ever more intelligent anti-malware software; it’s about empowering people to take responsibility.
1. What’s the biggest cyber threat to big law firms?
“Complacency. In 2017, the majority of security breaches were executed against vulnerabilities that were already known to the industry well before the breach. It’s a mindset of ‘I have bought a device, I have plugged it in and therefore I am now safe’ – but it’s not as simple as that. You need to be cognisant of how to use it properly and how to maintain it. The WannaCry hack in 2017 demonstrates how many organisations are not adhering to very basic security measures. Two months prior to WannaCry, Microsoft released a critical patch to address the specific vulnerability, but many companies still hadn’t deployed the patch and were left vulnerable. What that highlights is that people aren’t always doing the basics well.”
2. What is the greatest misconception about cybersecurity?
“That people don’t play a big role when it comes to cybersecurity, because nothing could be further from the truth. People are the weakest link in any organisation’s cybersecurity system, and therefore they are the most important. When you apply security controls to a company, you need to take employees on that journey with you. It’s the responsibility of the organisation to empower staff to execute effective cybersecurity.
“In addition, what a lot of organisations do is buy technology and then think about making it secure – as an afterthought. But the marketplace is changing and GDPR is having a positive effect. For example, Article 25 shifts the emphasis to security by design, which is how every security structure should be deployed.”
Effective cybersecurity requires everyday heroes.
3. What simple things could everyone here today do to improve cybersecurity at their company?
“While it’s important for employers to empower their staff, at the same time individuals also need to use their own initiative to ensure security standards are being met. Each employee should be conscious of how their actions could positively or negatively impact the business. It’s about being mindful of what data is being used, where it is shared, and who with. Does that specific person need to receive all data, just some, or do they even need it at all? Even something as simple as a clear desk policy is effective. Also, with the majority of security breaches still occurring through phishing, enterprises must ensure staff are trained to recognise suspicious emails before opening them.”
Even simple strategies like a clear desk policy can make a big difference
4. Is using the ‘cloud’ safe?
“Cloud” data is stored on third party servers that can be remotely accessed from multiple locations via the internet — as a result, there is often a perception that it is less secure than data stored on systems you own or control.
“For example, last year it was reported that Amazon, one of the largest cloud providers, experienced a breach – but was it the fault of the cloud provider? No, it wasn’t. The breach was caused by a private function being enabled by a user to become public.
“There are cloud solutions which can more securely protect data than if you store it on a server in your own environment, with advanced security features to protect sensitive information. So really, the cloud is as secure as you want to make it. However, every cloud user also needs to take responsibility for managing their data in the cloud.”
5. What do you predict happening in cybersecurity over the next 12 months?
“There is no escaping the fact that cyberattacks are on the rise and enterprises are therefore looking at increasing investment in cybersecurity. Why? Because there are more people becoming digitally connected. Bad actors feed off this growth. The difficulty is that cybercrime presents a relatively low risk of being detected, and returns can be substantial. The entry to market is incredibly low – you don’t need to be a talented coder, you just need to understand the basics and know where to download the tools required.
“What is complicating the industry’s response to these increased threats is that the cybersecurity marketplace is crowded. Everyone at the Legal Geek conference could go out and buy multiple security technologies to protect themselves, however deciding what is right for your organisation can be a daunting and confusing task. As a result, what you do buy can all too often become ‘shelfware’, something which makes a lot of noise and provides a lot of information but isn’t understood properly. Consequently this acts as a prohibitor to making good decisions.
“At CenturyLink, the big thing we are looking at is how our customers can cut through the noise and understand the actionable information. This empowers people to make effective business decisions based on a strategic security policy, and on fact.”
CenturyLink is the second-largest US communications provider to global enterprise customers.