Information Security – The Past, Present and Future

Wednesday, March 8, 2017

Guest Blog by Niamh Muldoon, EU Information Security Director, DocuSign

“It will always be about protecting data”

The Past:

In the past, Information Security frameworks were inwardly focused organisationally, predominantly consisting of policy, standards and procedures that the organisation adhered to. The majority of data and information was stored in-house within the business technology perimeter. Data and information assets existed in both electronic and physical formats. The ability to technically share data and information was very limited and when permitted, subject to stringent Information Security Framework controls. Technology departments’ management tooling supported security teams with the administration of tooling, protecting the perimeter and businesses’ data.

Businesses that understood data and classified their electronic data were considered to be mature; they had appropriate controls in place, and their data was accessible internally and externally. The perimeter-to-perimeter connectivity was mainly focused on a one-to-one relationship, including underpinning network topology using leased private telecom lines progressing to the virtual private network concept.

The cyber-security threat landscape of the past was very different to the present day. In 1988, we saw the first piece of malware being introduced. Robert Morris created the ‘worm’ type of malware. The ‘Morris Worm’ impacted over 6000 computers and it’s said that it would have cost $96 million if it hadn’t been stopped. Not too many years later, we had the first well-publicised Distributed Denial of Service attack (DDOS).

The Present:

Fast forward to 15 years later to where we are today, and really the only way to say this is – the Internet has exploded. We all, in our personal and business lives, have embraced digitalisation and digitisation using Internet-based technologies.

To support this digital transformation, businesses have transformed to a ‘perimeter-less’ ecosystem and Information Security Framework. The starting point of the Framework is the law level: the laws that businesses need to adhere to for the data they manage and use, including global and country-specific laws, need to be considered. The next level up is the data protection regulations for the jurisdictions of operation, followed by industry compliance standards that have a data component and then industry best practice standards. These four levels all support businesses to digitally operate globally. Businesses need to internalise these requirements into policies, standards and procedures for data management that the internal organisation must then adhere to.

Operating at a global level using Internet/cloud based technologies means that businesses need an Information Security Framework that not only protects the Information Asset categories from cyber security attacks, but also supports safeguarding the authorised use of those assets including their transfer across geographical borders.

The requirement for understanding data, classifying it into Information Asset types and protecting them has become even more granular. Today’s cyber security threat landscape is very different to the past. The means, opportunity and motive to attack have not only grown, but have advanced.

There were a total of 2,260 reported data breaches in 2016. Motives for attacks vary, but because hackers have the means and opportunity, it’s become far too easy to be a target for attack with the highly likely result of a data breach ensuing.

The Future:

We won’t know what the future will look like from a technology advancement perspective; however, we do know that data transformation to digitalisation will continue or be complete. Pro-actively managing and protecting Information Asset types is proven to be the foundation of success, enabling businesses to reduce the risk of security breaches and associated cyber security attacks – this will remain fundamental in the future.

At DocuSign, we have on average 130,000 new users joining the DocuSign Global Trust Network every day and our user-group is spread across 188 countries including regulated industries.

DocuSign has chosen ISO 27001 to be the core of its Security Standard model, and it allows customers to take ISO 27001 results and map them into their vendor management programmes. DocuSign has also invested heavily in a cyber-security programme, investing 3 million into the Centre of Excellence. The Binding Corporate Rules programme is underway and the company continues to provide assurance with Compliance certifications.

About Niamh Vianney Muldoon

Niamh has over 15 years’ experience as an information security professional. Prior to DocuSign, she was the EMEA Technical Compliance programme manager at Workday, where she established and grew the organisation’s EMEA Privacy and Compliance team. Through her Information Security programme manager role at the Irish online eGaming company Paddy Power Betfair, she transformed the team from being an IT Security function to a mature Information Security function. Niamh spent over 12 years at the Irish financial institution AIB, where she commenced her Information Security career and had many successes in relation to technology risk assessment frameworks and establishing Enterprise Information Security & eDiscovery functions. In her spare time, Niamh likes to give back to the Information Security industry, working with (ISC)2 and sitting on the global scholarship review panels. She is also a part-time evening lecturer in cybersecurity at the National College of Ireland.

Wednesday, March 1, 2017

Key Takeaways for Law Firms from the Ascertus Cyber Security Seminar

- Roy Russell, CEO, Ascertus Limited

Six industry experts presented at our Cyber Threat Landscape for Law Firms seminar last week, with all broadly agreeing on the key cyber security issues facing law firms and the measures they must take to mitigate the impact on their organisations. The highlights are as follows:

  • Law firms are marked

Several threat actor categories are targeting law firms including Nation State, Organised Crime Gangs (OCGs), Hacktivists and Insiders – each motivated slightly differently. For example, Nation States want to gather intelligence on mergers and takeovers, pinch intellectual property or gain intelligence that offers them a favourable position in trade negotiations. OCGs see great scope in monetising data from law firms – be it by selling insider intelligence to rogue traders or stealing money. Furthermore, different threat actors operate differently in different sectors. As firms develop their cyber defences, it’s wise to incorporate future requirements, looking at the business and threat scenario three to five years ahead.

  • Hackers love email

Ransomware holds the number two spot for malware popularity among criminals. It’s easily delivered via email, the most ubiquitous application in business today; and isn’t too complex to put together. For the same reason, phishing attacks are increasing too. A friendly, legitimate-looking email from the boss explaining via an attached spreadsheet why the individual wasn’t given the desired salary raise is all it takes to infect the employee’s PC. Similarly, criminals are able to easily breach people’s PC and wider organisational infrastructure such as network shares via attachments such as PDFs, which end-users perceive as ‘being safe’ to send and receive.

‘Herd alertness’ is critical organisation-wide to ensure security. It’s imperative that firms develop cyber-resilience via a combined approach to prevention, continuity and recovery.

  • People and culture are weak links

A vast number of hackers are social engineers, exploiting the vulnerabilities of people and the culture of organisations to breach them for financial gain. Social engineering isn’t rocket science; it requires little technical knowledge, a great deal of patience, people skills and good research. A disgruntled employee could easily be exploited (unbeknown to the individual) by a hacker to gain information that helps breach the organisation, physically or online.

A major blind spot that hackers often manipulate is people’s view that they aren’t important in the firm and hence not a hacker target. A hacker could potentially take advantage of a pre-occupied receptionist to gain important information on the physical security procedures of the organisation to then exploit. Firms must ‘know’ their employees, but also ‘grow’ their own social engineers, educating them in the ways and the mindset of hackers so that they can spot potential breaches.

  • Behavioural analytics is a must

Behavioural analytics can help firms ‘know’ their employees. Data is a law firm’s crown jewels, and how and when it is accessed can serve as a strong indicator of security. With behavioural analytics, every employee has a ‘fingerprint’, and deviation from it can be a tell-tale sign of a potential breach. For instance, a hacker using a litigation lawyer’s ID to access sensitive M&A files on a matter would be instantly flagged up to the IT department as an anomaly, for appropriate action to be taken.
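As an added illustration of the ‘fingerprint’ idea (example code written for this page, not from the seminar or any of the presenting vendors): a minimal per-user baseline built from constructed document-access logs, which flags the litigation-ID-on-M&A-files case above. The matter-to-practice-area and role-to-area mappings, the log field layout and the flagging threshold are all assumptions.

```python
from collections import defaultdict

# Constructed data (not real firm records): which practice area each matter belongs
# to, and which areas each role normally works in. Both mappings are hypothetical.
MATTER_AREA = {"M-1001": "litigation", "M-1002": "litigation",
               "M-2001": "M&A", "M-2002": "M&A"}
ROLE_AREAS = {"litigation": {"litigation"}, "corporate": {"M&A"}}

# Constructed historical access log: (user, role, matter, doc_class, hour_of_day)
HISTORY = [
    ("alice", "litigation", "M-1001", "pleading", 10),
    ("alice", "litigation", "M-1001", "correspondence", 14),
    ("alice", "litigation", "M-1002", "pleading", 9),
    ("bob", "corporate", "M-2001", "deal-docs", 11),
    ("bob", "corporate", "M-2002", "deal-docs", 16),
]

def build_fingerprints(history):
    """Per-user baseline: matters touched, document classes seen, hours active."""
    fp = defaultdict(lambda: {"matters": set(), "classes": set(), "hours": set()})
    for user, _role, matter, doc_class, hour in history:
        fp[user]["matters"].add(matter)
        fp[user]["classes"].add(doc_class)
        fp[user]["hours"].add(hour)
    return dict(fp)

def score_access(fingerprints, event):
    """Return the list of ways one access deviates from the user's fingerprint."""
    user, role, matter, doc_class, hour = event
    base = fingerprints.get(user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    # Role check: a litigation ID touching an M&A matter is the seminar's example.
    if MATTER_AREA.get(matter) not in ROLE_AREAS.get(role, set()):
        reasons.append(f"role {role} outside its practice area ({MATTER_AREA.get(matter)})")
    if matter not in base["matters"]:
        reasons.append(f"matter {matter} never accessed before")
    if doc_class not in base["classes"]:
        reasons.append(f"document class {doc_class} never accessed before")
    # Hours window: +/- 2 hours around the user's observed range (illustrative).
    if not (min(base["hours"]) - 2 <= hour <= max(base["hours"]) + 2):
        reasons.append(f"outside usual hours ({hour:02d}:00)")
    return reasons

def flag_anomalies(fingerprints, events, min_reasons=2):
    """Flag events with at least min_reasons deviations; threshold is illustrative."""
    flagged = []
    for event in events:
        reasons = score_access(fingerprints, event)
        if len(reasons) >= min_reasons:
            flagged.append((event, reasons))
    return flagged
```

A real deployment would build the baseline over weeks of logs and weight the reasons rather than simply counting them, but the structure of the check is the same.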

  • Security, legal, privacy and compliance must work together

There are three principles of information security: confidentiality, integrity and availability. Based on these tenets, security, legal, privacy and compliance professionals in law firms must all work together to influence how data is accessed and managed, today and in the future. This approach will grow in importance with trends such as Big Data and regulations such as the upcoming EU General Data Protection Regulation (GDPR).

  • Intelligence-driven security operations are needed

Cyber criminals are continuously adopting new tactics to breach security. Law firms need to adopt a Security Operations-led approach that goes beyond traditional IT security. This approach delivers Adaptive Threat Processing that facilitates a big picture of the threat landscape encompassing everything from assessing new threats, adaptive controls, detecting manifesting threats, mitigating the impact as well as monitoring threats and their evolution.

Over 50 people attended the seminar and the feedback has been excellent with comments including “very interesting”, “very informative”, “excellent seminar” and “good range of presenters and materials”. Watch out for future Ascertus seminars being planned for locations across the UK and Europe.

This blog is based on the presentations by The Security Alliance, iManage, Mimecast, DocuSign, Jenny Radcliffe and QuoScient at the Ascertus Cyber Threat Landscape for Law Firms seminar on 23rd February 2017 at the Bird and Bird LLP auditorium.

Thursday, March 16, 2017

The Difference Between Metrics and KPIs

By Dr. Michael Tal, Managing Director, BusyLamp

The biggest challenges faced by legal departments, according to corporate counsel, are improving operational efficiency, ensuring regulatory compliance, alleviating budget pressure, delivering despite a staff shortage and making better use of technology. So, in a nutshell, doing ‘more with less’ is an overriding objective. Often, corporate counsel has a gut feeling that everyone in the department is “doing more with less”, but struggles to quantify the “more” and the “less”.

All the above-mentioned challenges could to a large extent be reduced by using legal analytics. Existing data can help to measure these items and drive quantifiable improvements. In addition, it allows the legal department to speak the language of company executives and senior management – i.e. the language of metrics and Key Performance Indicators (KPIs).

To obtain high-quality, trustworthy analytics, one must feed it with good data. There are several factors that determine quality data. With regard to legal spend management, these are for example: categorised matters, Uniform Task Based Management Systems (UTBMS) task-coded line items, robust line item descriptions and line items that are not block-billed.

Law departments have an abundance of available data, like historic bills from their outside counsel, which contain a wealth of valuable information if they could mine it. This requires structure, and legal analytics platforms are a good way to provide it. These platforms can structure, aggregate, organise and compare data in meaningful ways to make it truly actionable in the form of metrics and KPIs.

To speak bluntly, metrics in organisations tend to be what can be easily measured. So often decision makers discount the metrics that don’t appear to achieve the outcome they desire at the least possible cost. Nevertheless, in order to convey the resounding impact of process innovation and improvement through the use of applied metrics on the legal department, it’s important to define success factors, limitations and choose KPIs that align with the established strategy. This makes the relationship between a KPI and a metric tangible – a KPI is simply a metric that is tied to a target.

A metric is generally understood to be a standard of measurement that can be used as a way of quantitatively assessing the efficiency of performance with respect to a particular process. In order for a metric to be useful, however, there must be full agreement in advance as to how the relevant data will be collected, organised and displayed. Metrics cannot be used in isolation and their results must be evaluated against pre-agreed standards. This exercise is referred to as “benchmarking”, after which a large number of “performance indicators” can be identified. The focus must be on those that are truly “key” – meaning that KPIs should have a sensible and sustainable architecture, which aligns with the company’s overall strategy and is easily understood by stakeholders, while being limited to those areas that can create the most value for the organisation.

There is no “right answer” for what metrics a legal department should use or how the KPI programme should be implemented, but there are some questions that can help drive the decision-making process:

  1. Why are the KPIs being developed? For example, is it to demonstrate the value of the legal department; or just track trends?
  2. What are the department’s goals? What are the company’s overarching goals? Is there a strategy you could review?
  3. What aspects of performance are of value to leadership (company, law department, business units)?
  4. Does anyone have extensive experience of developing and implementing KPIs within the organisation?
  5. Are metrics being tracked in other areas? What do those look like and what is the process for evaluating and measuring them? What were the lessons learned?
  6. What processes and tools are in place already that could help with measurement? What processes and tools would need to be implemented and what does that effort look like?
  7. Where does the KPI programme fit with the priorities of the department?

When determined following a diligent process, metrics can help incentivise the legal department and they can be embedded within the workflow. KPIs, on the other hand, should be used to establish goals and objectives for further improvement. Note however, that the goals should not simply be to achieve a “better score”, but rather be supported by specific “next steps” that can be understood, implemented and measured. This approach will enable the department to truly strive for and achieve definite improvements.