Legal frontiers in cybersecurity
By Tal Williams and Joann Yap, Holman Webb Lawyers
A. Top four strategies to mitigate cyber attacks
Lawyers, and in-house counsel in particular, need to understand and be prepared to develop a culture of cybersecurity awareness in their own organisations, as well as to assist clients with their own infrastructure and processes. While no system can be made impenetrable, the Australian Signals Directorate (ASD) has published a report on the security effectiveness of 35 strategies to mitigate cyber intrusions, measured against metrics including relative user resistance, upfront cost and maintenance cost. The ASD found that at least 85% of the intrusions it responded to in 2011 involved unsophisticated adversaries and would have been mitigated by implementing the top four strategies as a package.
Accordingly, the ASD has listed the top four strategies as essential for overall security effectiveness to protect an organisation from low to moderately sophisticated intrusion attempts. The ASD's report found that the remaining strategies can be selected for implementation in conjunction with a risk assessment, to plug security gaps until an acceptable level of residual risk is reached. The top four are:
- Application whitelisting: only specifically authorised applications are allowed to run on a system, protecting computers and networks from malicious or unapproved applications.
- Patch operating system vulnerabilities: a patch is a piece of software designed to update a program or its supporting data, add a feature, fix a bug or add documentation. Operating systems should typically be patched within two days of a vulnerability being made public.
- Patch applications: specific applications such as Java, Flash and Microsoft Office should likewise be patched within two days for serious vulnerabilities.
- Restrict administrative privileges: administrators are frequent targets because of their high level of access to an organisation's ICT systems. Minimising administrative privileges makes it harder for an intruder to spread through a system or hide their presence on it. Additionally, separate accounts with IT administrator privileges but without internet access should be created.
B. US Framework
As a result of President Obama's Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", the US National Institute of Standards and Technology (NIST) has published a comprehensive guide to the US Cybersecurity Framework. It is structured around five functions: Identify, Protect, Detect, Respond and Recover. While now about 18 months old, and not directly referable to Australian standards, it outlines a useful approach that could be adapted for local purposes.
C. What other reasonable steps should organisations take in the context of privacy?
The Office of the Australian Information Commissioner's (OAIC) "Guide to securing personal information" (the Guide) provides further guidance on the reasonable steps organisations should take under the Privacy Act to protect personal information. While the Guide is not legally binding, the OAIC has stated that it will refer to it when investigating whether entities have complied with their personal information security obligations or when undertaking assessments.
Broadly, the Guide considers steps and strategies across the following non-exhaustive areas:
- governance, culture and training;
- internal practices, procedures and systems;
- ICT security;
- access security;
- third party providers, including cloud computing;
- data breaches;
- physical security;
- destruction and de-identification; and
- standards.
Lawyers will need to consider their client's risk profile (such as the sensitivity of the data the client holds) and response plans across these and other areas, including notification of affected individuals and the OAIC where there is a data breach. Cybersecurity should be approached comprehensively and holistically, not simply as a matter of defending the perimeter. Lawyers should understand what data is held on their client's systems, including where that data is located (for example, in the cloud), and understand the threat profile attached to it.
Take, for example, the OAIC's own-motion investigation of Cupid Media Pty Ltd (Cupid Media). The outcome of that investigation illustrated that, at a minimum, organisations holding personal information should ensure that customer passwords are encrypted, and that more stringent steps are required of organisations handling sensitive information. Lawyers should also ensure that clients have a system or procedure in place to audit, identify and destroy or permanently de-identify information that is no longer required or used.
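As an added illustration of the two points in this paragraph (example code written for this extract, not from the article, the OAIC or Cupid Media): the account store keeps only a salted, slow one-way hash of each password, which is the usual way to meet the expectation that stored customer passwords are protected rather than held in the clear, and a retention check destroys records that are no longer in use. The PBKDF2 parameters, the record format and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# PBKDF2-HMAC-SHA256 parameters (assumed values; tune the iteration count
# so that one hash takes a noticeable fraction of a second on your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Store a salted, slow one-way hash, never the password itself.

    The record is self-describing so the parameters can be raised later:
    algorithm$iterations$salt_hex$hash_hex
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def purge_stale_accounts(accounts: dict, today_iso: str, retention_days: int) -> list:
    """Delete accounts idle beyond the retention period; return the removed ids."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    stale = [uid for uid, acct in accounts.items()
             if date.fromisoformat(acct["last_login"]) < cutoff]
    for uid in stale:
        del accounts[uid]  # destroy the whole record, password hash included
    return stale


def build_sample_accounts() -> dict:
    """Constructed sample data (not from any real system)."""
    return {
        "u1": {"last_login": "2015-08-30", "pw": hash_password("correct horse")},
        "u2": {"last_login": "2013-01-15", "pw": hash_password("hunter2")},
    }


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print(verify_password("correct horse", accounts["u1"]["pw"]))  # True
    print(purge_stale_accounts(accounts, "2015-09-01", 365))  # ['u2']
```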
Conclusion
While it is impossible for organisations to construct impenetrable defences across systems, peripheral devices and even Internet of Things products without limitless resources, it is imperative for lawyers to work collaboratively with board members, IT professionals and all parties in the supply chain to drive a dedicated and fully considered approach to cybersecurity. Appropriate data protection and risk management processes must be in place, audited and reviewed periodically. Attention must be paid to regulatory requirements and guidance so as to limit any potential damage should a cyberattack occur. In this ever-changing space, continued vigilance and attention to new and current methods, policies, systems and procedures is fundamental if organisations are to minimise the chance of a cyberattack.
Note: This is an extract from Internet Law Bulletin, September 2015, Volume 18 No 6.