In the past 18 months, there has been a steady procession of stories about top U.S. companies that have suffered major network intrusions. The companies come from a diverse cross-section of the economy, including the technology, telecommunications, finance, retail, energy and health care sectors. Some have entered into multi-million dollar settlements with consumers, some have paid hefty regulatory fines and some are embroiled in costly litigation. And the costs associated with such intrusions continue to rise.
Companies interviewed by the Ponemon Institute for its “2010 Report on the Cost of a Data Breach” reported an average cost of $7.2 million for responding to a breach, up 7 percent from the previous year. The value of proprietary information stolen from U.S. companies’ networks over the last year was nearly $500 billion, according to Congressman Mike Rogers, chairman of the House of Representatives Permanent Select Committee on Intelligence.
Computer intrusions are so prevalent that every company has reason to be concerned. The tradecraft of the intruders is sophisticated. Many of the companies that come to us for help responding to and remediating network intrusions discover that the intruders have been in their networks undetected for more than a year.
Based on our work with clients, network security vendors, and the law enforcement and national security community, we estimate 30 percent to 40 percent of major U.S. companies are currently unwitting victims of ongoing computer intrusions. An additional 10 percent to 20 percent have detected an intrusion and are assessing their losses, improving their network security practices and struggling to reclaim control of their networks.
What can in-house counsel do to protect against and prepare to respond effectively to a network intrusion? The following “ounce of prevention” measures can help prevent an intrusion, mitigate the damages from an intrusion and save companies expenses associated with response and remediation, litigation, lost revenue and lost business. And when in-house counsel coordinate these measures in order to provide legal advice to a company, the information developed is protected against discovery by the attorney-client privilege.
1. Know your network. The first step in every intrusion response is to map the network. By mapping your network prior to an intrusion you can determine ways to enhance your network's security, ensure compliance with privacy, cybersecurity and data protection regulations and prepare your company to respond quickly and forcefully in the event of a network attack.
What is your network architecture? Is it segmented or flat? Can an intruder who compromises one part of the network easily move to other parts? How are user privileges managed? Are key network activity logs kept and aggregated, particularly for the sensitive parts of your network?
2. Know your data. What types of data does your company maintain? Do you have personal identifying information, health records, confidential data protected by contract or other sensitive types of information? Consider having a privacy review now so you understand what sensitive data you possess, how you are protecting it and the risks and obligations your company may incur if the confidentiality of that data is compromised.
3. Review your network security policies. What are your company’s policies regarding network passwords, remote access and removable media? Does your company permit individual users to administer their own computers and download applications and other software? Have you obtained your users’ consent to monitor the network in order to detect intrusions?
4. Develop an incident response plan. Do you have a written plan with identified leadership and clearly defined responsibilities? What vendors will you engage for forensic analysis, intrusion response and network remediation? How will your company amass the necessary information technology resources to respond to an intrusion? Are you prepared with a crisis communications strategy that takes into account your employees, investors, customers, government regulators and the public?
Taking these prophylactic steps can prevent, or minimize the damage from, an attack.