One of the greatest challenges for organizations, including law firms, attempting to address cybersecurity risks is the number of fundamental security myths that cause organizations to incorrectly assess threats, misallocate resources and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security.
Myth #1: “It’s all about Privacy”
A very common misconception is that security only relates to the protection of personally identifiable information. While protecting personal information is clearly of critical importance, other types of information assets must also be protected. Additional information assets include trade secrets and other intellectual property (such as source code for a company’s software products), competitive information (such as customer and supplier lists), pricing and marketing data, company financial information and more.
Myth #2: “It’s all about Confidentiality”
When talking about security, the tendency is to focus on the most obvious element: ensuring data is held in confidence (i.e., the data is not used by unauthorized individuals or for unauthorized purposes). For data to be truly secure, it must be confidential, its integrity must be maintained, and it must be available when needed. These are the three prongs of the well-known information security acronym “CIA”:
- “Confidentiality” means the data is protected from unauthorized access and disclosure.
- “Integrity” means the data can be relied upon as accurate and has not been subject to unauthorized alteration.
- “Availability” means the data is available for access and use when required. It does no good to have data that is confidential and whose integrity is maintained if the data is not actually available when a user requires it. For example, ransomware attacks and denial-of-service (DoS) attacks are specifically designed to deny availability of key systems and data.
Myth #3: “To be a Hacker, you must be a Technological Expert”
It is a common error for businesses to focus their security measures on the professional hacker, that is, on protecting against individuals or entities that are highly skilled in programming and technology. Such skills are no longer a prerequisite to hacking. Today, someone with little or no knowledge of technology can readily find easy-to-use hacking tools online that are capable of causing substantial harm to a business.
Myth #4: “I can Achieve 100% Security”
Finally, one of the most common misconceptions about security is that complete security can be achieved and that complete security is in fact required by law or industry practice. Neither is correct. Both laws and industry practices require businesses to do what is “reasonable.” Complete security is not required or even realistic.
All sensitive and proprietary information, not just subsets of that data, must be accounted for in addressing and mitigating cybersecurity threats. Protection of those information assets must be addressed not only within the company or firm, but also with its external vendors, contractors and other partners. The headlines are replete with security breaches that resulted from a business entrusting its data to a third-party vendor that had inadequately protected its own systems.
When assessing security measures, the concept of CIA should be a foundational requirement. Specifically, security controls must be designed to address not only the confidentiality of data, but the integrity and availability of that data.
Applicable laws and standards require businesses to do what is reasonable to address cybersecurity threats. That means devoting an appropriate level of investment that balances usability against security. Striking an adequate balance is key to designing a successful cybersecurity approach.
This article was co-authored by James R. Kalyvas, a Partner and Transactional Lawyer at Foley & Lardner LLP.