Cyber 321: 7th January 2022 - Cybersecurity Without Insanity

Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: The 4 tech trends that we will be reading about in 2022, how to speak to the Board about cyber, and how law firms are getting on with cybersecurity.

This week’s action: Keep it simple.

If reading isn’t your thing, you can now listen to Cyber 3-2-1.

This week’s episode is accessible from https://www.buzzsprout.com/1914497/9840546

All future episodes will be accessible from this page. You can also listen and subscribe on Apple Podcasts, and soon on Google Podcasts or wherever you get your podcasts. Who needs sleeping pills when you’ve got Cyber 3-2-1!

3 ARTICLES

1: The tech that will grab the headlines in 2022

This New York Times article, republished here in The Irish Times, identifies four tech trends that will “invade our lives” (i.e. we will read more about) in 2022.

It is a good read, but as I sit here at 7am waiting for the kettle to boil, the cynic in me has control of the keyboard:

Metaverse – I’m already weary of the term ‘metaverse’ and I think there are more angles to it than just the virtual reality and digital lives mentioned in the article. Blockchain and crypto will play a role, possibly in enabling creators to earn a fairer share from their creative efforts. Although maybe this is ‘web 3.0’. Ah yes, another term I’m weary of.

Smart home – A really great idea until your Nest Thermostat randomly loses its WiFi signal and refuses to turn on the heating in the depths of Winter. By comparison, a traditional 7-day timer just works. It has a dial or screen that explains what it is doing. And it has real buttons to control it. I know a smart device can turn on my heating when I am away from home. But I prefer systems that will reliably turn on my heating when I am AT home. I don’t want ‘smart(ish)’. I want ‘simple’.

Connected health – What’s not to love about a system that will upload my health data to the cloud, so that medical professionals can ignore it and commercial organisations can exploit it?

Electric cars – Yes, they are the future. But don’t throw away perfectly-good oil burners until they really are no longer serviceable. After all, significant resources are consumed and a significant amount of CO2 is emitted to manufacture every new car, even the electric ones.

2: If you are the victim of a cyber crime, you may also become the convict

“The FTC [US Federal Trade Commission] has fired a shot across the bows of companies in US jurisdictions, telling them to get their patching in order, or face the consequences”

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

“The FTC is essentially warning companies and vendors that some vulnerabilities and patches are important enough that there’s no longer room for lead, follow, or get out of the way; there’s room only for lead.

“If there were precautions against a data breach that you could reasonably have taken, and that people would reasonably expect you to have taken, but you did not, then you could end up being both a victim and a perpetrator at the same time.”

3: Trying to get the Board’s attention? Stop the tech-speak.

“When you get a chance to speak with executives, you typically don’t have much time to discuss details. [..] It’s important to phrase cybersecurity conversations in a way that resonates with the leaders. Messaging starts with understanding the C-suite and boards’ priorities. [..] For example, if the CEO wants to increase total revenue by 5% in the next year, explain how they can prevent major unnecessary losses from a cyber attack [and thus reduce the risk of missing this 5% revenue growth target]. [..] Conversations leading with highly technical terms are unlikely to keep a C-suite or board member’s attention.”

If you are in front of your Board, I recommend you lead with real-world stories and then let the questions of board members drive the conversation. Listen to their concerns and answer their questions in plain English. You will build trust. And they may just invite you back.

(Commercial plug: I provide board training services)

2 STATISTICS

1: 79%

79% of the US law firms employing between two and nine lawyers do not have an incident response plan, according to a survey by the American Bar Association that was published in late December 2021.

“For solos and small firms, [the incident response plan] may just be a checklist plus whom to call for what, but they should have a basic plan.”

2: 30%

30% of US law firms reported receiving a cybersecurity questionnaire from at least one client, according to the American Bar Association survey.

“Clients are increasingly focusing on the cybersecurity of law firms representing them and using approaches like required third-party security assessments [..] and questionnaires.”

(Commercial plug: I help firms to assess their defences and to prepare for these questionnaires.)

1 ACTION

1: Keep it simple

This week, it’s not an action. It’s a principle.

Whether it’s smart tech or incident response planning, keep it simple.

Incident Response Planning: Start with the basics. A checklist of what you will do in the first few hours of an incident and who you will call is a simple but effective start. My guide may help.

Smart(ish) tech: Recognise that these are great toys, but don’t depend on them. Have a simple ‘Plan B’, or keep the smart(ish) stuff away from the important things.