Interest in cybersecurity is escalating across the legal profession, reflecting the complex and potentially catastrophic threats that clients, particularly financial services firms, now face. The combined power, speed and baked-in vulnerabilities of information technology (IT) have given rise to previously unimaginable but now-endemic risks to organizations. Malicious actors can and do steal, lock or destroy confidential data, in bulk or in smaller but still-devastating caches, and then exploit the information’s resale, extortion or spite value. Moreover, even accidental errors can cause confidential information to leak, with similarly costly regulatory, litigation and business fallout.

Because these risks are deep and potentially disastrous, lawyers are increasingly tasked with counseling clients about how to contain them. Frequently this requires dispelling clients’ misconceptions about those risks and about effective countermeasures. Below we explore each of six such misconceptions that often beset organizations. Avoiding these errors is essential to fulfilling the core functions of a cybersecurity program: (1) identifying cyber-risks; (2) protecting critical infrastructure using appropriate safeguards; (3) detecting incidents; (4) responding to them; and (5) recovering from them. National Institute of Standards, Framework for Improving Critical Infrastructure Cybersecurity (v. 1.0) (2014) at 7-8 (NIST Framework).