Panelists Discuss Top 10 Controls Companies Should Have for Cybersecurity

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Yin Wilczek

March 5 — In an era of prevalent cyber breaches, panelists at a March 5 privacy conference pointed to the top 10 categories of controls and security operations they said companies should implement to help them discover hacking incidents and control data leakage.

Environmental differences within organizations—including the types of contractors, consultants and users they have and whether their code repositories are kept in-house or externally—greatly impact what sorts of controls are appropriate, said James Shreve, an associate at BuckleySandler LLP in Washington. Christopher Pierson, executive vice president, general counsel and chief security officer of Viewpost LLC, also said that systems well-designed at the front end will help companies maintain a “cleaner house.”

They spoke at the International Association of Privacy Professionals' Global Privacy Summit in Washington.

Top Controls 

The top 10 security controls are:

• access-based controls, such as network segregation and system movement restrictions;

• signature-based controls, such as firewalls, intrusion detection and prevention and data leakage protection;

• setting baselines for what is considered “normal”;

• white listing technology in which data on the white list is protected;

• indicators of compromise that seek to block connections to questionable Internet Protocol (IP) addresses;

• file integrity monitoring, where key files are monitored for modifications;

• access controls for users;

• encryption;

• network flows; and

• intelligence.

 

Among other observations, the panelists noted that signature-based controls remain necessary, especially from the standpoint of reducing legal liability. However, baselines and white listing technology are gaining in popularity and increasingly the direction in which organizations are heading, they said.

Shreve added that the more granular the baselines, the better companies can detect when something abnormal—such as access at strange times of the day—is occurring. In addition, the baselines must be constantly refined, he said.

Pierson also noted that while file integrity monitoring can be human resource-intensive, it may be worthwhile in certain segments of the business when carried out “with precision.” File integrity monitoring “can be an incredibly powerful tool” to detect file changes but must be performed “very carefully,” he said. “You must be careful how you wield this.”

Businesses more likely to use file integrity monitoring are those with well-thought out security systems and “good management,” Pierson said.

Access Controls 

Meanwhile, companies should regularly monitor their access controls for users, Shreve said. He also noted that in certain parts of their business, companies may need to be more granular with respect to access controls. At the same time, they can borrow ideas from the financial sector, where regulators such as the Securities and Exchange Commission and the Federal Deposit Insurance Corporation have actively encouraged firms to pursue better cyber practices, Shreve said.

Moreover, Shreve warned that “not all encryption is created equal.” Some forms of encryption are more secure than others, he said. He also noted that encryption can interfere with the usability of data and with other controls, such as data loss prevention.

Shreve further warned that encryption may be mandated in some instances, and he urged companies to review their legal, regulatory and contractual requirements.

As for intelligence, Shreve observed that threat information-sharing now is a favorite cybersecurity topic for lawmakers. In addition to formal information sharing—such as with industry Information Sharing and Analysis Centers (ISACs), regulators and law enforcement—companies shouldn't forget “informal” information sharing, he said.

Shreve added that companies should develop procedures for what information they will share and when and how they will share it. This is not something that should be performed on an “ad hoc basis,” he said.

To contact the reporter on this story: Yin Wilczek in Washington at ywilczek@bna.com

To contact the editor responsible for this story: Kristyn Hyland at khyland@bna.com