The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Training

  • From Vol. 4 No. 41 (Dec. 5, 2018)

    Tips from EY’s Forensics Team on Recognizing and Preventing BEC Attacks

    While headlines often feature enormous data breaches and large-scale infrastructure attacks through malware such as ransomware, another kind of cyber attack has been on the rise: sophisticated social engineering known as business email compromise (BEC). In this article, we cover the trends and preventive measures for BEC attacks that were discussed by three members of EY’s Forensic & Integrity Services team at a recent webinar. “What we’re seeing in general around cyber attacks is that cyber criminals have moved away from targeting infrastructure alone,” said U.K. partner Ryan Rubin. “They’ve been very successful in targeting individuals and people within organizations. We suspect this might be the number one type of attack in 2018 that people will refer back to, rather than very complex cyberattacks that we also do see in the news.” See also “Multimillion-Dollar Scheme Serves As Backdrop for Lessons on Preventing and Mitigating Phishing Attacks” (Apr. 5, 2017).

  • From Vol. 4 No. 41 (Dec. 5, 2018)

    Answers to Four Critical Questions on Privilege in Internal Investigations

    Many lawyers do not understand the concept of privilege fully, Stuart Altman, senior vice president and global CCO at Las Vegas Sands Corp., observed at a recent webinar hosted by Strafford. A privileged communication is one “between client and lawyer sent under confidential conditions for purposes of seeking or providing legal advice,” he explained. When it comes to internal investigations, it can be difficult to determine what constitutes a communication covered by the privilege, who counts as an attorney, who counts as a client and when privilege might be waived. Altman was joined by Michael Hayes, a partner at Montgomery McCracken Walker & Rhoads, in discussing the nuances of the answers to these four key questions. See our three-part series on protecting attorney-client privilege and attorney work product while cooperating with the government: “Establishing Privilege and Work Product in an Investigation” (Feb. 8, 2017); “Strategies to Minimize Risks During Cooperation” (Feb. 22, 2017); and “Implications for Collateral Litigation” (Mar. 8, 2017).

  • From Vol. 4 No. 25 (Aug. 15, 2018)

    How to Build a Cybersecurity Culture Using People, Processes and Technology

    While organizations strive to have strong security technology and effective cybersecurity policies, ultimately, one of the most powerful ways to protect themselves is to create a culture of security. The Cybersecurity Law Report spoke with Pamela Passman, president and CEO of Center for Responsible Enterprise And Trade (CREATe.org) about why creating a culture of cybersecurity from the break room to the boardroom is essential, and how to accomplish that. “Culture matters because it affects the company’s ability to function and get worth out of its innovations,” said Passman. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

  • From Vol. 2 No. 21 (Oct. 19, 2016)

    SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case

    While regulators and companies have recently focused on cybersecurity efforts to keep data secure, the SEC’s recent administrative proceeding against Deutsche Bank Securities Inc. (DBSI) emphasizes that policies and practices to secure data must also safeguard nonpublic information against every channel of dissemination, from emails and chats to telephone calls and in-person meetings. The SEC announced last week that DBSI agreed to pay a $9.5 million penalty for (1) failing to properly safeguard material nonpublic information generated by its research analysts, (2) publishing an improper research report and (3) failing to properly preserve and provide electronic chat records sought by the SEC. The SEC emphasized that employees must receive clear definitions and training so that they understand what information should not be shared. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No. 15 (Jul. 20, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part One of Two)

    In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often take different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms are often applied inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No. 7 (Mar. 30, 2016)

    Twenty Ways a Company Can Use Behavioral Psychology to Improve Compliance

    Limited compliance resources can be a challenge, but there are ways to get the compliance message across without breaking the bank. Whether it is a cybersecurity or an anti-corruption compliance message, behavioral psychology can be used to encourage people to do the right thing in their jobs, Virginia MacSuibhne, vice president and general counsel of Ventana Medical Systems, explained during a recent Clear Law Institute program. MacSuibhne presented 20 inexpensive, but effective, communication tools that can be used to assure that a compliance message hits home. See “Defining, Documenting and Measuring Compliance Program Effectiveness” (Jan. 20, 2016).
  • From Vol. 2 No. 6 (Mar. 16, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Three of Three)

    An effective employee cybersecurity program does not start or end with a single training session. To combat evolving threats, companies need to establish ongoing communications with employees and continuously evaluate their training program. In this final article in our three-part series on the topic, outside counsel, consultants and in-house experts provide actionable insight and recommendations on how companies should follow up after the initial training. They also address the challenges of establishing an employee cybersecurity training program and how to handle training when dealing with third-party vendors. Part one of the series discussed tailoring policies and training to the type of company and universe of employees, and part two highlighted ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No. 5 (Mar. 2, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Two of Three)

    Cyber threats, commonly attributed to outside malfeasance, often originate from within – employees’ negligence or lack of awareness can open the door for cyber criminals. Establishing an effective employee cybersecurity training program can go a long way in combating that threat. The process can be distilled into three phases: (1) designing the relevant policies and planning the best training approach, considering the type of company and universe of employees; (2) ensuring the necessary topics are covered effectively during the actual training sessions; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively. In this second part, outside counsel, consultants, and in-house experts provide insight on ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. Part one provided advice for developing the proper program based on the company’s industry and types of employees. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No. 4 (Feb. 17, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part One of Three)

    While cyber threats are frequently attributed to outsiders, many breaches are caused, often inadvertently, by company employees. The effective training of employees to keep data secure and respond properly to breaches is a hallmark of any cybersecurity program. The development and implementation of a good training program can be broken down into three phases: (1) designing the training policies and planning the best training approach, considering the type of company and types of employees; (2) conducting the actual training sessions and ensuring the necessary topics are covered effectively; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively, with insight from outside counsel, consultants, and in-house experts. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No. 3 (Feb. 3, 2016)

    Minimizing Breach Damage When the Rubber Hits the Road

    When a cybersecurity incident is discovered, a company’s first steps are crucial to minimizing the damage. Kirk Nahra, a partner at Wiley Rein, gave candid, practical advice on breach response at the recent IAPP conference. He discussed, among other things, the importance of training employees about breach reporting; how the terms a company uses to describe a breach may come back to haunt it; when privilege should not be preserved; and how getting all of the healthcare providers and vendors in the country into the Dallas Cowboys’ stadium to streamline their contracts could save billions of dollars. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 1 No. 14 (Oct. 14, 2015)

    How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies (Part One of Two)

    Many companies now allow employees to use their own devices for work email and other work-related functions. Allowing employees to “bring your own device,” or BYOD, provides companies with cost savings and employees with flexibility, but also presents serious cybersecurity challenges. This first article in our two-part series on designing cybersecure BYOD policies discusses BYOD risks and recommends strategies to reduce these risks, including employee training. Part two will discuss mobile device management tools and software as well as handling lost devices, outgoing employees and discovery. See “Strategies for Preventing and Handling Cybersecurity Threats from Employees,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No. 14 (Oct. 14, 2015)

    Eight Ways Compliance Officers Can Build Relationships With the “Middle”

    Whether it is cybersecurity, privacy or any other type of regulatory compliance, the much-talked-about “tone at the top” is often cited as crucial for an effective compliance program. See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two, Vol. 1, No. 4 (May 20, 2015). Ensuring that tone is conveyed throughout the organization, however, is equally important. Getting the compliance message across typically falls on an organization’s middle managers. A recent Society of Corporate Compliance & Ethics program featuring Charlotte Nafziger, director of compliance of T-System, Inc., explored the importance of middle management in developing an effective ethics and compliance program and the ways compliance officers can engage middle management in doing so.

  • From Vol. 1 No. 8 (Jul. 15, 2015)

    How to Prevent and Manage Ransomware Attacks (Part One of Two)

    Ransomware attacks can cause substantial disruption and damage by tempting a single employee to click on a link or visit a malicious site. “The threats are getting more and more sophisticated every day in terms of the malware itself and the delivery,” Judy Selby, a partner at BakerHostetler, said. This article, the first part of a two-part series, explains the threat and suggests steps that companies can take to prevent ransomware attacks and mitigate the impact if one does occur. The second article will address how to handle a ransomware attack and when and how to report and work with law enforcement. See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No. 1 (Apr. 8, 2015)

    Strategies for Preventing and Handling Cybersecurity Threats from Employees

    Not all data breaches stem from trained cybercriminals; in fact, many cybersecurity incidents come from the inside. They are initiated by an employee’s inadvertent mistake or intentional act. In this interview with The Cybersecurity Law Report, Holly Weiss, a partner in the Employment & Employee Benefits Group, and Robert Kiesel, a partner and chair of the Intellectual Property, Sourcing & Technology Group, at Schulte Roth & Zabel, discuss: the two categories of internal cybersecurity threats (inadvertent and intentional); specific ways to protect against those threats, including effective training methods and “bring your own device” policies; and the effect of relevant regulations.
