Protecting Your IP: Data Security for Software Technology
Download as PPTX, PDF1 like311 views
The document discusses the prevalent cybersecurity threats faced by organizations, emphasizing that many breaches are due to weak security practices and insider negligence. It outlines the essential components of a robust cybersecurity strategy, including employee training, strong policies, and effective incident response planning. Additionally, it provides a hypothetical scenario illustrating the potential consequences of cybersecurity failures, highlighting the importance of preparedness.
Protecting Your IP: Data Security for Software Technology
- 3. www.solidcounsel.com What do you think? Sophisticated James Bond-like attacks? or Simple things, people doing dumb things?
- 4. www.solidcounsel.com The real-world threats are not so sophisticated. Easily preventable • 90% in 2014 • 91% in 2015 • 63% confirmed breaches from weak, default, or stolen passwords • Data is lost over 100x more than stolen • Phishing used most to install malware Easily preventable • 90% in 2014 • 91% in 2015
- 5. www.solidcounsel.com Start with the basics. “Some people try to find things in this game that don’t exist but football is only two things – blocking and tackling.” -Vince Lombardi * If you want to talk deep programming- type issues, see Section VII of paper.
- 6. www.solidcounsel.com Our objective is to protect IP. Which of the following aspects of the IP are we most focused on protecting? 1. Confidentiality 2. Integrity 3. Availability 4. All of the above “CIATriad” of cybersecurity
- 7. www.solidcounsel.com Cybersecurity “CIA” examples. Stuxnet Integrity German steel mill Integrity Sony Availability Confidentiality Target Confidentiality
- 8. www.solidcounsel.com Malicious • compete • newco • Sabotage • disloyal insider Negligence • email • usb • passwords Blended • foot out the door • misuse of network • stealing data • negligence with data • violate use policies Hacking / Cracking Social Engineering Malware Stealing Planting Corrupting Who are the primary threats?
- 10. To protect IP, you must: • Protect our companies’ data • Confidentiality • Integrity • Availability • Against threats from • Insiders • Outsiders • Third-party partners
- 11. www.solidcounsel.com Cybersecurity needs for companies (and firms). Strong cybersecurity basics. Policies and procedures focused on cybersecurity. Social engineering. Password and security questions Training of all employees. Phish all employees (esp. executives). Signature based antivirus and malware detection. Multi-factor authentication. Backups segmented from the network. Incident response plan. Encryption for sensitive and air-gap for hypersensitive data. Adequate logging and retention. Third-party security and supply chain risk management.* Intrusion detection and intrusion prevention systems.*
- 12. www.solidcounsel.com Incident Response • Appendix A • Goal is to execute IRP • This is check list, not an IRP • How detailed? • Tabletop exercises
- 13. www.solidcounsel.com Cyber Risk Assessment Strategic Planning Deploy Defense Assets Develop, Implement &Train on P&P Tabletop Testing Reassess & Refine Cybersecurity Risk Management Program
- 14. www.solidcounsel.com Hypothetical. You have become very wealthy over the last 5 years working for one client, PayDaBills, Inc., which has given you so much business that it is now your only client. PayDaBills was a start-up when you met and you have been its trusted advisor for all things legal. Its leaders rely on you to alert and advise them on risks that could impact the company as they focus all of their time on promoting PayDaBills’ product, a highly-sophisticated computer program that is its only asset. PayDaBills runs lean and mean with only the executives/sales people, 2 developers, and an office admin. The developers are “computer savvy” and set up the computer network when they started. Because the computer program is so valuable, they keep its source code on a network drive with limited access rights and highly encrypted. It is a beautiful Friday afternoon and you are with PayDaBills’ CEO for your weekly golf game – the first round of drinks just arrived.
- 15. www.solidcounsel.com 1:05 PM: CEO’s phone rings, it is Admin, he lets it go to voicemail. She is calling to tell him that the website link in his email to her did not work – it didn’t sound important, like she was confused, so he did not call back. 1:45 PM: Admin calls again, this time CEO answers. She tells him that her computer is frozen up and Developers are complaining that the network is slowing down. CEO asks to talk to one of the Developers. 2:05 PM: Developer calls and tells CEO that the entire network is encrypted and there was a demand for $50k Bitcoin, paid in 72 hours, to get the decryption key. But, it is not a big deal because they have recently backed up the network. 2:25 PM: Developer calls back, back up copy of network was also encrypted. But, not to worry, there is a monthly back up stored offline, they will use to restore. 3:45 PM: Developer calls CEO. They attempted to restore the only backup copy but somehow it too was then encrypted. 3:47 PM: CEO turns to you. You say, “I heard about something like this at a conference but I thought the speaker was making a big deal out of nothing.”
- 16. www.solidcounsel.com • Board of Directors & General Counsel, Cyber Future Foundation • Board of Advisors, NorthTexas Cyber Forensics Lab • Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016) • SuperLawyersTop 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer &Technology Section, State Bar ofTexas • Privacy and Data Security Committee of the State Bar ofTexas • College of the State Bar ofTexas • Board of Directors, Collin County Bench Bar Foundation • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association • Information Security Committee of the Section on Science &Technology Committee of the American Bar Association • NorthTexas Crime Commission, Cybercrime Committee • Infragard (FBI) • International Association of Privacy Professionals (IAPP) • Board of Advisors Office of CISO, Optiv Security • Editor, Business Cybersecurity Business Law Blog Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com