“The message here is please think before you click,” said Ray Kelly, vice chairman of K2 Intelligence.
If anybody would know, it’s Kelly. Formerly the longest-serving commissioner of the New York Police Department (NYPD), he has seen the damage that outside threat actors can have on organizations. And as the keynote speaker at ALM’s cyberSecure event in New York on September 27, he said that cyber attacks are among the most dangerous attacks he has ever seen.
“Yes, the threat may change, but our vigilance is as strong as it’s ever been,” he explained.
From experience, Kelly noted that vigilance from corporate legal departments requires a two-pronged approach. First, companies need a team, either internally or externally, that can respond quickly when suspecting a breach. Second, organizations need a comprehensive business continuity plan for cybersecurity defense.
Both the team and the plan need to encompass the entire organization, he cautioned. “Cyber has to be everyone’s problem and everyone’s concern, from the IT center to the executive suite. Particularly the executive suite.” If cyber isn’t a priority from up top, he added, “it won’t be effective for very long.”
Once that tone from the top is set, it’s incumbent on businesses to respond with a practical action plan. Kelly laid out his own plan in four distinct steps, which he said was designed to roll out immediately. The first step is to recognize the threat, though Kelly added that this is easier said than done.
“Those high profile reports are chilling. But the everyday reality of cybercrime happens far from public view,” Kelly said. “This is mostly about money, scamming and squeezing it away from people who have some.”
Second, Kelly reiterated that the cyber plan should start at the top. He explained that this not only means carrying out a plan, but the overall organizational attitude towards stopping cyber threats. While some may feel being breached is inevitable, Kelly said, “Don’t accept that, because that attitude becomes a justification for accepting intrusion from cyber criminals.”
The third step in Kelly’s plan is to ally with knowledgeable professionals. Cybersecurity can be a daunting task, especially for lawyers that often need to focus on other parts of the practice.
“The threats are constantly changing, and few organizations have the expertise,” he advised. “Usually this means bringing in outside experts. Go for the best; it’s money well spent.”
Finally, he explained that organizations should be monitoring their defenses constantly. He noted that businesses cannot rely on government alone, many software products provide only basic security, and the threats are constantly evolving.
“This one will not be won overnight. … It requires constant monitoring. This is not a fix it and forget it problem,” Kelly said.
While this four step plan may seem simple, each step can provide pitfalls for even the savviest businesses. As Kelly noted, some have said that it’s not a matter of if you’re going to be breached, but when. And for many organizations, true cybersecurity protection will not happen without a change in mindset.
“We have to shift our thinking from building walls to managing risk,” Kelly said. “Because guess what, those walls don’t work anymore.”