I am the head of the firm's International Commercial Group, and established the cyber-security team back in 2010. I am a commercial lawyer engaged in providing a full spectrum of legal support to clients for their day-to-day business.
Many businesses are deterred from addressing cybersecurity by the expectation of huge bills for cyber gadgets, snake oil, and rapacious hordes of self-proclaimed cyber experts (including lawyers). They rationalise their inactivity by pointing to that huge cost saving and the confidence that comes from the fact that they haven’t suffered a cyber incident... yet.
We are incessantly told that a cyber incident is not a matter of “if” but “when”, but isn’t that simply the scare sales tactics of the gadget floggers who offer an illusion of cyber absolution? I believe the truth of the matter is that there is a good chance that sooner or later we will all be hit with a cyber incident of one form or another, whether personally or corporately. It is probably similar to the prospects of having a car accident – we all hope it will never happen but accept that the chances are it will and keep our fingers crossed that, when it does, it will be a small bump with little damage. Yet, in the case of driving cars, we insure against the chance – albeit that we are generally legally required to do so – and we generally drive cars with safety features: brakes, bumpers, seat belts, airbags etc. Odd then that many don’t adopt a similar stance when it comes to their digital lives, both personal and business.
Returning to the main point, is it correct that cybersecurity costs a king’s ransom? In a typically weaselly lawyer way, the answer is ‘possibly’. However, the follow-on is that there is a stack of measures that can be put in place which will deliver material cybersecurity benefits at no or low cost.
Let’s slay one myth immediately – there is no such thing as fully cybersafe. All you can sensibly plan, pay and hope for is a level of cyber secure. That level is down to you and setting it is where sense and affordability come to play and where it may be a good use of funds to engage a cyber expert.
When it comes to setting your level, it helps to see that, on a fantasy cyber security percentage scale (fantasy - as in my world anything much above 90% secure is myth and probably achieving a position beyond 75% secure is within the reach of nation states alone), you can get to roughly 55% secure without breaking the bank, albeit possibly having to break into sweat instead.
In order of priority, here are a baker’s dozen steps to get you to, or close to, your 55% cybersecurity:
Get a senior management level sponsor. First step and very much a case of if you can’t get this you will struggle to pass Go. Without board support you are entering a Sisyphean world of pain and disappointment. Cost – Free.
Assess your key cyber risks. Consider who poses real cyber threats to the company and what their motivations may be. The evaluation promotes prioritised focus, activity and expenditure. Cost – Free. What article on cybersecurity could be complete without a quote from Frederick the Great? – “Little minds try to defend everything at once, but sensible people look at the main point only; they parry the worst blows and stand a little hurt if thereby they avoid a greater one. If you try to hold everything, you hold nothing.” Well said, Fred.
Introduce and rigorously enforce a routine that implements security patches, updates and releases as swiftly as possible. A patch is issued once a vulnerability has been found, and you can safely assume that the villains found the vulnerability some months before the patch was released. Cost – Free. [NIST SP 800-34]
Apply encryption to all devices and require multifactor authentication. Cost – Low. [NIST SP 800-63B]
Buy the best firewall you can afford and scrupulously keep it up to date. Deploy continuous monitoring processes to detect and respond to anomalous activity and to assist in the response to incidents. Cost – Medium. [NIST SP 800-137]
Set and enforce a realistic password policy. If passwords must be too long, or too demanding in their mix of characters, numbers and symbols, the likelihood is that humans will find a workaround, and that workaround will be less secure than where you started. So, think along the lines of a twelve-character password requirement with at least one symbol and one number. As for forcing password changes, if the change is required too often humans will adopt the obvious alphabetic or numeric escalation route (the same password with the last letter or digit bumped), which rather defeats the object. So, seek a change, say, once a quarter. Cost – Free.
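The policy above is concrete enough to be enforced in code. The following is an added example written for this article, not the author's or any vendor's tooling: it applies the twelve-character, one-symbol, one-number rule, treats one quarter as 91 days (an assumption), takes Python's `string.punctuation` as the symbol set (another assumption), and, because the passage warns about "escalation" when changes are forced too often, it also rejects a new password that is merely the old one with its trailing number or letter bumped, appended or dropped.

```python
import re
import string
from dataclasses import dataclass, field
from datetime import date

# Policy values taken from the article: twelve characters, one symbol, one number,
# a change roughly once a quarter. The 91-day quarter and the use of
# string.punctuation as the symbol set are assumptions made for this example.
MIN_LENGTH = 12
MAX_AGE_DAYS = 91
SYMBOLS = set(string.punctuation)

# A trailing run of digits, or a single trailing letter, is the part people
# "escalate" when forced to change a password too frequently.
_TAIL = re.compile(r"(.*?)([0-9]+|[A-Za-z])")
_SUFFIX = re.compile(r"[0-9]+|[A-Za-z]")


def _core(password):
    """Drop trailing symbols so that 'Winter24!' and 'Winter25!' are compared on the stem."""
    return password.rstrip(string.punctuation)


def _split_tail(core):
    """Split 'Winter2024' into ('Winter', '2024'); no tail means no split."""
    match = _TAIL.fullmatch(core)
    return (match.group(1), match.group(2)) if match else (core, "")


def is_trivial_escalation(old, new):
    """True when `new` is `old` with only a trailing number or letter bumped,
    appended or removed, ignoring trailing symbols: the change the article
    says over-frequent rotation provokes."""
    old_core, new_core = _core(old), _core(new)
    if old_core == new_core:
        return True  # only trailing symbols changed, e.g. "Pa$$word1" -> "Pa$$word1!"
    short, long_ = sorted((old_core, new_core), key=len)
    if long_.startswith(short) and _SUFFIX.fullmatch(long_[len(short):]):
        return True  # a number or letter was simply appended or dropped
    old_stem, old_tail = _split_tail(old_core)
    new_stem, new_tail = _split_tail(new_core)
    return bool(old_tail and new_tail) and old_stem == new_stem


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def check_password(candidate, previous=None):
    """Apply the article's composition rule, plus the escalation check when the
    previous password is supplied."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in candidate):
        reasons.append("no number")
    if not any(ch in SYMBOLS for ch in candidate):
        reasons.append("no symbol")
    if previous is not None and is_trivial_escalation(previous, candidate):
        reasons.append("trivial change from previous password")
    return PolicyResult(ok=not reasons, reasons=reasons)


def rotation_due(last_changed, today=None):
    """True once the password has gone more than a quarter without a change.
    Dates are ISO strings, e.g. '2024-01-01'."""
    today_d = date.fromisoformat(today) if today else date.today()
    return (today_d - date.fromisoformat(last_changed)).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs.
    for old, new in [("Winter2024!!", "Winter2025!!"),
                     ("Winter2024!!", "Correct-Horse-Battery-7")]:
        print(new, "->", check_password(new, previous=old))
    print("rotation due:", rotation_due("2024-01-01", today="2024-04-15"))  # True
```

The escalation check is the part worth copying: a composition rule on its own is satisfied by "Winter2025!!" just as well as by "Winter2024!!", so a policy that forces changes without comparing against the previous password gets exactly the behaviour the passage describes.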
Develop a cyber incident response plan (CIRP) to map how you will deal with an incident when it hits. Having a CIRP won’t necessarily save you from an incident, as sadly we can’t predict the future, but it should enable you to respond to an incident more swiftly and effectively. There is a myriad of free guidance on the internet on how to write a decent CIRP. If you have the energy, you can get an extra star by developing what are often referred to as ‘playbooks’, where you refine your CIRP to craft a map for how you will address likely forms of attack – such as what will we do if we suffer a ransomware attack? Cost – Free if you do it yourself, or Low if outsourced to or approved by a cyber expert. [NIST SP 800-61]
Identify your cyber response team and engage them in a thorough review of the CIRP. As a rule, seek to keep the team as small as you can so that it can be agile and decisive. My core dream team for a major corporate includes the following badges or their equivalent: CISO/CTO, COO, DPO and Head of Legal/GC. I would have the CEO and COO on speed dial. Cost – Free.
Introduce strict access controls. These should be based on the principle of least privilege where authorised users are given the minimum levels of access or permissions needed to enable them to perform their jobs. Cost – Free. [NIST SP 800-53]
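Least privilege has two halves: deny anything not explicitly allowed, and keep trimming what is allowed down to what the job actually needs. The following is an added example written for this article, not the author's or any product's code: roles are explicit allow-lists of (resource, action) pairs, the check fails closed for unknown users, roles or actions, and an entitlement review lists the permissions a user holds but has not exercised within a 90-day window. The roles, users, access log and the 90-day window are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumption: real roles, users and logs will differ).
# Each role is an explicit allow-list of (resource, action) pairs; anything
# not listed is denied.
ROLE_PERMISSIONS = {
    "finance_clerk": {("invoices", "read"), ("invoices", "create")},
    "finance_manager": {
        ("invoices", "read"), ("invoices", "create"),
        ("invoices", "approve"), ("payroll", "read"),
    },
    "it_admin": {("servers", "read"), ("servers", "patch")},
}

USER_ROLES = {
    "amal": {"finance_clerk"},
    "bilal": {"finance_manager"},
    "carol": {"it_admin"},
}

# Constructed access log: (user, resource, action, ISO date of the last use).
ACCESS_LOG = [
    ("amal", "invoices", "read", "2024-06-28"),
    ("amal", "invoices", "create", "2024-06-27"),
    ("bilal", "invoices", "read", "2024-06-01"),
    ("bilal", "invoices", "approve", "2024-05-20"),
    ("bilal", "invoices", "create", "2024-01-10"),
    ("carol", "servers", "patch", "2024-06-29"),
]


def permissions_for(user):
    """Union of the allow-lists of every role the user holds (empty for unknown users)."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_permitted(user, resource, action):
    """Deny by default: unknown users, roles, resources and actions all fail closed."""
    return (resource, action) in permissions_for(user)


def unused_permissions(user, log=ACCESS_LOG, today="2024-06-30", window_days=90):
    """Permissions the user holds but has not exercised within the window.

    These are the candidates for removal when trimming access to the minimum
    needed for the job; run it ahead of each access review."""
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    used = {
        (resource, action)
        for who, resource, action, when in log
        if who == user and date.fromisoformat(when) >= cutoff
    }
    return sorted(permissions_for(user) - used)


if __name__ == "__main__":
    print(is_permitted("amal", "invoices", "read"))     # True
    print(is_permitted("amal", "invoices", "approve"))  # False
    for user in USER_ROLES:
        print(user, "could lose:", unused_permissions(user))
```

In the sample data the finance manager has not approved payroll or created an invoice for a quarter, so the review proposes removing those two entitlements; the clerk, who uses everything granted, keeps the lot. Running this kind of review on real entitlement and usage data is how "minimum levels of access" stays true after the initial set-up rather than only on day one.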
Train the troops. A base level of cybersecurity training is relevant to all – both for work and home life. Those in positions of cybersecurity responsibility should clearly be trained to a more sophisticated level. Cost – Low. [NIST SP 800-50]
Test. Periodically commission a certificated testing expert to attempt to break into your castle. A penetration test can expose the false sense of security you may be sitting in. Cost – Medium. [NIST SP 800-30]
Practice, practice. With your shiny new CIRP, possibly the playbooks and your bright-eyed and enthusiastic response team, it’s time to run a simulation. The more realistic you can make it, the better; tick box simulations, while common, are of minimal value. It will also often highlight the core focus for your business when dealing with an incident. A well-run simulation will pay dividends allowing you to adjust and improve your CIRP, playbooks (including bending them to meet the identified core focus) and responder team. From experience, simulation is something that should always be run by external experts and should not be something to scrimp on. So, this will be a cost but one that I consider delivers real value. Cost – Medium. [NIST SP 800-50]
Decommission obsolete systems and applications. Obsolete kit can often open a vulnerability to a system as the developer/vendor will have stopped supporting the kit including the issue of any vulnerability patches. Cost – Free.
If you wish, or need, to push the dial up from 55% then come and have a chat.
At the risk of infecting a predominantly practical article with a smattering of law, you should also evaluate how your security stance and resilience preparations compare with both local and international frameworks, standards, and applicable regulations. So, compare with leading international standards such as the NIST framework (you will see the NIST cross references against most of the baker’s dozen above) and/or the CIS Controls framework. For the local yardsticks, consider the guidance issued by:
For KSA – the framework and guidance and Essential Cyber Security Controls issued by the Saudi National Cybersecurity Authority, and the KSA Personal Data Protection Law (fully in force from 14 September 2024).
For the UAE – the Cyber Security Council's Information Assurance Regulation and the UAE Personal Data Protection Law (awaiting the Executive Regulations).
My special thanks to Christopher Murphy, Managing Director, Head of Middle East Cybersecurity, at FTI Consulting for his invaluable insights and expertise in contributing to this article.