TAG Cyber Law Journal
Predictions And Threats For The Year In Cybersecurity
March, 2018
By Legal BlackBook
Legal BlackBook: The MIT article focused on the likely future targets of cyberattacks, including cloud storage companies, data brokers who store information about people’s Web browsing habits, and infrastructure such as electric grids and voting machines. What potential targets strike you as the most important for in-house lawyers to pay attention to?
Daniel Garrie: Vendors and supply chains. They will have the biggest impact, and there is a high likelihood that they will be targeted. This presents a huge risk because larger companies can have many vendors, some of which may have connectivity to a company’s most sensitive information. If vendors get hit and they have the right level of connectivity, that can have the most material consequences to the organization.
LBB: What can they do to protect their companies?
DG: Three things. First, policies and procedures should be implemented and followed. It is not enough to simply make policies and consider the problem solved. Having a bunch of policies that no one at the company follows is a problem. Having a bunch of procedures that aren’t followed by managers or vendors is also a problem. That’s why it is critical to ensure that policies are being followed by anyone with access to company data. Second, there should be a robust structure for educating employees on good information security practices. It’s important that the training is not threat-driven, but rather engages employees and focuses on the constructive rather than destructive aspects of security. The third area is insurance. They should make sure they’ve done an evaluation and adjustment of their insurance framework and coverages, and understand where the gaps are. They need to review their insurance in light of all their risks, and then determine what they may need to insure against from a cyber perspective.
LBB: Based on your experience, how do you think they’re doing?
DG: Most of the companies I have worked with struggle with all three—at different levels, depending on the resources they have available to them.