
It’s a New Year and a Good Time for a Cybersecurity Checkup

January 28, 2025

2024 was another active year in cybersecurity, with high-profile vulnerabilities and data breaches, and government and private sector responses to them. Examples include pervasive ransomware attacks targeting the healthcare, government, and education sectors, among others; foreign infiltration of telecommunications providers and the Treasury Department; and new regulatory requirements, including Department of Defense requirements for contractors, draft requirements for mandatory reporting of cyber incidents and ransomware payments (required to take effect in 2025), and new and updated state security and privacy laws and regulations. Attacks against unpatched legacy vulnerabilities, like Log4j and Microsoft Exchange, have continued.

As we move into 2025, it is a good time for businesses and organizations of all sizes to review their cybersecurity postures in light of these events and developments, the resulting lessons learned, and any new cybersecurity requirements that may apply. For those that have established cybersecurity programs, it is a good time to review and update them. For those that don’t have programs, it is a good time to start the process and follow through to implement a comprehensive cybersecurity program.

Cybersecurity is a process to protect the confidentiality, integrity, and availability of information. Comprehensive security should address people, policies and procedures, and technology. While technology is a critical component of effective security, the other two aspects are equally critical and must also be addressed.

Cybersecurity is best viewed as a part of the information governance process, which manages documents and data from creation or receipt to final disposition. Managing and minimizing data is an essential part of information governance, including security, privacy, and records and information management.

Security starts with an inventory of information assets and data to determine what needs to be protected, followed by a risk assessment to identify anticipated threats to the assets and data. The next steps are the development, implementation, and maintenance of a comprehensive cybersecurity program to employ reasonable physical, administrative, and technical safeguards to protect against identified risks. Programs covering these safeguards are frequently required by laws, regulations, and contracts for covered industries, protected information, or both.

Comprehensive cybersecurity programs are often based on standards and frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Version 2.0 (February 2024); more comprehensive standards, including NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations (November 2023), and the standards referenced in it; the Center for Internet Security's CIS Critical Security Controls, V8.1 (a prioritized set of security actions to protect against cyber-attack vectors); and the International Organization for Standardization's (ISO) ISO/IEC 27000 family of standards (consensus international standards for comprehensive Information Security Management Systems (ISMS)). A program update should include understanding and applying any changes in the applicable standards.

For example, the NIST Cybersecurity Framework has been updated to Version 2.0, which adds a new core function, Govern, to the existing Identify, Protect, Detect, Respond, and Recover functions. It recognizes that cybersecurity is best viewed as a part of the information governance process (including records and information management, security, and privacy). A cybersecurity program should cover all six of these core security functions. The CIS Critical Security Controls have been updated to V8.1, which incorporates the Govern function added by NIST.

These standards can be a challenge for small and mid-size businesses. For these organizations, the Cybersecurity and Infrastructure Security Agency (CISA) maintains a website with Resources for Small and Midsize Businesses and NIST maintains a Small Business Cybersecurity Corner website. NIST has published a Small Business Quick-Start Guide for the new version of the Cybersecurity Framework.

Businesses and organizations with cybersecurity programs should periodically review, evaluate, and update their programs. The review and evaluation should address areas such as new or changed hardware, software, and business processes; changes in personnel or job functions; supply chain changes; lessons from any security incidents; and updated threat information. They should also address emerging technology like artificial intelligence and developing defenses like passkeys, extended detection and response (XDR), zero trust architecture, and the use of artificial intelligence in cybersecurity (by defenders and attackers).

Those without programs should assign responsibility and adopt a plan and schedule for developing and implementing one.

Training is a critical part of a cybersecurity program. The goal should be to promote constant security awareness, by every user, every day, every time they use technology.

If you have questions about the content of this update, please contact David Ries (dries@clarkhill.com; 412.394.7787), Melissa Ventrone (mventrone@clarkhill.com; 312.485.0540), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
