When it comes to cybersecurity – what is your weakest link?
Confidentiality is key. The digitalisation of arbitration processes brings a new focus on protection against data breaches. Lise Alm, Head of Business Development at SCC, offers a checklist with the where, when and how questions needed for assessing your vulnerabilities.
One of the central features of international arbitration is that it is confidential: the parties can choose to resolve their disputes in a private setting. This requires that information intended to be private stays that way, that the walls around your data are tight.
When assessing cyber related risks, you need to find your weakest link. The best weapon you have against exposure of your data is your inside knowledge about your own weaknesses and vulnerabilities. To find your weakest link, you need to look at your process from several different angles. This is not something that can be delegated entirely to an IT department. Someone close to the process needs to take active part in the analysis, and everyone in the process needs to evaluate his or her own role. Below are some starting points for a vulnerability analysis based on our experience in business development at the SCC.
When thinking of cybersecurity, it’s easy to envision a hacker sitting in a basement exploiting vulnerabilities in your software and computer programs. While this is not irrelevant, it’s far from the only threat. When assessing your vulnerabilities, you need to look at every entry point an intruder could use. While software might be the front door, leaving a window open could have the same consequence. Here are some aspects to consider.
- Software – which programs do you use? Do you use VPNs? Are there any restrictions on who can install software on your computer, including external parties?
- Hardware – are your computer and phone adequately protected, and how are passwords handled? When may you plug in external hardware, like USB sticks? Do external people ever handle your hardware?
- Networks – which networks outside the office are safe to use, and which are not (e.g. public Wi-Fi)?
- Physical environment – what does your surroundings look like from where you access the information? Is there a risk that printouts could end up in the wrong place?
- Social engineering – is there a risk that you, or someone in your team, could be tricked into handing out data voluntarily? The easiest entry point for an intruder might be to play on the good nature of someone in your team, e.g. by asking them to print something and thereby open a harmful attachment.
The arbitral process has different stages, each with different types of challenges and potential vulnerabilities from a cybersecurity perspective. The challenges you face in the preparatory stages are different from those at the submission of briefs before the tribunal, at hearings, at enforcement, or when closing the case and archiving the file. By carefully tracking each step of the process, assessing who is involved when and through which channels (email, platforms, videoconferences etc.), you can identify your potential risks.
The questions above need to be addressed for anyone handling your data. You may not be able to control the answers for people outside your team, but if you are to maintain a high level of security, the risk assessment also needs to include members outside your team who handle your data. You may even want to address them explicitly at an early stage of the proceedings, e.g. at the initial case conference.
In most arbitral proceedings, a fairly large group of people will have access to potentially sensitive data relating to your case.
- Your own team
- The client
- Potential other advisors to the client
- The counterparty/ies
- Their counsel and potential other advisors
- Experts and witnesses
- The arbitral tribunal and sometimes a tribunal secretary
- The institution (if any)
This is a large group of people. It’s advisable to agree with these groups how you want to handle security matters, which security thresholds you want to put in place and how you should communicate securely with each other.
Protecting your data can be difficult, and most security measures are cumbersome and generally not very user friendly. Demanding two-factor authentication every time you log in somewhere (i.e. a second step, such as a code from your phone, in addition to your password) is great for security, but it’s terrible for the user experience. If it’s hard for the attacker to get in, chances are it’s hard for you too.
Humans are inherently both lazy and inventive, which is fertile ground for ingenuity, but also for devising various good or less good ways of circumventing cumbersome security steps. Therefore, too much security might lead to a less secure end result. For instance, it may be so complicated to access the data via the secure platform that you download the document and keep it locally and unprotected on your computer instead.
To make sure you put the barriers in place where they are needed, evaluate your data and the threats to it. Is all data equally sensitive? Who do you need to keep it from? How often does the data need to be accessed? How cumbersome is the security arrangement in relation to the sensitivity of the data?
Keeping your data secure is not unlike trying to stay fit. It doesn’t come without effort and requires continuous work and attention to be upheld, but once done, it provides a better night’s sleep.
Lise Alm, Head of Business Development SCC