“Employees are at the root of most cyber breaches” said Judy Selby, Partner of BakerHostetler LLP, while moderating “The Weakest Link: Employee Practices Around Cybersecurity” panel at Legaltech in early February. Selby was joined by Gamelah Palagonia, Founder of Privacy Professionals, Amy DeCesare, AVP, Litigation Management, Allied World and Xenia Ley Parker, principal of XLP Associates.
With recent breaches in the press, we tend to focus on technology, however these events mostly happen because of employee behavior. It could be as simple as a well-meaning employee sending business documents home to work over the weekend, or because an unprotected laptop was stolen, or because an email was forwarded to the wrong person. Breaches can occur maliciously by disgruntled employees as well.
The impact of employee behavior on cybersecurity is an important issue, and probably isn’t getting as much attention as it should, said Selby.
What type of employee behavior leads to risky situations?
Although the focus has been on IT and Security departments, Marketing can cause all types of privacy issues in their handling of customer data. One example is Uber. Its recent privacy issues and negative press were not the result of a hack or a breach, but rather, were caused by the deliberate behavior and actions of employees at the direction the Chief Executive Officer. Specifically, the employees used software to predict how many people were having one-night stands. “On a basic level, as a human being and an employee, how could they think that was right?” asked Palagonia.
According to Palagonia this is a perfect example of “lack of thought process when it comes to executing the services by some of these new innovative companies that collect personal data”. Like Uber, by not training your employees on the appropriate use of data, your brand can be diminished, even when there was no external hack or security event. “Security is like a lock on your door at home, privacy is more like blinds on your window” and a behavioral risk. It’s easier to take care of the security risk. Employee training is the key to mitigating cybersecurity risk at all levels in every part of the organization” concluded Palagonia.
How Can You Protect Yourself?
The panel shared horror stories of a sole practitioner attorney pushed to the brink of bankruptcy when her unprotected laptop with all her client data was stolen from her home. Or a business owner forced to pay a $50,000 ransom to regain access to his business data. What can we do to protect ourselves?
- At a bare minimum, all your devices should be password protected, including your phone. “Just as you would lock the front door so the criminals can’t come in. We’ve been saying this for decades. It’s kind of depressing that people still think it’s ok to have unprotected laptops.” says Xenia Ley Parker. Don’t put data on unprotected thumb drives. Create an automatic backup and store that in another location in case of equipment theft, ransomware or even a fire.
- Parker also advises to be very careful with email. Clicking on links can introduce malware into the organization. If you receive an email from someone you don’t know, delete it without even reading it. Close the reading panel in your email and don’t even let it show up on your screen. If you think you know who it is from, and it has a link in it, don’t click on the link, instead, look it up yourself.
- Go to a protected browser and use Google, which checks whether it’s a legitimate website. When the audience asked how this would work in practice, Parker gave the example of receiving an email from Amazon about the delivery of a package. Rather than click on a link within the email, go to Amazon directly, log into your account to see the details there.
“Hackers don’t just show up. It’s the weak links. It’s the people clicking on the emails. It’s so simple and so basic“ says Parker.
The Challenge Of The C-Suite
Firms tend to focus their cybersecurity training on low level employees, however, the problems start at the top. The C-Suite tends to think that cybersecurity is an IT problem. The biggest challenge is changing behavior of the senior executives and partners in a law firm who want to be exempt from every rule. Like anything else, to effect change in the organization, you need buy-in from the senior executives. The recent Sony breach may actually change behavior as executives begin to understand that a data breach can result in embarrassing personal revelations in addition to damaging the reputation of the firm.
5 Ways To Your Protect Your Firm Today
- Strengthen passcodes: The longer the passcode, the harder it is to break. To make passwords easy to create, use a phrase such as “I love eating cherry pie” and then substitute some of the letters for numbers, use both upper and lower case and add a symbol to create a password that looks like “1LoveEatingCh3rryPie!”. Passwords longer than 20 characters are best and should be changed every 30 days.
- Manage email: Emails are an important source for discovery in litigation. To mitigate risk, create and follow a policy to auto delete emails on a pre-established timetable. Don’t store files in email. Don’t send work home to your personal, unencrypted email accounts on your personal computer where it can be accessed by your family.
- Beware of phishing emails: Trust, but, verify. Do not click on any link within an email. Create employee policies that include specific consequences for employees who repeatedly click on links and introduce malware into the organization.
- Limit the use of removable media: Many firms disable the USB port. Provide your employees with encrypted devices to use.
- Control Use of Web Based Applications for Business Purposes: Use technology to block access to certain websites, such as file sharing sites like Box or DropBox. Create Social Media Employee policies that are reinforced with technology that control access to various features. Remember: Social media users consider themselves part of a tribe and are more likely to click on links from a “friend” or “follower”.
In the coming months, we can expect a serious debate about data breach litigation, with the focus on who is held responsible. If businesses are held to a higher standard, they will need to strengthen the “weakest link”, by training employees on proper behaviors in addition to investing in modernized policies, processes and technology to protect personal information — or face stricter sanctions and reputational risk.
How are you training your employees?
This article was written by Joanna Belbey from Forbes and was legally licensed through the NewsCred publisher network.