by Bill Lederer
on January 25, 2018
Cyber Security & Data Privacy
Editor's Note: These tips still ring true a year after their initial publication. If you missed these goals last year, give it another shot. Join us at Legalweek to discuss security, compliance, and more to round out your focus areas for 2018.
There are few modern catastrophes more frightening to today’s corporation than a data breach. When critical data is compromised, everyone suffers: employees, customers, CEOs, and legal teams must all face the consequences.
Fortunately, even as would-be hackers with ill intent get smarter, technology is getting smarter, too. There are ways for every organization to protect themselves against threats, cyber and otherwise.
There is never a bad time to get ahead of your security strategy, but now is the best time. As you plan your IT and security priorities for the year, consider adding these practical efforts to your list.
Phishing scams disguise attempts at obtaining sensitive information for malicious reasons as genuine requests for action from a supposedly trustworthy source.
Educate your whole company on what these scams look like and what risk they pose to your business, customers, and even employees.
Familiarize your organization with the red flags of a potential phishing scam and instruct employees never to engage with these messages in any way.
Additionally, clearly lay out a process for reporting possible phishing scams. An easy solution is to specify in your employee handbook that all suspicious emails should be immediately forwarded to your IT department for investigation. When reports come in, your IT team will be able to spot patterns and issue warnings to the larger organization as needed.
Passwords should never be recycled across systems, devices, or tools. When an employee uses the same simple password for his email, CRM account, and HR system access, he is putting himself—and his data—at significant risk.
Major data breaches—including those that compromised 1.5 billion Yahoo accounts—are made more dangerous by this “worst practice” because once a hacker has obtained a password to one account, they can use it to obtain access to innumerable other systems.
It can be difficult to prevent password recycling in your organization, but it’s fairly easy to establish a minimum requirement when it comes to password complexity. Require passphrases—passwords of 20 characters or more—for employees to access networks and their machines. Improved complexity makes these passwords much more difficult to hack.
You can eliminate the guesswork of enforcing password standards—and save employees the frustration of managing them manually—by implementing a password management tool. Solutions such as Okta store passwords and automatically input them when employees visit enrolled websites. These tools can even auto-generate complex passwords and set passwords to change periodically, further increasing security without creating extra work.
When implementing Okta across an organization, IT teams can configure Okta to enable single sign-on and password protection with integrated systems like Salesforce and even Relativity. Okta is engineered to plug into these supported systems securely, using modern authentication protocols (such as SAML 2.0 and OIDC) to give your IT team a central hub of user authentication and authorization, and protect your most sensitive company and customer data.
Vulnerabilities are much less expensive and time-consuming to resolve when they are spotted before someone has found an opportunity to take advantage of them. You can set up penetration testing to spot these vulnerabilities proactively.
This can be done formally or informally, by internal teams or with the help of outside experts. Either way, seeing just how far someone can get into your own systems by hacking or tailgating is an invaluable way to stay ahead of threats.
Ensure your network is properly monitored at all times for breaches, and that all outgoing work product is audited for optimal security when applicable. Our Relativity developers regularly work with a dedicated team of security experts to make sure new code is architected in the most secure ways, and to perform penetration tests on our software on a regular basis.
You should also have at least one go-to expert on your team monitoring the news for breaking stories on breaches that may affect your company or your systems. A favorite source to watch is Krebs on Security; there may be other, industry-specific sources for you to monitor, as well. Legaltech News, for example, frequently has articles about security in the legal field.
Microsoft and other vendors are constantly coding bug fixes into their software to fix security vulnerabilities as they’re identified. So when laptops prompt their users to install the latest updates, encourage employees to do so in order to take advantage of those new layers of protection.
Portable, plug-in devices such as USB sticks are not a secure way to store or move data. Firstly, they are easily misplaced. Additionally, most are not encrypted, so data is left easily accessible and unprotected by even a simple password. Finally, these devices often lack secure erasure options, so even “deleted” data may be recoverable.
Discouraging the use of these devices also prevents employees from plugging in a device that has been compromised, as these tools often carry pre-loaded malware or other digital threats.
Especially when it comes to remote employees and employees who travel with sensitive or customer data, it’s important to provide laptops and other devices that are properly encrypted and configured to adhere to network security standards. Whenever possible, employees should be instructed to limit their computer use to work only, rather than sharing a device between business and personal purposes. This will ensure no “cross-contamination” between personal and professional data, and minimize outside risks to company information.
Your security policy—which should be taught to any new employees during onboarding and reiterated company-wide in annual refresher courses—should include clear, realistic reporting expectations for employees. Make it easy for them to contact your security team to report even small incidents, and be sure to take any reports seriously. Using due diligence in all matters will encourage compliance and prevent vulnerabilities.
Company-wide security isn’t about asking employees to police one another. Encourage teams to have fun with these habits in the course of keeping each other accountable.
For example, if a computer is left unlocked when an employee walks away from their desk, we leave foreboding notes on their desktop or even send out an email on their behalf to the rest of the team promising to buy donuts the next day (known as a “donut email”). These interactions are meant to be playful while reminding employees that such behaviors can put their data at risk.
Your company’s leadership team should be the first to follow these protocols and model them for their teams. Many employees will learn best by example or via direct instruction from their managers, and they will be motivated to keep up with security policies when their mentors are doing the same thing.
We hear lots of fearful talk about insider threats. Ultimately, it is better to treat your insiders, your employees, as allies in the drive for security—think of them as your first level of detection and defense.
Bill Lederer was chief security officer at Relativity, leading a team dedicated to maintaining secure environments for customers and employees. Before bringing decades of security expertise to Relativity, Bill worked at Matasano as a security consultant and ran his own independent consultancy. In those roles, he worked with Fortune 500 companies and large organizations around the globe, solving complex security challenges.