Data security has become one of the most talked-about subjects this year. With the data breaches occurring at companies such as Chick-fil-A, Microsoft, Sony, J. P. Morgan Chase, Apple and Boeing, the business world has had to stop and take notice. Small to midsize firms commonly believe they are not at risk of a data breach because they are small companies, but it is this common misconception that can turn out to be costly in both bad publicity and expensive litigation.
Respondents of the Ponemon Institute's January 2012 study "The Human Factor in Data Protection" listed the three most common causes of data loss as (1) loss of laptops or other mobile devices, (2) third-party mishaps or flubs and (3) system glitches. Only 8% of incidents were the result of outside actors. So, even though you may not be as high-profile a target as a large Fortune 500 company, the threat to your and your clients' data is just as real and can be just as costly.
ABA rule 1.6 “Confidentiality of Information” states “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the occurrence of several other specified circumstances.” With this rule comes a great responsibility to your clients.
The Ponemon Institute notes ten examples of risky practices routinely engaged in by employees:
1. Connecting computers to the Internet through unsecured wireless networks.
2. Not deleting information on their computers when it is no longer necessary.
3. Sharing passwords with others.
4. Reusing the same passwords and usernames on different websites.
5. Using generic USB drives not encrypted or safeguarded by other measures.
6. Leaving computers unattended when outside the workplace.
7. Losing a USB drive containing confidential data and not immediately notifying the firm.
8. Working on a laptop when traveling and not using a privacy screen.
9. Carrying unnecessary sensitive information on a laptop when traveling.
10. Using personally owned mobile devices that connect to their organization's network.
If we honestly evaluated ourselves today, how many of the 10 items above have we all been guilty of violating? 2, 3 or 10? Listed below are several things to consider to help mitigate the human factor in data protection.
1. Manage and monitor your end-user privileges. Routinely review Active Directory to challenge users' access to company data and purge the accounts of former employees.
2. Conduct criminal background checks before granting access to data. We all need to perform our due diligence before blindly granting access to sensitive information.
3. Train employees regarding IT security policies and procedures. Much like a fire drill is performed to assist in an emergency, your employees need to understand how to prevent a data breach or loss of sensitive client data, and how to react if one occurs.
4. Ensure third parties are properly vetted before granting access to data. You have a duty to protect your clients' data, and that includes everyone from the local PC repairman to an online storage provider. You need to ensure you know everyone who may have access to client data.
5. Perform timely security patches and updates. This is the easiest and most efficient way to stay protected. Microsoft and your antivirus provider pay people to be on the front lines of data and virus protection. They routinely release patches and fixes for issues that are found. If you're not updating, then you're not taking care of your business.
6. Limit physical access to servers and data storage devices. Having a server sitting in an empty office is not secure. For example, a temporary employee who is filling in should not be able to access company servers. If they can, security needs to be improved.
7. Manage and monitor end-user access to Internet apps. In these days of BYOD (bring your own device) this can be a difficult task. You must stress that, if a device is connected to your internal network, it needs to abide by the company rules, period. If it's a company-owned laptop, you have the right to ensure the latest spyware-packed games are not installed on the machine.
8. Enforce security and data protection policies. If you're going to allow a BYOD environment, you need to make sure you can enforce your security policy; any good MDM (Mobile Device Management) program can help with this.
9. Enforce VPN use when on public Wi-Fi. There are apps for mobile devices and programs for PCs that will allow you to create your own VPN (Virtual Private Network) when using public Wi-Fi. This will encrypt your data in transit, protecting you from possible prying eyes.
10. Restrict web-based personal email at work. One of the fastest ways to get a virus is to allow personal email access at work. I'm sure we have all seen the amount of spam that can come to our personal email accounts. It only takes one employee checking their email and clicking on the wrong link to cost your company thousands in lost productivity and fees to repair virus damage.
11. Enforce use of encrypted USB drives for client data. With the nominal cost of encrypted USB devices, it makes sense to use them exclusively. It is a small but worthwhile investment to make sure all staff have one 32 GB USB drive that is encrypted for client data.
12. Use complex password policies on all devices including cell phones. You can enforce complex passwords even on an iPhone. If the device can access client email or any number of cloud storage apps you need to ensure a complex password is set on the device.
13. Ensure mobile data is encrypted. Apple and Android have announced that their latest respective operating systems will encrypt your data at rest. Apple doesn't even retain the decryption key, so they are unable to access your data even if they are legally required to produce it.
14. Set up reporting channels for lost data. Having a method and environment that allows employees to quickly and safely report lost data is important to any data security policy. Tools to help you deal with data loss are only helpful if you know something is lost in the first place.
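Item 1 above, the routine Active Directory review, is the one step in this list that can be turned directly into a repeatable check. The script below is an added example written for this article, not something the article or the Ponemon study supplies; it assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, a 90-day inactivity threshold and the output path C:\Reports\AD-AccessReview.csv, all of which are assumptions to adjust for your firm. It only reports: the decision to disable or delete an account stays with a person.

```powershell
# Added example (not from the original article): build a review list of
# Active Directory user accounts that have not logged on for a set number of
# days, plus accounts that are already disabled but still hold group
# memberships (the usual leftovers of a former employee). It changes nothing.
Import-Module ActiveDirectory

$InactiveDays = 90                                  # assumed review threshold
$ReportPath   = 'C:\Reports\AD-AccessReview.csv'    # assumed output location

# Enabled accounts with no logon inside the threshold: candidates to challenge.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Department, MemberOf |
    Select-Object SamAccountName, Name, Department, LastLogonDate,
        @{Name = 'Status';     Expression = { 'Inactive' }},
        @{Name = 'GroupCount'; Expression = { @($_.MemberOf).Count }}

# Disabled accounts still in groups: candidates to purge, since group
# membership is what grants access to file shares and mailboxes.
$disabled = Get-ADUser -Filter { Enabled -eq $false } -Properties LastLogonDate, Department, MemberOf |
    Where-Object { @($_.MemberOf).Count -gt 0 } |
    Select-Object SamAccountName, Name, Department, LastLogonDate,
        @{Name = 'Status';     Expression = { 'Disabled, still in groups' }},
        @{Name = 'GroupCount'; Expression = { @($_.MemberOf).Count }}

$review = @($stale) + @($disabled) | Sort-Object Status, LastLogonDate
$review | Export-Csv -Path $ReportPath -NoTypeInformation
$review | Format-Table -AutoSize

Write-Host ('{0} inactive and {1} disabled-but-grouped accounts written to {2}' -f @($stale).Count, @($disabled).Count, $ReportPath)
```

Run it from an account that can read the directory, on a schedule that matches your review cadence, and keep the CSV with the sign-off of whoever reviewed it; the file is the evidence that the review in item 1 actually happened.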
In the end, security needs to become ingrained in our business practice. Just because you're a small to mid-size firm does not mean you're immune to data loss or a data breach. How that data breach happens may not have the makings of a Bond movie, but the possible catastrophic results just may.