Editor's Note: These tips still ring true a year after their initial publication. If you missed these goals last year, give it another shot. Join us at Legalweek to discuss security, compliance, and more to round out your focus areas for 2018.
There are few modern catastrophes more frightening to today’s corporation than a data breach. When critical data is compromised, everyone suffers: employees, customers, CEOs, and legal teams must all face the consequences.
Fortunately, even as would-be hackers with ill intent get smarter, technology is getting smarter, too. There are ways for every organization to protect itself against threats, cyber and otherwise.
There is never a bad time to get ahead of your security strategy, but now is the best time. As you plan your IT and security priorities for the year, consider adding these practical efforts to your list.
#1: Create a defense against phishing scams.
Know how they are delivered, and make sure employees know, too.
A phishing scam disguises a malicious attempt to obtain sensitive information as a genuine request for action from a supposedly trustworthy source.
Educate your whole company on what these scams look like and what risk they pose to your business, customers, and even employees.
Establish a protocol for reporting phishing scams.
Familiarize your organization with the red flags of a potential phishing scam and instruct employees never to engage with these messages in any way.
Additionally, clearly lay out a process for reporting possible phishing scams. An easy solution is to specify in your employee handbook that all suspicious emails should be immediately forwarded to your IT department for investigation. When reports come in, your IT team will be able to spot patterns and issue warnings to the larger organization as needed.
#2: Standardize on good password hygiene.
Don’t reuse passwords.
Passwords should never be recycled across systems, devices, or tools. When an employee uses the same simple password for his email, CRM account, and HR system access, he is putting himself—and his data—at significant risk.
Major data breaches—including those that compromised 1.5 billion Yahoo accounts—are made more dangerous by this “worst practice” because once a hacker has obtained a password to one account, they can use it to obtain access to innumerable other systems.
Rely on long, complex passwords.
It can be difficult to prevent password recycling in your organization, but it’s fairly easy to establish a minimum requirement when it comes to password complexity. Require passphrases—passwords of 20 characters or more—for employees to access networks and their machines. Improved complexity makes these passwords much more difficult to hack.
Take advantage of a password management tool.
You can eliminate the guesswork of enforcing password standards—and save employees the frustration of managing them manually—by implementing a password management tool. Solutions such as Azure Active Directory and Okta store passwords and automatically input them when employees visit enrolled websites. These tools can even auto-generate complex passwords and set passwords to change periodically, further increasing security without creating extra work.
When implementing such a solution across an organization, IT teams can configure it to enable single sign-on and password protection with integrated systems like Salesforce and even Relativity.
#3: Implement penetration testing.
Stage real-life experiments.
Vulnerabilities are much less expensive and time-consuming to resolve when they are spotted before someone has found an opportunity to take advantage of them. You can set up penetration testing to spot these vulnerabilities proactively.
This can be done formally or informally, by internal teams or with the help of outside experts. Either way, seeing just how far someone can get into your own systems by hacking or tailgating is an invaluable way to stay ahead of threats.
Educate your in-house technical teams.
Ensure your network is properly monitored at all times for breaches, and that all outgoing work product is audited for optimal security when applicable. Our Relativity developers regularly work with a dedicated team of security experts to make sure new code is architected in the most secure ways, and to perform penetration tests on our software on a regular basis.
You should also have at least one go-to expert on your team monitoring the news for breaking stories on breaches that may affect your company or your systems. A favorite source to watch is Krebs on Security; there may be other, industry-specific sources for you to monitor, as well. Legaltech News, for example, frequently has articles about security in the legal field.
#4: Boost protection for physical devices.
Stay up to date with software updates.
Microsoft and other vendors are constantly releasing bug fixes for their software to address security vulnerabilities as they’re identified. So when laptops prompt their users to install the latest updates, encourage employees to do so in order to take advantage of those new layers of protection.
Eliminate plug-in devices.
Portable, plug-in devices such as USB sticks are not a secure way to store or move data. Firstly, they are easily misplaced. Additionally, most are not encrypted, so data is left easily accessible and unprotected by even a simple password. Finally, these devices often lack secure erasure options, so even “deleted” data may be recoverable.
Discouraging the use of these devices also prevents employees from plugging in a device that has been compromised, as these tools are often carriers of pre-loaded malware or other digital threats.
Leverage encryption and dedicated devices whenever necessary.
Especially when it comes to remote employees and employees who travel with sensitive or customer data, it’s important to provide laptops and other devices that are properly encrypted and configured to adhere to network security standards. Whenever possible, employees should be instructed to limit their computer use to work only, rather than sharing a device between business and personal purposes. This will ensure no “cross-contamination” between personal and professional data, and minimize outside risks to company information.
#5: Establish a culture of shared responsibility.
Offer strong reporting protocols with thorough follow-up.
Your security policy—which should be taught to any new employees during onboarding and reiterated company-wide in annual refresher courses—should include clear, realistic reporting expectations for employees. Make it easy for them to contact your security team to report even small incidents, and be sure to take any reports seriously. Using due diligence in all matters will encourage compliance and prevent vulnerabilities.
Make it fun.
Company-wide security isn’t about asking employees to police one another. Encourage teams to have fun with these habits in the course of keeping each other accountable.
For example, if a computer is left unlocked when an employee walks away from their desk, we leave foreboding notes on their desktop or even send out an email on their behalf to the rest of the team promising to buy donuts the next day (known as a “donut email”). These interactions are meant to be playful while reminding employees that such behaviors can put their data at risk.
Expect consistency up the chain.
Your company’s leadership team should be the first to follow these protocols and model them for their teams. Many employees will learn best by example or via direct instruction from their managers, and they will be motivated to keep up with security policies when their mentors are doing the same thing.
We hear lots of fearful talk about insider threats. Ultimately, it is better to treat your insiders, your employees, as allies in the drive for security—think of them as your first level of detection and defense.
Bill Lederer was chief security officer at Relativity, leading a team dedicated to maintaining secure environments for customers and employees. Before bringing decades of security expertise to Relativity, Bill worked at Matasano as a security consultant and ran his own independent consultancy. In those roles, he worked with Fortune 500 companies and large organizations around the globe, solving complex security challenges.