27 April, 2018
Patching leaks from your house to the courthouse
Even companies with redundant data-security systems have blind spots for the social or nontechnical ways that corporate details are at risk. Projects that emphasize physical security—new purchases and monitoring of usage patterns—win funding and attention, while more mundane threats barely get a thought.
It starts with remembering to lock the server room door.
Consider that petty thieves made off with $2.8 million in the Great Brinks Robbery of 1950 by using a piece of plastic to pick a lock. In 2014, the Sony Pictures hack was made possible thanks to logins and passwords stored in an unencrypted file labeled “Passwords.”
Companies need to start with the basics, such as training employees to spot and report suspicious activity. Just as the color-shifting ink or the 3D security strip next to Ben Franklin’s portrait can betray a counterfeit $100 bill, employees should know the telltale marks of fraudulent emails or spoof websites.
It may seem counterintuitive, but the higher you go up the corporate hierarchy, the greater the need for data-security training and situational awareness. Bad habits and weak passwords are just part of the story.
If an intrusion is suspected, everyone should be prepared with the proper steps for escalating questions and reporting to department heads, the IT brain trust or even outside technical experts.
Importantly, incident responders need to take a team approach to cast a wide net, probing to discover whether other departments or locations are affected and to discuss when to alert law enforcement agencies.
Protocols should be set up and practiced in tabletop exercises, so that everyone knows whom to call. Fire drills are common on corporate campuses.
Data-protection drills or breach responses need to be practiced as well.
Multiple points of failure, far from your office
Departing employees with seniority or access to trade secrets are another weak spot.
High-value data needs to be segregated, and unusual behavior (login failures, downloading or deletion activity) must be monitored to spot or predict removal of company assets.
If an employee suddenly quits, the HR manager’s first priority has to be to forensically preserve all data on her company-issued devices to protect secrets and establish an electronic paper trail to lay the groundwork for legal action in case workplace rules have been violated.
Locking down confidential data also becomes more challenging when the normal course of business requires you to ship sensitive information to a law firm, outside accountant or PR agency.
Executives mulling takeover bids or IPOs tend to clue in lawyers at an early stage. While confidentiality is a time-honored tradition in the legal profession, many law firms are late adopters of technology and may have limited internal IT resources.
The most notorious legal hack is the Panama Papers case. In 2015, more than 11 million documents relating to more than 200,000 clients were swiped in one go from a Panama-based law firm that catered to offshore entities.
Litigation files are another treasure trove for data thieves. Data-protection standards in class-action lawsuits are murky, for instance, making personal or customer details produced in the discovery process tempting for cybercriminals. Expert witnesses may be permitted to sift through these datasets, creating another overlooked weakness. You never know who else may be looking at your documents or how well they understand security, especially people with no corporate loyalties.
Companies need to hold their lawyers, accountants or consultants to the same data-integrity standards that they apply in house. Big banks or retailers often send lengthy questionnaires on IT security to consultants bidding on a contract, followed by a rigorous on-site inspection and the signing of confidentiality pledges.
Data protection starts with fundamentals. Ignoring basic security protocols, or failing to understand these other weaknesses, is as futile as hiding the silver in your home’s closet but leaving the front door wide open.
Peggy Daley is a managing director for Berkeley Research Group in Chicago, specializing in data security, investigations and analytics.
For further information, please contact:
Stuart Witchell, Managing Director, Berkeley Research Group
switchell@thinkbrg.com