Prologue
Cybersecurity must be on an employment lawyer’s radar.
When discussing cybersecurity audits, PricewaterhouseCoopers notes that “[o]ften, when companies get a glimpse into what really is going on, they are surprised. They discover that the biggest problems may be caused by their employees.” In short, one of the largest holes in cybersecurity – and thus a key pathway to incredible financial loss – is undoubtedly through an employee’s keyboard.
Businesses are spending billions on cybersecurity and digital forensics. However, cybersecurity expert Gary Warner argues that
[t]he weakest component of your cyber security is your humans. If a crook can get that email in…then your last hope is that your humans are smart enough not to click on it…. But, guess what? They do. We call it ‘the inevitable click.’
While employers take steps to implement security measures ranging from better firewalls to multi-step authentication, the reality is, as Nicole Perlroth recently suggested in the New York Times, that “even those who are layering on as many defenses as possible are still getting crushed.”
In advising their clients, lawyers in general, and employment lawyers in particular, will have to understand, and if necessary lead, the drive to protect data. Some thoughts:
- Cybersecurity policies and procedures will need to conform to the idea that employee-based threats represent some of the largest vulnerabilities to an employer’s data. One place to make a change is in employment policies and their enforcement — ensure that good information security policies are in place and are backed by serious sanctions. The risks and costs of security that employees undermine (such as by using weak passwords) or deliberately thwart (such as by stealing sensitive data on USB drives) will only get worse. Employees also ought to know what is expected of them regarding security on corporate networks — especially when it comes to that ‘inevitable click.’ Indeed, employers ought to restrict media such as USB drives from being attached to the network.
- Employees must be treated as outsiders when it comes to systems they have no business need to access. In such a context — even if achieved through virtualization and/or encryption — the highest levels of security ought to interpose a wall between employees and prohibited data. In addition, rigorous inspection and detailed audit trails are especially important in the employment context: insist on being able to know which employees have accessed which system, when, and what they did once there.
- Consider employment agreements that deal with the entire range of employee-related risk. Educate employees about how to manage the risk occasioned by third-party apps.
- Educate employees about what their devices (especially, but not exclusively, in a BYOD environment) are doing data-wise — privacy is still valued and may influence behavior. They need to know they are sharing many things on that device with their employer and far beyond.
- Have firm rules about who makes decisions that can have an impact on cybersecurity. In this emerging environment, any decision relating to the public posting of any data or information that discusses the company or its systems, no matter how seemingly innocuous, needs to be escalated to the highest levels of decision-making. One cybersecurity website suggests that Target’s recent data woes may have had roots in vendor-related information left on its public-facing website – allegedly leading hackers to an air conditioning vendor whose systems touched Target’s systems.
- Employer-deployed systems (including wearables and apps) should be built with rigorous security, configuration and data encryption as a primary concern. Developers should be meticulously screened, and outside vendor agreements must make security a central focus. Non-employer-deployed devices that seek to connect with employer systems or that may be used to carry corporate information (including BYOD devices) should be required to conform to a device-independent corporate security protocol and screening procedure while the data they capture should be open to employer scrutiny. Moreover, such devices should only be permitted to connect with systems that are segregated from the most sensitive data pools, or, where impossible, should be backed by strict policies, auditing, security protocols and user education.
- Employment lawyers representing employers of all sizes will need to know how to handle data breaches either caused by, or that have an impact on, employees. Planning for such an eventuality needs to be concrete and immediate – breaches should be treated as inevitable.
- Employers should ensure they have adequate cyber risk insurance.
The bottom line: tech-savvy lawyers need to be an integral part of the security puzzle. While lawyers need not be security technicians, they need to understand the technical elements of security.
Next in the series: Cybersecurity Basics and Talking to the CIO.