Comment: BYOD and Surviving an Insecure Cyber Workforce
by Mark Edge, Country Manager UK & VP Sales, Brainloop Ltd.
Employee behaviour is one of the biggest risks facing IT security in the legal sector today. The enormous uptake of the Internet of Things (IOT), wearable technology, Bring-Your-Own-Device (BYOD) and office-based cloud applications have created many potential vulnerabilities in legal firms’ IT security. Ensuring that employees use this technology securely must therefore be a top priority for legal firms when implementing and reviewing their security procedures.
The loss of confidential business information and devices can be catastrophic and is most commonly caused by employee misbehaviour, whether that is a result of carelessness, ignorance or malice. In fact, in response to a recent ITIC Security Deployment Trends survey, 80 percent of people questioned claimed that the greatest threat posed to organisational IT security is the actions of permitted end users.
While security education is a crucial part of shaping employee behaviour, the best practices in cybersecurity require a more vigorous approach. As a continual work in progress, security education should be constantly audited, updated and improved. However, employee training can only go so far in protecting a legal firm’s IT security from the threats posed by new technologies. It is simply impossible to develop a fully cybersecurity trained and attentive workforce, and so it falls upon IT managers to follow these four steps to ensure efficient and effective computer data security within their organisations:
1. Proper, Proven and Secure Technologies
The age of BYOD and IOT infrastructures has too many vulnerabilities. Security professionals in the legal sector need to transfer their attention from infrastructure protection to information protection. It is vital that security does not only exist at the boundaries of a network, but must be integrated and omnipresent within a network or application.
IT managers should be sure to implement proper, proven and secure technologies to ensure sensitive, critical business information is wholly protected. These technologies should be integrated into the workflow of employees and the applications they use so that if, for example, a careless or malicious insider emails a sensitive legal document to an unauthorised recipient, the technology will block the action and so instantly prevent a costly and reputation-damaging data breach.
2. Turn Employees Into Security Assets
Whether working in the office, from home or whilst travelling, your employees carry confidential data with them. To prevent them from becoming security risks, employees need to be made into security assets who are aware of their role as agents of security for the business. Trusted employees who have been given the appropriate permissions and access should be responsible for handling high value information. It is important that they understand the amount of trust that has been placed in them and that they are trained to always think twice before disclosing company information, whether verbally or in writing.
In an increasingly collaborative world, however, most legal organisations have business partners, vendors and contractors who must also be trusted to receive sensitive information. In order to reap the benefits of these partnerships high value documents will need to be shared. This poses an issue as there are fewer opportunities for training and compliance monitoring with third party organisations than with your internal employees. It is therefore especially important to use technology that implements granular security that controls how and when data is reproduced and shared. While you may not always be there to ensure that your security policies are adhered to, the technology will so you can be sure that measures are always being taken to protect your sensitive business information.
3. Take a Targeted Approach to Tackling Security Risks
When confronted with the many potential risks that could harm your business IT, it is important to take a targeted approach to tackling them. Rather than spreading themselves too thinly across all risks, IT managers should focus on the greatest risk areas and take measures to protect the business against them first. Be sure to identify what could cause the greatest harm and how you can prevent against this happening before going on to address less major IT risks.
One major risk that all IT managers in the legal sector need to be aware of is insider security breaches. While external stakeholders do pose risks to a business’ IT security, the risk from internal employees is often greater. The good news, however, is that insider security breaches and data compromises are more easily controlled. Risk areas such as internal access, security policies and compliance should be tackled first to get the most significant and cost effective gains.
4. Keep Security Simple
Security needs to be selective but also simple. Easy-to-use technology can guard new information and help classify existing, unprotected information. Establishing three straightforward categories of information is often the most effective way for a legal firm to move forward with their data security by clarifying how each type of information should be handled. These categories and their relative actions are:
• I know it’s sensitive – store it in the most secure category of our solution.
• I think it’s sensitive – store it in a medium security area.
• I know it’s not sensitive – store it on the most pragmatic place for efficient collaboration.
Finally, let’s not forget the importance of providing employee security training which is comprehensible and people-friendly. Keep your security policy simple and concise so that employees will be able to read it and digest the core security messages.
With an alarming number of data breaches occurring each day we all need to be vigilant about security, and it needn’t be difficult. Now is the time to ensure that your organisation’s security process is ubiquitous and able to keep up with the increasing number of security risks in the workplace. The fight for cybersecurity is an ongoing one, but one which will be crucial in protecting your legal firm from security threats – from the inside, out.