Cybersecurity Weakest Link
“Employees are at the root of most cyber breaches,” said Judy Selby, Partner of BakerHostetler LLP, while moderating the “The Weakest Link: Employee Practices Around Cybersecurity” panel at Legaltech in early February. Selby was joined by Gamelah Palagonia, Founder of Privacy Professionals; Amy DeCesare, AVP, Litigation Management, Allied World; and Xenia Ley Parker, principal of XLP Associates.
With recent breaches in the press, we tend to focus on technology; however, these events mostly happen because of employee behavior. It could be as simple as a well-meaning employee sending business documents home to work over the weekend, or because an unprotected laptop was stolen, or because an email was forwarded to the wrong person. Breaches can also be caused maliciously by disgruntled employees.
The impact of employee behavior on cybersecurity is an important issue, and probably isn’t getting as much attention as it should, said Selby.
What type of employee behavior leads to risky situations?
Although the focus has been on IT and Security departments, Marketing can cause all types of privacy issues in its handling of customer data. One example is Uber. Its recent privacy issues and negative press were not the result of a hack or a breach, but rather were caused by the deliberate behavior and actions of employees at the direction of the Chief Executive Officer. Specifically, the employees used software to predict how many people were having one-night stands. “On a basic level, as a human being and an employee, how could they think that was right?” asked Palagonia.
According to Palagonia, this is a perfect example of “lack of thought process when it comes to executing the services by some of these new innovative companies that collect personal data.” As with Uber, if you do not train your employees on the appropriate use of data, your brand can be diminished, even when there was no external hack or security event. “Security is like a lock on your door at home, privacy is more like blinds on your window and a behavioral risk. It’s easier to take care of the security risk. Employee training is the key to mitigating cybersecurity risk at all levels in every part of the organization,” concluded Palagonia.
How Can You Protect Yourself?
The panel shared horror stories: a sole practitioner attorney pushed to the brink of bankruptcy when her unprotected laptop with all her client data was stolen from her home, and a business owner forced to pay a $50,000 ransom to regain access to his business data. What can we do to protect ourselves?
Are your systems optimized for maximum speed and performance? (I can tell you, 99% of the computer networks we review are NOT.)