When attorneys' clients turn to them for help with cybersecurity, it's important they understand the best practices to reduce risk
By Bahar Ferguson
Recent surveys published by the Association of Corporate Counsel consistently show that one of the top concerns for general counsel at private companies is cybersecurity. This concern is certainly well placed, given the steady stream of alarming incidents involving the security of sensitive data. As a result, companies, big and small, are looking to their attorneys for help in establishing policies and practices that keep their information systems safe and their data secure.
But what does that specifically mean? What should lawyers be telling their clients?
As Benjamin Franklin once wisely advised, “An ounce of prevention is worth a pound of cure.” More and more, businesses look to their counsel to help devise plans for prevention.
Because lawyers represent clients who run a multitude of business enterprises, from large corporations to the smallest startups across a variety of industries, they should recommend cybersecurity practices that scale to all of them.
Documenting Cybersecurity Policies
A written policy acts as a formal guide that outlines the cybersecurity practices that a specific business follows. It is the best way for business owners and their employees to be on the same page where security matters are concerned.
Although this document will be a beneficial guide for an entire company, it should also outline departmental security policies as different departments carry out different tasks.
Lawyers should encourage their clients to draft this document to use as a starting point for their cybersecurity practices.
As businesses seek to avoid risk, lawyers should not shy away from identifying and assessing the different levels of risk their clients face. A "look before you leap" approach generally costs far less than cleaning up after an incident, and it protects important business information in the process.
Here are some best cybersecurity practices that can serve as a starting point for a client concerned about risk:
1. Multi-Factor Authentication. This is the use of two or more independent components to verify the identity of a user. Traditionally, the factors fall into three categories, each with a familiar example:
• Something the user is: a fingerprint or other form of biometric data.
• Something the user knows: a password or PIN.
• Something the user has: a mobile phone, authenticator app or hardware token.
When lawyers are advising their clients on cybersecurity practices, they should point out that multi-factor authentication matters because a stolen password is no longer enough on its own. An attacker who has phished or guessed a password must also defeat a second, independent factor, such as a code generated on the user's phone or a physical token, and that is far harder to obtain from a distance. By requiring more than one factor, it mitigates the single most common cause of account compromise.
Clients should know that this is one of the most effective ways to prevent unauthorized access. But for this practice to be effective, it must be applied consistently. Multi-factor authentication should cover every way into the business: server logins, on-premises applications, email, cloud storage and remote or private network access. A single exposed login that lacks it is the one attackers will find.
When clients cover all of these entry points, their exposure to data breaches and unauthorized access drops sharply. Lawyers should also help clients understand that not all second factors are equally strong: codes sent by SMS can be intercepted or redirected, while authenticator apps and hardware security keys resist that. Because attacks change, clients should review which methods they allow from time to time.
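To make the "something the user has" factor concrete, here is an added example (not part of the original article) of how a time-based one-time password works: the server and the user's authenticator app share a secret, and each 30-second code is derived from that secret and the current time, so a leaked password alone does not let an attacker log in. The user record, password and shared secret below are constructed for illustration; the code values asserted in the comments come from the test vectors in RFC 6238.

```python
import hashlib
import hmac
import struct

# HOTP (RFC 4226): HMAC-SHA1 over a big-endian counter, dynamically truncated.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, for_time // step, digits)

# Constructed user record (hypothetical). Real systems store a salted password
# hash; the TOTP secret must be stored with the same care as a password.
SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}

def verify_login(username: str, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass: the password AND a code for the current step
    (allowing +/- `window` steps of clock drift). Comparisons are constant-time."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000), user["pw_hash"]
    )
    code_ok = any(
        hmac.compare_digest(code, hotp(user["totp_secret"], now // 30 + d))
        for d in range(-window, window + 1)
    )
    return pw_ok and code_ok

if __name__ == "__main__":
    t = 59
    good_code = totp(USERS["jdoe"]["totp_secret"], t)      # "287082" per RFC 6238
    print("legitimate user:", verify_login("jdoe", "correct horse", good_code, t))
    # An attacker who phished the password but has no shared secret fails.
    print("attacker with password only:", verify_login("jdoe", "correct horse", "000000", t))
```

The second factor only helps if the shared secret never leaves the server and the user's device; a client that stores TOTP secrets next to plaintext passwords has rebuilt a single factor.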
2. Password Managers. Every business owner is looking for a solution that will be manageable and provide the best protection.
Enter password managers.
Strong, unique passwords are still the first line of defense for a client's accounts. While adopting this rule is easy, remembering long, complex passwords is something most people do not do well. Faced with that difficulty, team members reuse the same password everywhere or write it down. The result? One leaked credential opens many doors.
To avoid this, lawyers should make the benefits of password managers known. Dashlane and Keeper, for instance, are well-known password management applications. They store credentials in an encrypted vault unlocked by a single master password, generate long random passwords on demand and flag passwords that are weak, reused or known to have been exposed.
The biggest advantage of a password manager is that users can have a different complex password for every account without memorizing any of them, so a breach at one service does not spill over to the others.
Because the vault now guards everything, the master password must itself be strong, and the manager account should be protected with multi-factor authentication. With those two conditions met, clients looking to tighten their security will appreciate both the convenience and the real reduction in risk that password management affords.
3. Mobile Device Management. Due to the rise in smart technology, a majority of companies are adopting the use of smart devices for the completion of work-related tasks. Because these devices have seeped into the everyday work routine, they bring convenience in handling clients as well as their documents.
Therefore, lawyers should treat the protection of mobile devices as a significant part of cybersecurity. An unmanaged phone that holds company email or documents is exposed to the same threats as a laptop, including malware, ransomware and theft.
Mobile device management is a cybersecurity method that manages mobile devices from a remote location. While this is not a new invention (it emerged in the early 2000s), it has evolved to be compatible with the latest technology. Needless to say, it is a dependable method of protection for businesses devices.
The good news is that mobile device management works on a wide variety of devices and gives companies a way to enforce their policies technically rather than on paper. It can require a passcode and device encryption, push security updates, and restrict the installation of unapproved games and applications that may leak data. If a device is lost or stolen, mobile device management allows a prompt response: the device can be located, locked and remotely wiped, which greatly reduces the chance that the data on it is exposed.
4. Company Policies and Restrictions. It is not uncommon for employees to carry their smartphones and tablets with them to work. But how do these devices impact security practices?
The answer is straightforward. Employees who bring their own devices will want to connect them to the company's Wi-Fi network and read company email on them, and few people stop to consider the security exposure that creates. Clear workplace security policies, backed by the technical controls above, will greatly reduce these threats.
For instance, employers can implement a BYOD (bring your own device) policy which provides security rules for employee-owned devices. Granted, it may be difficult for employers to protect their data while protecting employee rights. But by creating specific policies, employers can protect both company and employee interests.
Employers should spell out the permitted uses of employee devices so that employees understand their responsibilities. While employers cannot control which devices their employees buy, they can publish a list of acceptable device models, operating systems and minimum versions that still receive security updates.
Additionally, they can require a device passcode, screen lock and encryption, and require multi-factor authentication for any company system reached from a personal device, so that company data stays protected even if the device is lost.
5. Monitoring Third-Party Access to Data. It is not uncommon for businesses to work with remote or third-party contractors. While this may be a short list of people who work for short periods of time, they still get access to company data. That access is itself a security risk, and a compromised or careless contractor can give malware and attackers a path into the company's systems.
One of the best ways to offer protection in this case is to monitor third-party access deliberately. Companies should limit each contractor's access to the specific systems and data the engagement requires, for a defined period, and issue the credentials themselves rather than letting contractors set up their own. Time-limited or one-time credentials tied to an individual make every login attributable and make misuse easier to detect. With that in place, the warning signs are clear: a contractor account reaching a system outside its scope, logging in after the engagement has ended, or creating additional accounts or credentials should be investigated, and access should be revoked as soon as the work is complete.
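The following is an added example, not part of the original article, of what "monitoring third-party access" looks like in practice: a small review that checks an access log against a register of approved contractor engagements and reports the warning signs described above. The register, the log lines and the "vendor-" naming convention for contractor accounts are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed register of approved third-party accounts (hypothetical names):
# who they are, when the engagement runs, and which systems are in scope.
CONTRACTORS = {
    "vendor-jsmith": {
        "start": "2024-03-01T00:00:00Z",
        "end": "2024-03-15T23:59:59Z",
        "systems": {"billing-db"},
    },
}

# Constructed audit log: timestamp, account, system, action (one event per line).
SAMPLE_LOG = """\
2024-03-05T10:02:11Z vendor-jsmith billing-db LOGIN
2024-03-05T10:05:40Z vendor-jsmith hr-files LOGIN
2024-03-20T08:00:00Z vendor-jsmith billing-db LOGIN
2024-03-06T14:30:00Z vendor-jsmith billing-db CREATE_ACCOUNT
2024-03-06T15:00:00Z vendor-unknown billing-db LOGIN
2024-03-06T15:00:00Z alice billing-db LOGIN
"""

def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_third_party_access(log_text: str, register: dict) -> list:
    """Return (log line, reason) pairs for every contractor event that violates
    the engagement's scope, window, or credential-issuance rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, system, action = line.split()
        # Assumption: contractor accounts carry a "vendor-" prefix; employee
        # accounts are reviewed by a different process and are skipped here.
        if not account.startswith("vendor-"):
            continue
        entry = register.get(account)
        if entry is None:
            findings.append((line, "account not in contractor register"))
            continue
        when = _parse_ts(ts)
        if not (_parse_ts(entry["start"]) <= when <= _parse_ts(entry["end"])):
            findings.append((line, "access outside engagement window"))
        if system not in entry["systems"]:
            findings.append((line, "system outside approved scope"))
        if action == "CREATE_ACCOUNT":
            findings.append((line, "contractor created additional credentials"))
    return findings

if __name__ == "__main__":
    for line, reason in review_third_party_access(SAMPLE_LOG, CONTRACTORS):
        print(f"{reason}: {line}")
```

The check is only as good as the register behind it: if engagements are not recorded with an end date and a scope, there is nothing to compare the log against, which is why the policy work in the section above comes first.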
6. Partnering with a Technology Expert. Technology experts exist so that they help organizations take charge of their technical systems. They are not only helpful when setting up company hardware and software, but they can go the extra mile to ensure that the right security measures are put in place for any organization.
Remember, there are different types of technology experts including single-service experts, who only guide businesses toward a solid IT plan, and general IT contractors, who can handle any technology issue.
However, to get the best experience, lawyers should advise their clients to get guidance from technology experts who offer comprehensive services. These experts have a heightened ability to advise on a wide scope of cybersecurity capabilities, leading each company to the kind that is best suited for them.
Both large corporations and small businesses can experience a security breach. A technology expert will assess a business's network to identify vulnerabilities and establish the right security controls for its size and risk.
They can also train employees to recognize threats such as malware and malicious links, which is where many incidents begin.
The Bottom Line
When business owners have the right knowledge, they can address the vulnerabilities their companies face before an attacker does. A single malicious link in an email can be enough to expose important files. Therefore, lawyers should be vocal when it comes to advising clients on cybersecurity matters. It is part of their job to advise clients on the best way to conduct business and why having the right security measures in place matters.
Keeping abreast of current cybersecurity practices can be the difference between a secure business and one that might be targeted by hackers.
Bahar Ferguson is an attorney and president of Wasatch I.T., a Utah provider of outsourced IT services for small and medium-sized businesses.