Risk Mitigation Spring Clean: Top 5 Ways to Improve Your Security Stance

Everlaw’s Lisa Hawke speaks at CyberTalks 2018

Spring 2018 is blooming within a complex world of privacy concerns, data security risks, and heightened user awareness. For any organization, it’s a good time to renew and refresh security awareness within corporate operations and law firms.

Here are five areas to consider to improve your privacy and security stance and enhance team member awareness:

1. Adopt Privacy by Design within your company culture

Scott Smith, FBI Assistant Director for the Cyber Division, reported at CyberScoop’s SF CyberTalks 2018 that 80% of security vulnerabilities are created by outdated software for which there is a known and easily available patch. Creating a robust culture of security and privacy, from the intern to the C-suite, is the strongest defense against these security vulnerabilities. Executives must make it a priority to understand that major state areas, e.g. the European Union, consider privacy a basic right for citizens, and should thoughtfully reconcile and incorporate that philosophy within their current mission and operations. Consider that security and privacy by design can be adopted early in development, which makes it easier to scale technical requirements. Adopting security and privacy by design later in the maturation process or siloing it will make things more difficult. 

2. Review your data collection practices

A common refrain risk managers navigating GDPR have echoed for months is: “Does our organization truly need to collect this data?” Even if your organization is not subject to EU regulation, this is a valid question to ask. Customer awareness in light of recent data privacy debates means that US lawmakers, industry watchdogs, and investors are more carefully tracking and reviewing privacy policies and practices. Interview teams across a range of functions to evaluate your risk, and determine whether it lies within the level your organization has determined it can tolerate.

3. Enforce a BYOD policy for personal mobile devices

Personal mobile devices and passwords all create security vulnerabilities. Managers can mitigate this issue through a strong bring-your-own-device policy backed up by technical controls. Mobile device management protocols, such as Google Mobile Device Management, MobileIron, or AirWatch are key to oversight in this area because they provide the ability to remotely remove access to selected accounts, or wipe a device. Managers can mitigate situations where the device with access to company data is compromised (lost or stolen) by enforcing device lock passwords (the longer the better) and through a policy with the technical controls mentioned above.

In rare instances, porting a phone number to a new device makes the system vulnerable to account takeovers. The best prevention policy is to remove SMS as a step in the system’s two-factor authentication procedure. Managers can replace SMS with a time-based, one-time password based method, such as Google Authenticator.

4. Monitor chat systems and team communications 

Team members will communicate using whatever systems are convenient, expressive, or secure enough for them. They are not necessarily observing guidelines designed to make the risk manager’s job easier.

Ephemeral messages and other chat systems are creating new data sources which were called into question during the 2017 discovery process in Waymo v. Uber, leading to a call for sanctions. Evaluate your team’s use of discoverable and ephemeral platforms, and determine whether they lie within an acceptable level of risk.

5. Comply with the EU’s General Data Protection Regulation

The May 25th deadline is quickly approaching. Even businesses not subject to other types of European regulation may incur the GDPR, given that the law applies globally, depending on your data processing operations. There are a variety of good, free, and easily-accessible resources to ensure your team is prepared. GDPR is a seismic shift, and the regulators expect to see a meaningful change in how organizations describe their data collection and processing practices, and how they protect data. Tweaking around the edges won’t be enough.

Other governments have adopted similar types of privacy guidelines, including the APEC Cross-Border Privacy Rules. Three members of Congress are researching or have proposed privacy measures, including lawmakers from California, Connecticut, and Massachusetts. Take time to consider whether your team would prefer to build in the capacity to support data privacy from the beginning, or alter an existing system after it’s in use.