BreachExchange mailing list archives

Cybersecurity – Sometimes The Problem Is You


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 Oct 2015 18:31:21 -0600

http://abovethelaw.com/2015/10/cybersecurity-sometimes-the-problem-is-you/

Last Friday, Above the Law held its inaugural Academy for Private Practice
in New York. There were several great panels and workshops focusing on what
solos and small law firm attorneys can do to have a better law practice. I
spoke about cybersecurity and ediscovery, and had a number of people come
up to me throughout the day and ask me something like, “I am a total novice
when it comes to cybersecurity. What is the best platform for me to store
my files securely?” There are certainly a lot of platforms to choose from
and some are better than others, but usually the platform is the least of
your worries.

Imagine you store your client files in that one room from Mission:
Impossible 1. Would Tom Cruise need to fake a fire and crawl through the
ventilation shaft with some weird pulley system if the NOC list was
accessible remotely via one of the employee’s cell phones?

Most of the time, if you are looking at increasing your firm’s security,
the weak link is not the software you use to store your files – it’s you
and your policies (or lack of policies) for accessing files. Here’s what
I’m talking about:

Mobile Access

A lot of cloud service providers have mobile apps to access your files
remotely. Of course, a lot of phones allow you to access your email from
your phone too. So, on most business phones, there are at least
confidential emails. An unsecured phone is a much easier route to that
information than going in to hack the server. A good portion of data
breaches from unsecured phones come from phones that are just lost or
misplaced too.

So, aside from the simple solution of locking your phone with a password,
there are other solutions that you can employ to help keep your information
safe. First though, consider the physical characteristics of your phone.
Hold your phone up to the light and turn to look across the surface of it.
Can you see the outline of your trace pattern to unlock your phone
(Android), or can you see finger smudges over the password keys? If so,
using a password might not be the best solution for securing your phone.
Companies can also dictate what the minimum security level is to have
access on that phone. For example, I had a client that dealt with health
records. They had server controls that did not allow email to be synced to
an employee’s phone if the employee did not have a strong lock system, such
as a password or fingerprint lock on their phones.

Several cloud apps also allow you to configure a password to access
complete cloud directories in the mobile app. Without that, if someone does
get your phone, they have access to all of the documents in your cloud
drive.

Some phones also allow for remote locking and remote wipe. That way, if you
can’t find your phone, and you don’t know if it’s lost or stolen, you can
remotely lock it or remotely wipe the phone’s memory.

In sum, lock your phones using the most secure method available. If you are
concerned, enable controls on your server that block users who do not lock
their phones. Look into whether you can remotely lock or remotely wipe your
phone’s memory if you think it might be stolen or misplaced.
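The server-side control the author's health-records client used, written out as an added example (this is not code from the article or from any product the article names): an Exchange ActiveSync mailbox policy that refuses to sync mail to a phone that does not enforce a lock code, followed by a listing of devices that have not fully applied it. It assumes an Exchange admin PowerShell session (on-premises Exchange Management Shell or Exchange Online); the policy name and thresholds are assumptions, not values from the article.

```powershell
# Added example, not from the article. Assumes an Exchange admin session.
$policyName = 'PhoneLock-Required'   # assumed name

# Create the policy once; re-running the script leaves an existing one alone.
$policy = Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $settings = @{
        Name                         = $policyName
        PasswordEnabled              = $true        # phone must have a lock code
        AllowSimplePassword          = $false       # rejects 1234, 1111 and the like
        MinPasswordLength            = 6            # assumed threshold
        MaxInactivityTimeLock        = '00:05:00'   # auto-lock after 5 minutes idle
        MaxPasswordFailedAttempts    = 10           # phone wipes itself after 10 failures
        RequireDeviceEncryption      = $true        # a lost phone's storage is unreadable
        AllowNonProvisionableDevices = $false       # phones that cannot enforce the policy are refused
    }
    $policy = New-MobileDeviceMailboxPolicy @settings
}

# Make it the default so newly enabled mailboxes inherit it, and assign it to
# every existing mailbox so nobody keeps syncing under an older, weaker policy.
Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $policyName
}

# Audit: which partnered devices have not fully applied the policy?
# Until a device reports AppliedInFull, the server withholds mail from it.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-MobileDeviceStatistics -Mailbox $_.Identity
} | Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceFriendlyName, DeviceType, DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize

# The remote wipe the article mentions is the same mechanism: once a device's
# identity is known from the listing above, Clear-MobileDevice -Identity <DeviceId>
# queues a wipe that the phone carries out on its next sync attempt.
```

The last block of the listing is also the check to run before approving a new phone: a device that shows NotApplied or PartiallyApplied is exactly the unsecured phone the article describes.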

Securing Your Computers

If computers are set up to remotely access files, they are one of the
easiest ways to get a company’s data. Again, aside from the simple solution
of putting a password on your computer, here are a few more ways to make
your computers safer.

If your computer has a password, it does not help if the computer does not
get to the password login screen. Configure your computers so they go to
sleep after a few minutes of inactivity and require a password at wake up.
I have two levels of settings for my work computers. I have them set to
lock with a password after just a few minutes of inactivity when they are
plugged in, and a much longer period if they are not plugged in. The
rationale there is if my computer is on and plugged in, it’s probably at my
desk, and if I have not hit any keys for a few minutes, I’m probably not at
my desk. Conversely, if my computer is not plugged in, it’s because I have
it with me, and am probably doing some kind of a presentation or using it
in court, and I might have a longer gap in between slides as I explain
something on the screen, so I would not want it to turn off after just a
few minutes. Otherwise, I would be constantly reconnecting to the projector
and waking my computer up during a presentation.
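The two-tier lock policy described above, applied on a Windows laptop with powercfg, as an added example (not code from the article or the author). It assumes an elevated PowerShell prompt; the timeouts are assumptions chosen to match the author's reasoning, not values the article gives.

```powershell
# Added example, not from the article. Assumes an elevated PowerShell prompt on Windows.
$acMinutes = 3     # idle minutes before sleep when plugged in (probably at the desk)
$dcMinutes = 30    # idle minutes on battery (probably presenting or in court)

# Plugged in: sleep the display and the machine quickly.
powercfg /change monitor-timeout-ac $acMinutes
powercfg /change standby-timeout-ac $acMinutes

# On battery: tolerate long pauses between slides.
powercfg /change monitor-timeout-dc $dcMinutes
powercfg /change standby-timeout-dc $dcMinutes

# A timeout is worthless if waking up does not land on the login screen:
# require a password on wake in both the AC and DC halves of the active scheme.
powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setactive SCHEME_CURRENT

# Belt and braces: the blank screen saver locks the session on the plugged-in
# timeout even if someone later raises the display-sleep setting.
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'       -Value "$env:SystemRoot\System32\scrnsave.scr"
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'   -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'   # lock on resume
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'  -Value ([string]($acMinutes * 60))

# Show what the active scheme now reports for display idle and wake-up lock.
powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE
powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK
```

The screen-saver values are per-user, so run that part as each account that logs on to the laptop, or push the equivalent settings through Group Policy.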

If you have work laptops, try setting up cloud syncing of files, as opposed
to requiring employees to download and create multiple copies of files.
Many cloud providers allow you to unlink a computer and remotely wipe the
files from the missing or stolen laptop.

Conclusion

Before you begin looking at making big changes in your file storage
solutions, take a look at your policies and procedures in the office to see
whether the weak link is going to be from within or from whatever platform
you choose to store files on.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 