Biggest Data Breach Threat: Your Employees

Dec 8, 2020 8:15:00 AM / by Ryan Short

2020 has been a banner year for highlighting the visceral relevance of cybersecurity. Risk mitigation is being discussed regularly, but law firms cannot eliminate their biggest source of risk: employees.  


What follows is a brief survey of topics that can trip up even the most well-meaning employees (let alone the less-diligent team members) and some areas where IT and legal leadership can collaborate to protect the business, its customers, and its employees.


More Devices

Bring Your Own Device - or BYOD - policies have been a reality for more than a decade at this point, but many firms have lagged in implementing formal policies. Most companies permit BYOD phones in the smartphone era, and many companies in the tech and advertising space even provide a tech stipend to be spent on things such as laptops, subsidized by the corporation but owned by the employee, to be used for work. Some employees still believe that their personal device is not subject to discovery. This is low-hanging fruit to be addressed, especially if most employees are operating remotely.

  • What devices are acceptable as BYOD, and what must be firm-administered? (e.g. can employees use their own phones, but only access certain programs on firm-issued laptops?)

  • What access does IT have to a personal device? (e.g. to wipe data in the event a phone is lost)

  • What protections are in place? (e.g. multi-factor authentication)

More Collaboration Software

Teams, Zoom, Slack, Trello, google docs, Airtable, Basecamp, Monday... the list goes on. The more channels through which electronic data is created and communicated, the more "backdoors" there are for bad actors, especially through phishing and ransomware. 

  • What are the password policies?

  • Do you recommend or require multifactor authentication?

  • How is the data and metadata preserved?

Home WiFi Networks

Home WiFi represents a major opportunity for attackers to gain entry to corporate data. Simple steps like changing the network name and creating a strong and unique password are common (but not ubiquitous). Other considerations include:

  • Do you utilize and/or mandate virtual desktops?

  • Is a VPN connection recommended or required to access corporate data?

  • Do you recommend changing the IP address?

There is no shortage of ideas to make a home office more secure, and not all of them have to break the bank. Understand the risk/reward of possibilities, communicate clearly, and follow up.


How to Talk to Distracted, Burnt Out Employees

It's never been more important to be stringent about communicating data security threats, but it's also never been more difficult to capture employees' attention. Since the pandemic began, most employees report: working longer hours, having more cluttered inboxes, a higher sense of "burn out".

Generally, security has been treated as a compliance matter, but rarely explained or treated as a cultural issue of material importance.  

With employee attention fragmented, this is the perfect time to get creative in messaging, delivery, and connecting real risks back to business impacts - specifically, how will they personally be affected in the case of a data breach?

  • Humans will always act as they are incented to act, so consider gamifying or even compensating people based on their level of compliance. After all, compensating employees for protecting a business and its customers is a lot more cost-effective than paying legal and IT professionals after a breach has taken place. 

  • Create a cadence in which you provide bite-sized updates on new developments. If there is a company-wide town hall on a monthly or quarterly basis, that's a great opportunity to take 10 minutes to introduce or reiterate a message. And that repetition tells people data security isn't a flavor-of-the-month issue, but an important priority to be built into the culture. Avoid being dry, rote, and overly-technical. Use layman's terms, and showcase your sense of humor if you're comfortable with that. Your responsibility isn't to check off the list of items to address, it's to create an atmosphere of conversation and approachability.

If you'd like to discuss ideas addressed in this blog article, or other cybersecurity items, let me know. We can help.

Tags: Cybersecurity, Data Breach, Legal Services, Risk Management

Ryan Short

Written by Ryan Short

Ryan joined Proteus in 2020. He is an MBA and a Certified eDiscovery Specialist with over a decade of experience in publicly traded, PE-backed, and bootstrapped entities focused on technology-enabled services. Ryan lives in Indianapolis with his wife and their 5 children under the age of 9. Consequently, his wife won't let him buy a dog.