Emerging Markets Law

Cyber Hygiene Habits: Have a Plan For Your Employees

For 2015, we are addressing data security and privacy by discussion of topics relating to information security and hygiene. Parts one and two covered knowledge of what laws cover your business and of what data you have in your networks. This installment covers the human side of data handling: which employees have access to your data, and why.

Data security is not merely a function of IT and technology. There is a large behavioral component to it, as well. That is even more true of insiders than of third parties who try to gain access from outside your enterprise. Consider, for example, the disgruntled employee who leaks HR records via a social media account. Or the temp who accidentally emails a file outside the company. Or the dismissed employee who uses still-valid account credentials to gain access to confidential data or to send offensive material to your clients. All of these depend more on training, knowledge and policies than on deployment of advanced technology. And although there are tech fixes that could help here, prevention and mitigation can better be handled with behavioral approaches that are decidedly low-effort and not at all complex. Choosing any or all of the below approaches, and documenting them effectively, can be a very helpful exercise in cyber-preparedness.

Access Based on Role

Having a policy that access to information is based on role could help keep sensitive data in only a limited number of hands, thus reducing the risk of accidental (or malicious) exposure. To segregate data effectively, you need some help understanding how and where data enter your enterprise, what those data are, and whom they touch as they flow through the company. You might find, for example, that you have recurring payment authorization from clients on hand. If it is stored electronically, knowing who has access to it – and why – is a good idea. Does anyone outside Accounts Payable need that information? Is there a way to segregate the data from the general employee pool, or to impose a secure access requirement (such as a file password)? These are very simple measures that can help avoid a loss of data merely by minimizing the number of hands through which it can pass. Likewise with internal-only data such as HR records. It is likely that your entire organization has no need for employee SSNs and other such data. Confining that data to a secure file/database minimizes exposure by reducing the odds that someone will (deliberately or not) transmit it outside the company. 

Training and Awareness

Based on their role in your company, your employees should be made aware of what sensitive information they may have access to, why they have such access, and why it is sensitive. Creating this heightened awareness on their part depends on your deciding who should have access to what, and whom to target for training. Be aware that the best practice currently is to have a cross-functional team that shares responsibility for cyber issues, both in planning and in responding.     

In addition, educating relevant employees on how to respond to an incident (reporting, investigating, communicating, etc.) is a large part of training. They should know whom to call, who is authorized to speak for the company, and what role they will play in investigation of an incident.     

Device and Account Policies

In addition to training and role-based permissions, there are several very simple measures that can help manage data access and use by employees. For starters, consider requiring PIN/password protection on devices used to access the Company networks. Encrypt sensitive files and portable devices and media so that not just anyone can use them. (Incidentally, if encrypted data is lost or stolen, not only is it generally unusable, but you might not have a legal duty to disclose the incident: one more benefit of encryption.) Have an on-boarding and an exit process for employees. Changing corporate account credentials when someone leaves is very easy. So is requiring that each employee have his or her own credentials for vendor accounts. So, for that matter, is having employees sign a confidentiality policy when they start work.

Conclusion

Taking the time to plan, and to decide and communicate what role(s) your employees should play in cyber awareness and security, can go a long way toward prevention of incidents, or mitigation if an incident occurs. Being able to tell the story of your planning efforts may become important if you ever have to discuss an incident publicly or, worse, testify about one.    