The year’s barely half over, and it’s already setting records for cybersecurity incidents. The National Security Agency has been hacked, the WannaCry ransomware incident swept the world, and an openly available data file potentially exposed the voting data of almost 200 million people. IdentityForce, a security services provider, offers a sobering read of how brands ranging from Arby’s to Brooks Brothers have come under attack. In a sense the news is that this is an intensification of a familiar story—the attack on customer data. But even as business leaders should be finely attuned to these broad consumer attacks, they must also keep in mind the evolving logic of attacks on targets inside their companies. Commonly made assumptions may be in need of a re-think.
While it’s true that cybersecurity has to be a priority for every employee, some organizations take that sentiment too far and assume that means giving every employee the same lecture about cybersecurity, regardless of their job responsibilities. But certain departments need it more than others. Take legal, human resources (HR), and accounting.
What makes cybersecurity so critical for these three departments? First of all, all three tend to have access to a lot of personally identifiable information (PII), whether it’s for staff, customers, or the company itself. There are Social Security numbers, addresses, finances, and all sorts of other data. Second, those departments tend to be staffed by people who, while experts in their respective fields, aren’t necessarily experts in information technology (IT).
That’s not to say that IT staffers are inherently better at security than staffers in these other departments. In fact, a 2016 Ponemon Institute survey reported that finance and accounting, legal, and HR were three of the top four company departments that were most conscientious about protecting an organization’s sensitive and confidential information. IT? It ranked seventh.
That said, hackers are increasingly going after these departments because they hold the keys to the corporate kingdom, as it were. In addition, because their staff are typically considered less technically sophisticated, and because today’s companies are so interconnected, hackers can often use a single weak spot to enter the perimeter of the corporate network and then gain access to everything. The same dynamic applies to security incidents caused by disgruntled employees, who are in fact more likely than outside hackers to create those incidents.
“Many companies implement controls that focus on protecting their networks and systems against incursions by external attackers, but they have less developed approaches to security once an attacker gets into the network,” write three attorneys in Inside Counsel. “Such an approach may not adequately safeguard the ‘crown jewels’ of a company’s enterprise, including valuable trade secrets, sensitive personal information, financial information, business plans and health records.”
One of the most common ways for hackers to get inside is through the well-known technique of “phishing,” where an email purporting to be from a colleague, customer, or supplier actually collects information that the hacker can use. The information might be valuable by itself, or as a means of obtaining further entry into the system. HR is particularly vulnerable to this type of attack because, typically, staffers in that department are predisposed to be helpful.
So what’s an IT staff to do? Here are some suggestions.
Encrypt data based on a risk assessment. Organizations should periodically conduct a data security risk assessment, according to Thomson Reuters Practical Law Intellectual Property & Technology in Above the Law. “This process allows organizations to know where they stand, identify pitfalls, and mitigate potential security risks before data breaches or other cyber incidents occur,” the organization explains. Depending on the results of the assessment, and what data could potentially be exposed, organizations may wish to encrypt the data.
Look beyond the password. Make judicious use of technologies such as two-factor authentication, biometrics, password requirements, and identity systems that limit access to certain applications or data based on a person’s role at the company. Requiring a fingerprint or access to a cellphone or other hardware device can make systems more secure. Identity systems keep access to legal, HR, and accounting data limited to the people actually in those departments. At the same time, don’t make things too challenging: Requiring everyone to have a 32-character password that’s changed every month simply guarantees that everyone’s password will be on a Post-It on the side of the computer.
Log access to sensitive data. Once your security systems are set up, don’t get complacent. Log and review access to sensitive data and set up alerts for anything out of the ordinary, such as sudden large downloads of the entire HR database or people logging in from unusual locations or at 2AM. While hackers might still get access to some data, one of the biggest problems with malware is that it can sit on your computer systems for months or years before it’s discovered.
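The kind of review the paragraph above describes, as an added illustration that is not from the original article: a small script that reads constructed access-log lines for an HR database and flags the three anomalies named (bulk downloads, off-hours logins, access from a location the user has not used before). The log format, thresholds and per-user location baselines are assumptions chosen for the example.

```python
"""Toy access-log review for a sensitive dataset such as an HR database.

Flags the anomalies the article names: bulk downloads, logins at
unusual hours, and access from locations a user does not normally use.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one event per line: "timestamp user country dataset rows"
SAMPLE_LOG = """\
2017-06-12T09:14:02 alice US hr_db 12
2017-06-12T09:40:51 bob US hr_db 3
2017-06-12T02:05:17 alice US hr_db 8
2017-06-12T11:22:09 carol DE hr_db 7
2017-06-12T14:03:44 bob US hr_db 48000
2017-06-12T15:10:00 alice BR hr_db 5
"""

BULK_ROWS = 10_000        # rows in a single request that amount to "the whole database" (assumed)
OFF_HOURS = range(0, 6)   # 00:00-05:59 is out of the ordinary for this office (assumed)
# Where each user normally works from; in practice built from historic logs (assumed values)
BASELINE_COUNTRY = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}}

@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    dataset: str
    rows: int

def parse_log(text):
    """Parse the whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, dataset, rows = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, country, dataset, int(rows)))
    return events

def find_alerts(events):
    """Return (reason, user, timestamp) tuples for events that deserve a human look."""
    alerts = []
    for e in events:
        if e.rows >= BULK_ROWS:
            alerts.append(("bulk_download", e.user, e.ts.isoformat()))
        if e.ts.hour in OFF_HOURS:
            alerts.append(("off_hours", e.user, e.ts.isoformat()))
        if e.country not in BASELINE_COUNTRY.get(e.user, set()):
            alerts.append(("unusual_location", e.user, e.ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Each rule on its own produces false positives (a payroll run legitimately reads many rows; a travelling employee logs in from abroad), so the output is a review queue for a person, not an automatic block.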
Don’t make things too hard. Ultimately, people have to do their jobs, and simply telling them “Don’t” isn’t likely to win their cooperation. In fact, trying to lock down things too much can result in people using less-secure workarounds instead. “Surveys suggest that many workers see a trade-off between efficiency and data security, and when forced, they’re choosing efficiency over security,” writes Paxton Hehmeyer in The Law Insider. “In a recent survey, 15 percent of Millennials, 13 percent of Gen Xers, and 13 percent of Boomers said they were ‘very likely’ to find ways around restrictive security controls, and 41 percent, 29 percent, and 15 percent respectively said they were ‘moderately likely’ to do so.”
So if people are dead-set on working at home, make sure the data is protected and they have access to a virtual private network (VPN) or a secure sockets layer (SSL) connection with reasonable performance, rather than simply telling them not to do it. (One survey found that among the worst workaround offenders were often C-level executives, because they typically had the most access to sensitive data and were more likely to travel or otherwise need data outside the office or office hours.)
Finally, keep in mind that these three departments can also be important partners with IT in terms of protecting the entire company from a cybersecurity attack.
- Legal – helps include security in contracts and needs to be kept in the loop in the event of a data breach. In addition, legal should work with IT in getting cybersecurity insurance and proactively updating and reviewing the incident response policies and plans based on regulatory compliance and data breach notification requirements.
- HR – provides training, particularly during staff onboarding, but also regularly updated – not just a PowerPoint presentation once a year. “It oversees employee training, onboarding, cultivating a positive corporate culture, and redressing employee conduct,” Hehmeyer writes.
- Accounting – brings useful skills to the cybersecurity battle because finance and accounting personnel are familiar with audits and with the company as a whole.
In short, cybersecurity is critical for all employees equally – but it’s important to consider the different needs of different departments rather than settling for a one-size-fits-all approach. And it’s not just a one-way street, either: Departments outside IT have valuable insights on cybersecurity as well. As threats continue to evolve, failure to think creatively about solutions will be a source of needless risk.