LEGAL CENTS: How to minimize security threats from the inside

Listen to this article

If you haven’t seen the 1999 cult classic “Office Space,” rent it. Mostly because it’s funny, but also, it demonstrates the biggest cybersecurity threat in your legal department: your people.

In the film, employees plant a virus in their workplace computer network after suffering a series of indignities, such as a loyal worker bee continually denied a piece of cake, perpetuated by a soulless boss.

Whether it’s the willful act of disgruntled employees or the carelessness of insiders, the people that work in an office offer the most likely threat of exposure to a company’s sensitive data, said information technology professional Sarit Singhal, owner of Superior Support Resources Inc., Brookfield.

You can hire a cybersecurity professional to lessen the threat, and that’s money well spent for some companies. But if it’s not in the budget, Singhal said there still are many free or low-cost ways to protect your data.

First, don’t be a soulless boss.

Second, educate yourself. Two excellent, free online resources are the Department of Homeland Security’s Center for Internet Security, msisac.cisecurity.org, and the Information Security office at Carnegie Mellon University, cmu.edu/iso/governance/index.html. Both are especially reliable because they are not vendors.

Using that knowledge, you can devise basic cybersecurity rules, as well as consequences for straying outside of them. Communicate the rules to all employees — not just when they join the department, but quarterly, via face-to-face discussions (preferably over food, perhaps cake for all). Don’t just email cybersecurity reminders, because no one will read them.

Singhal also advised companies and firms to implement a social media policy that allows self-expression without revealing proprietary information. The Coca-Cola Co.’s policy, available online at thecoca-colacompany.com/socialmedia, is a good starting point, he said.

He also advised developing a mobile-device policy. Any device with access to work email or documents should be password protected, he said.

And don’t forget to hide and secure your Wi-Fi networks. Many businesses offer open internet access so guests can have access, Singhal said, but it’s easy and cheap to put a guest network in place that is outside the company’s firewall.

As with mobile devices, be sure to control access to company computers and network components. No one should know anyone else’s username and password, Singhal said, unless it’s an authorized individual. And when someone leaves the company, passwords should immediately change, he added.

Speaking of passwords, universal ones are a bad idea. Yes, it’s easier to remember one password for multiple uses, but that makes it all the easier for a hacker to get access to sensitive information.

Instead, Singhal recommends a secure password-management system such as KeePass. I’ve used RoboForm with good results, as well. Both options are free.

Companies also can require regular password changes or ask the network administrator to set a policy requiring users change their password at given intervals.

The latest threat to cybersecurity is cloud computing and the resulting “data sprawl.” Clouds have become popular, Singhal said, because they’re inexpensive and simple to create. But that makes it tempting for one of your attorneys to create his or her own cloud, or several of them, unknown to you.

When that person leaves, he or she can potentially take that data to her next job, with your client’s main competitor.

To avoid such issues, Singhal said, make sure your business is using a reputable cloud provider and that you have a policy in place for procuring and decommissioning clouds.

And remember, it never hurts to dole out some company-wide cake now and then.