Data Security and the “Low-Hanging Fruit”

by Christian Auty
December 1, 2015
in Uncategorized
Protecting an organization from a data breach can seem daunting, and impossibly technical.  But the good news is that there are some basic precautions that can help.

There is a saying in the data security community that is a bit tired, but nevertheless true: There are two kinds of companies – those that have been hacked and those that will be hacked.  When clients come to us with questions about data security, it is often necessary to consult technological experts in this arena, especially when the client suspects that its data may have been breached.  All too often, the client first consults us only after this suspicion has arisen.  In these cases, we frequently find that basic and non-technical security best practices have been ignored.  In fact, an organization can make some fairly rudimentary changes to secure its data more fully, even without information security expertise.

These suggestions will by no means insulate a company from a data breach, but they may serve to diminish the probability of one.

Develop and Enforce Password Protocols

According to a fascinating recent series in Fortune Magazine concerning the Sony hack, Sony personnel were well-known to have a weak approach to passwords.  This was not due to a lack of knowledge about correct password protocols.  Rather, the problem was both cultural and political, and not unique to Sony.  The lesson the Sony hack offers is that data security broadly, and password policies in particular, require management buy-in and emphasis.  Without such engagement, an organization’s password policy will not be followed and simple passwords will be chosen, with predictable consequences.

A good password policy should do two things: 1) enforce strong password protocols (i.e., numbers, symbols, capital letters and, ideally, no dictionary words) and 2) force a password change every three to six months.  Password strength requires no explanation.  I once saw a beer cozy at a football tailgate that said “I drink because your password is password.”  A strong password is basic stuff and important.  The second requirement is also very important, but for a different reason.  Clients often ask, “If my password is so strong, why do I need to change it?”  The answer is that you probably don’t need to change it if you never disclose it and never use it anywhere else, ever.  Of course, this scenario doesn’t exist.  In practice, we use the same passwords for multiple log-ons.  By changing passwords frequently, we are attempting to achieve enterprise differentiation.  This essentially reinforces a basic tenet of a good employer’s security policy—namely, that employees must have strong and completely unique passwords used only for work.  To be sure that enterprise differentiation is achieved, one final requirement is needed: no repeats.  Otherwise, employees may simply rotate the same two passwords over and over again.

With a little work, standard operating systems can be made to enforce these standards.  Typically, no new software is required, but the policy must be compulsory.  Simply asking employees to change their passwords and sending email reminders likely is not enough to achieve 100 percent compliance.

Enterprise differentiation should be the goal of every business.  Employees are constantly bombarded with spam and spear-phishing attempts targeting an array of data in their daily lives.  If an employee’s bank password is the same as his work password, then the strength of the password is wiped out. In fact, a startling percentage of data breaches originate from legitimate credentials.  Remember, it is very easy for a hacker to figure out where a target works, as this information is almost always publicly available on LinkedIn and Facebook.  The steps outlined above will help ensure that a hacked employee does not result in a hacked employer.
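As an added illustration, not code from the article or its author, the following Python sketch turns the three rules of this section into an enforcement check: complexity, a rotation deadline, and a salted password history that blocks repeats. The 90-day maximum age (the strict end of the article's three-to-six-month range), the 12-character minimum, the 24-entry history depth and the word list are all assumed or constructed values.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta

# Complexity and "no repeats" come from the article; the 90-day age is the
# strict end of its 3-6 month range. Length and history depth are assumptions.
MAX_AGE_DAYS = 90
MIN_LENGTH = 12
HISTORY_DEPTH = 24

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "football", "summer", "company"}


def complexity_errors(password: str) -> list[str]:
    """Return every complexity rule the candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    if not re.search(r"[A-Z]", password):
        errors.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no symbol")
    if any(word in password.lower() for word in DICTIONARY):
        errors.append("contains a dictionary word")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so the history never holds passwords in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password: str, history: list[tuple[bytes, bytes]]) -> None:
    """Record a fresh salt and digest; keep only the newest HISTORY_DEPTH."""
    salt = secrets.token_bytes(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]


def reuses_old_password(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True when the candidate matches any remembered password (the "no repeats" rule)."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)


def password_expired(last_changed: date, today: date) -> bool:
    """True when the user is past the rotation deadline and must change."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def check_password_change(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """All reasons the change would be rejected; an empty list means accepted."""
    errors = complexity_errors(candidate)
    if reuses_old_password(candidate, history):
        errors.append("reuses a previous password")
    return errors
```

On a real system these checks belong in the operating system's password policy rather than in application code; the sketch only makes the rules concrete.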

Patch Your Security Vulnerabilities

Almost invariably, software that is released to the public, even very popular software that is widely used, will have security vulnerabilities.  Hackers will attempt to exploit these vulnerabilities.  The stakes can be huge: everyone has the software, and nobody knows about the vulnerability.

Researchers at top technology firms devote a substantial portion of their time to finding these vulnerabilities, or the malware that exploits them, before too much damage is done.  An attack based on a latent vulnerability is called, rather ominously, a “zero-day” attack, because the vulnerability existed at inception and, once known, the developer has zero days to fix it.  For example, as detailed in this account, a group called Pawn Storm recently utilized a latent vulnerability in Adobe Flash to spear-phish various government agencies.  And as new software is released, new exploits will be revealed, attacked and patched.

Sadly, there is little average users can do at the outset to protect themselves from a “zero-day” attack.  The good news is that, very often, the author will respond with a software “patch,” freely provided to all users, to resolve the vulnerability.  This works as long as users actually apply the patch to their system.  Yet, according to HP Security Research’s 2015 Cyber Risk Report, well-known and even decades-old attacks remain effective, because users simply do not patch their software.

An effective patching strategy again starts with management focus.  Frequently, patching means downtime, as it is often difficult or impossible to use applications while the patch is being implemented on users’ machines.  This means scheduling appropriate times for patch implementation and working hand-in-hand with IT to determine when patches are complete.  Ask your IT professional today about their patching strategies and difficulties.

Security Begins with Information Governance

It sounds absurdly simple, but you cannot lose what you do not have.  The storage of unnecessary information, whether it is legacy emails or structured data that is no longer of value, remains an enormous obstacle for many companies.  Frequently, overly cautious approaches to data retention result in real costs; indeed, not only does the retained data expand an organization’s threat surface, it also imposes real and potential costs in terms of storage and discovery in litigation.  Federal Rule of Civil Procedure 37 permits an organization to develop and enforce a routine email deletion policy, assuming the information is not subject to actual or threatened litigation.  This rule, which is almost certain to be amended in December 2015 to even more favorable language, acts as a safe harbor for organizations deleting email information in good faith.  Engage your counsel in a discussion concerning your information governance policies and practices.  Every organization is different and every organization has different data needs, but it is very likely that most companies are storing too much extraneous data, vulnerable to hackers and plaintiffs alike.


Tags: Communications Management
Christian Auty

Christian Auty is a Principal at law firm Much Shelist. An experienced litigator, Christian has an established reputation as a strong client advocate and is well-versed in issues at the intersection of law and technology, including data privacy and data breach response, electronic discovery, data storage and retention practices and information governance.
