You can’t protect what you don’t know you have. And if any of it is on a computer, it could disappear or be taken before you know it unless steps are taken to protect it. So, in addition to the advice in our recent article on cybersecurity, here is a sister follow-up. It requires that someone in each company sit down, log, and keep track of the following:
1. What kind of data does your company have anyway? If you have employees, you have personnel information, for starters. If your company builds or makes things, you probably have processes or designs or molds or specially outfitted equipment that no one else has. And most companies have client/customer/patient/student lists as well as marketing, investment, and planning documents they wouldn’t want to share with the public. If you run a restaurant, you may have specially created recipes you don’t want to share or, if a manufacturing facility, an invention or chemical mix or method of manufacture that would cost you your edge if competitors could copy it. Those are examples of what might be called “intellectual property.” All of that is data you have, and much of it is data you likely want to protect.
2. Once you have listed what you have, you have to identify where that data is stored, and who has access to it, when, and how. This could be tedious! But hopefully some solace comes from the fact that losing that data, or having someone else steal it, would be more painful. Not taking these steps could also affect insurance coverage if data is lost when the loss might have been prevented. Many deals and requests for proposals (RFPs) now require a company to show that it is taking steps to protect the company using cybersecurity measures as well as training. Why all that? Well, as just one example, if another company wants to hire yours to do work for it, it will want reassurance that its data won’t be compromised when it shares information with yours.
3. You next need to determine what steps your company is taking to protect that data now that you know where it is and who might compromise it because of their access (usually unknowingly). What are some basic systems protections?
a. Make sure you know how to keep your operating systems updated or have an IT person or company who can set that up. Operating systems need to be set for automatic updates. Turning off computers at night or rebooting promotes the installation of updates (as well as clearing out system clutter). Employees need to be reminded to have their smartphones and tablets also set to update automatically.
b. Update your antivirus program and use an anti-malware program. Then ensure that both are set to check for updates frequently and to scan each device on a set schedule in an automated fashion, along with any media (USB thumb drives and external hard drives) that is inserted into a workstation. Wait – scan thumb drives? Among other things, employees should not be allowed to put thumb, jump or flash drives into company computers without them being checked first. They can carry viruses that are then placed directly on the computer the drive is inserted into.
c. Have a strong password policy. IT policies should require complex passwords, meaning at least eight characters with a combination of upper and lower case letters, numbers and special characters. Computer settings should require that employees change their passwords at least four times per year, and employees should not be able to reuse any of their previous ten passwords. It’s a best practice to require each employee to have their own password and not to share it with anyone other than HR and any IT person.
d. Use secure connections, everywhere. Employees should be trained on how to connect securely to the company’s information resources, either by utilizing a VPN (virtual private network) or another secure connection (look for https: in the web address bar). Employees should be told not to do any confidential work on public WiFi and to connect to WiFi for firm work only if they are sure it is authentic (by verifying the SSID and password with the client). Public WiFi is, simply put, never secure. Another option is to have employees use a 4G LTE mobile hotspot or connect through that capability in their smartphone.
e. Provide regular training and education. In addition to reviewing policies, employees should be educated on current cybersecurity attack methods such as phishing and pharming, and threats including ransomware and social engineering used by hackers to get access to a user’s computer (for example, NEVER provide your login, password or confidential information over the phone and to people you don’t know).
f. Train on email risks and how emails can lead to security issues. Employees should be reminded to be skeptical of emails that they did not expect or that are out of character. Employees should be shown how to hover over an email link before clicking, or to look at the email properties to see whether the sender’s email address matches. They also need to be regularly reminded not to click on or open suspicious attachments. If there is any question about a link in an email, it is better to go to the website directly by typing the address into a browser than to risk clicking on the link.
g. Think about getting cybersecurity insurance. Look at whether to get both first-party insurance to cover the company’s direct losses resulting from a breach (downtime, recreation of data, direct remediation costs) and third-party insurance to cover any damages to a client whose data may have been compromised.
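A worked illustration of the password rules in item (c), added here as example code (it is not from the original article or the firm): it enforces the eight-character, four-class complexity rule, refuses any of the previous ten passwords, and flags a password older than the quarterly rotation interval. The 91-day interval, the PBKDF2 hashing of the history, and the class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values exactly as item (c) states them.
MIN_LENGTH = 8
MAX_AGE_DAYS = 91      # "at least four times per year" (assumed 91-day interval)
HISTORY_DEPTH = 10     # none of the previous ten passwords may be reused
CHARACTER_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

def complexity_problems(password: str) -> list:
    """Return the complexity rules a candidate password violates (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    return problems

def _digest(password: str, salt: bytes) -> bytes:
    # Keep only salted, slow hashes of old passwords; never the plaintext history.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class PasswordHistory:
    # One user's record: digests of previous passwords and the date each was set.
    def __init__(self):
        self.salt = os.urandom(16)
        self.entries = []  # (digest, date_set), oldest first

    def reused(self, password: str) -> bool:
        candidate = _digest(password, self.salt)
        return any(hmac.compare_digest(candidate, d) for d, _ in self.entries[-HISTORY_DEPTH:])

    def expired(self, today: date) -> bool:
        # True once the current password is older than the rotation interval.
        return bool(self.entries) and today - self.entries[-1][1] > timedelta(days=MAX_AGE_DAYS)

    def set_password(self, password: str, today: date) -> list:
        # Apply every rule; record the password only when all of them pass.
        problems = complexity_problems(password)
        if self.reused(password):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if not problems:
            self.entries.append((_digest(password, self.salt), today))
        return problems
```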
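An added example (not code from the article) of the two email checks in item (f): comparing the host named in a link's visible text with the host its href actually points to, which is what hovering reveals, and comparing the domain claimed in a From display name with the domain of the actual address. The sample message, the function names and the `.example` domains are constructed for the illustration.

```python
import re
from html.parser import HTMLParser

# Hostname at the start of a URL or of URL-looking link text; no match for plain words.
HOST = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})(?:[/:?#]|$)", re.I)

class LinkCollector(HTMLParser):
    """Pair each link's visible text with its real href, i.e. what hovering reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value: str) -> str:
    """Lower-cased hostname, or '' when the value is not URL-shaped (e.g. 'help desk')."""
    m = HOST.match(value.strip())
    return m.group(1).lower() if m else ""

def suspicious_links(html: str) -> list:
    """Links whose visible text names one host while the real target is another."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for text, href in collector.links
            if host_of(text) and host_of(href) != host_of(text)]

def sender_mismatch(from_header: str) -> bool:
    """True when the From display name claims a domain the actual address does not use."""
    m = re.match(r'\s*"?(.*?)"?\s*<([^>]+)>\s*$', from_header)
    if not m:
        return False        # bare address: nothing is claimed, nothing to compare
    display, actual = m.group(1), m.group(2).rsplit("@", 1)[-1].lower()
    words = re.split(r'[\s<>@"]+', display)
    return any(host_of(w) and host_of(w) != actual for w in words)

# Constructed sample message (not a real phishing mail): the display name claims the
# firm's domain, and the first link's text shows one address while its href goes elsewhere.
SAMPLE_FROM = '"IT Support <support@ourfirm.example>" <mailbox42@freemail.example>'
SAMPLE_BODY = """<p>Your password expires today. Reset it at
<a href="http://ourfirm.example.login-reset.example/">http://ourfirm.example/reset</a>
or contact the <a href="https://ourfirm.example/help">help desk</a>.</p>"""
```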
4. Have a plan for how your company will both respond to and recover from a breach.
5. Think about coming to Central Maine Human Resources Association’s program on IT for employers which takes place on June 19. Go here to register: http://cmhra.org/events/#!event/2018/6/19/everything-employers-should-know-about-it-and-internet-security-chapter-mtg
This article is not legal advice but should be considered as general guidance in the area of employment and corporate law. Rebecca S. Webber, Bryan M. Dench, Amy Dieterich, James F. Pross and Jordan Payne Hay are employment and labor law attorneys; others at the firm handle business and other matters. You can contact us at 207.784.3200. Skelton Taintor & Abbott is a full-service law firm providing legal services to individuals, companies, and municipalities throughout Maine. It has been in operation since its founding in 1853.