I write about hacking and data security periodically, even though sometimes I get the feeling legal professionals try hard not to think about the subjects. But the stories in this realm bear repeating. Corporate data security is a real concern for many, many corporate attorneys, and especially in-house counsel.
Data security problems used to stem most frequently from weak firewalls or unencrypted equipment. But more and more, the biggest sources of risk and liability are just dumb or technologically overeager employees.
What kind of computer trouble are you and everyone you know getting your company or firm into? Let’s see….
From the Wall Street Journal:
Hacking attacks against companies are growing bigger and bolder—witness a string of high-profile breaches this year at Sony Corp., Citigroup Inc. and others. But gone are the days when hackers would simply find holes in corporate networks to steal valuable data. Large companies have grown wise to the threat of hacking, and have spent the past 30 years hardening the perimeters of their networks with upgraded technology.
These days, criminals aren’t just hacking networks. They’re hacking us, the employees.
Well, not me, technically. I don’t have a “real job,” with “benefits,” or “health insurance,” or a “work computer.” Point is, the technology would be good enough to keep companies safe much of the time, but we humans, who still sometimes feel the need to email our passwords and click dodgy links, have become the weak link in the chain.
Especially now that Twitter, Gmail and Facebook are basically a de facto standard in many workplaces. (If your organization officially prohibits those sites and you think everyone follows the rules, you might be a touch over-optimistic.) Employees even cause problems when they’re trying to help:
We also open a Pandora’s Box of security problems by circumventing company tech-support rules and doing work with personal gadgets and consumer-grade online services like Web email and cloud storage services.
This is a tough one. If you’ve done something like this at your job — updated your computer’s Flash player or web browser, switched to Chrome (because why in hell does anyone still use Internet Explorer?), or tried to set up a work-related Google doc — raise your hand. If you’re not raising your hand and you are under 40 years old, stop lying.
The whole thing sucks. It puts the lawyers and bean counters in a bind. When you can’t access a client’s website because your PC’s Flash player is out of date, but you can’t update it yourself and have to call the Help desk, and they tell you the system-wide upgrade won’t happen until Thursday — obviously everyone is wasting a lot of precious time.
But without all the controls, some 97-year-old executive who still prints out every email (this actually happens) might accidentally turn on his computer and do God knows what. Even if the negative-Nancy lawyers manage to institute the proper hardware protections and employee policies, someone might still use Gmail for official (government) business or simply lose an important flash drive. There’s only so much you can do to prevent these kinds of shenanigans:
Consider what happened in March at EMC Corp.’s RSA security unit, the maker of computer login devices used by thousands of other companies. A hacker sent emails to two small groups of employees that looked innocent enough, including a spreadsheet titled “2011 Recruitment plan.” The message was so convincing that one employee retrieved it from the “junk mail” folder and then opened the attachment. Doing so introduced a virus inside RSA’s network that eventually gave the hacker access to sensitive company data and enabled later attacks against RSA’s customers.
As Dave Grohl says, “Life’s a bitch, but keep on truckin’.”
If you have any thrilling — or uber-successful — data security stories from the attorney perspective, please send them to email@example.com with the subject “Data security.”
What’s a Company’s Biggest Security Risk? You. [Wall Street Journal]
Christopher Danzig is a writer in Oakland, California. He previously covered legal technology for InsideCounsel magazine. Follow Chris on Twitter @chrisdanzig or email him at firstname.lastname@example.org. You can read more of his work at chrisdanzig.com.