The hardest aspect with this approach is deciding what data needs extra protection, but there are several tricks of the trade that were brought up by the panelists at the Protecting the Company;s Crown Jewels in the age of Information Security Trends at the the LegalTech conference being held in New York City this week.
This can run the gamut from properly locking down personal mobile devices used for business to teaching staffers about spearphishing and general data security hygiene.
The Bring Your Own Device (BYOD) trend can be particularly worrying to any organization, said Sabito Morley, vice president of IT infrastructure and operations for DaVita Kidney Care, adding that people tend to view these as a personal device and not concern themselves with its security.
“For BYOD you must require people to put some app like Mobile Iron on the phone to encrypt it and have an agreement with the person that upon separation from the company it can wipe the device,” Morley said, adding a concession has to be made to allow the former employee to keep his or her personal data on the phone.
Jason Stearns, director of the legal and compliance group at Blackrock, agreed adding an additional layer of protection should be built in by continuing to give important executives corporate devices as they are the most likely to be targeted by hackers.
The problem of workers and outside vendors making mistakes that can lead to a security lapse can even occur while inside the home office, Stearn said. This can be something as simple as leaving papers with sensitive information strewn about an unattended desk or workers using an app like WhatsApp to pass around data not realizing it is outside their protected system and vulnerable to interception, said Gail Rodgers, a partner at DLA Piper.
The panelists also agreed a data breach is most likely to happen when an employee either consciously or unconsciously allows the breach to happen. Innocent mistakes in this category are usually due to spearphishing attacks.
Morely pointed out that one in 40 spearphishing attacks are successful with this attack vector now being one of the top profit generators for hackers. To combat companies have to impress upon staffers the importance of ensuring the emails they open are legitimate or install software that can spot these attacks.
Morely said there is software that can tag an email that comes from outside a company. This can help people determine if an email is dangerous or not by simply looking at the tag and who supposedly sent the email. If it's labeled coming from the outside, yet the return address is the HR department or CEO than it becomes more obvious the email is malicious.
The final lesson imparted by the panel is to delete old data. Stearns said 70 percent of most stored content is no longer needed and can be eliminated and once it is out of the system it is no longer a danger, he said.