Today's General Counsel, V12 N5, October/November 2015


Cybersecurity

content becomes effectively decrypted every time it’s accessed. Still, many companies expend extraordinary effort securing network systems, building higher firewalls, and prohibiting or severely limiting cloud usage. The truth is that it’s pointless to spend so much time and money addressing on-premises network security, when less and less data is actually stored there.

Employees are using the cloud whether companies want them to or not, and because employers can’t control this usage, employees begin to take inadvertent risks.

Bring-your-own-device culture is on the rise among attorneys. More than 77 percent of lawyers admit to using personal devices at work, and 36 percent of law firms even expect employees to use their own smartphones. What’s more, 90 percent of lawyers use cloud-based file-sharing services like Dropbox or Google Drive on these personal devices, as well. With these kinds of numbers indicating that employees aren’t using company-sanctioned software, mistakes are easy to make. Employee negligence is often cited as the number-one cause of data breaches, and is twice as likely to occur as outside attacks.

For instance, consider this: An engineer is asked to provide an overview of her team’s work for potential patent opportunities, so she saves a trove of records, the team’s product roadmap, and more details about the company’s secrets to her work computer. She then syncs it to her Dropbox to review it at home and to have easy access to it on her tablet at the next day’s meeting.

That scenario is common, and in some ways it’s prudent. After all, being able to sync to mobile devices and have access to information anywhere boosts efficiency and makes working outside the office seamless.

Unfortunately, what’s also all too common is what happens next. The engineer attends the meeting, all goes well, but on the way home she leaves her tablet on the subway. Now all the company files she’d synced to her tablet are available for anyone to find. Though Dropbox and most other cloud providers provide security for files on their network and in transit, the files lack encryption protection once they are synced to mobile devices.

Employee negligence has many faces. Loss or theft of mobile devices is only one of them, but it’s a big one: Last year, 1.4 million smartphones were stolen, so the odds are good that if you don’t lose yours, someone at your company will. Employees also mis-address emails containing sensitive information, share passwords and leave work files unsecured.

Best Practices

Despite the cloud’s vulnerabilities, it is safer than legacy networks and can be safer still with the right precautions. As mobile devices and BYOD culture become an increasingly normal way to work, securing file synchronization should become a priority. Beyond that, it’s essential to stay abreast of evolving best practices. Constantly considering and maintaining company security is one of the most important things company decision makers can do, especially in the face of changing technology. Here are a few best practices to consider:

• Encrypt at the file level. Seek out a security provider that delivers file-level encryption, a level of protection seldom offered by the storage provider itself. This designation means that the data itself is protected, not merely the places where it’s being stored. Your files will be encrypted before they ever reach the cloud, and remain encrypted wherever they reside and when they’re shared or synced. File synchronization security will allow employees to sync client and company files to mobile devices without worrying about them falling into the wrong hands. When a phone or tablet is lost or stolen, the synced files won’t be readable to anyone but an authorized user.

• Embrace the cloud. Understand that employees are using the cloud whether or not it’s sanctioned, and that they prefer to use the software they’re already familiar with. It is predicted that by 2018, 70 percent of all professionals will be conducting business on their personal devices. When a company acts early, adopts apps that users already like, and adds extra security to protect those apps, employees will stop seeking out unsafe workarounds. That greatly diminishes the odds of a breach.

• Prepare for a breach anyway. Denying that any company is at risk is simply irresponsible, because the odds are that a breach is inevitable. Having a clear and regularly updated data breach response protocol in place is vital to being able to react promptly and effectively.

• Keep tabs on files’ whereabouts and movements. Maintain an audit trail to see when files are being opened and edited and by whom. Grant employees access to sensitive data on a need-to-know basis, and allow auditing software to show who is accessing them. If someone unfamiliar opens a sensitive file, take action quickly to stop a breach.
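The audit-trail practice above, sketched as an added example that is not from the article or from any vendor's product: it builds a per-file trail of who opened or edited what and flags accesses to sensitive folders by users outside the need-to-know list. The log format, user names, paths and policy are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit trail (not real data): time, user, action, path.
AUDIT_LOG = """\
2015-10-01T09:02:11Z,engineer1,open,/patents/roadmap.docx
2015-10-01T09:15:40Z,counsel1,edit,/patents/roadmap.docx
2015-10-01T22:47:03Z,contractor7,open,/patents/roadmap.docx
2015-10-02T08:30:00Z,contractor7,open,/public/handbook.pdf
2015-10-02T08:31:19Z,engineer1,edit,/patents/claims-draft.docx
2015-10-02T23:05:52Z,intern3,edit,/patents/claims-draft.docx
"""

# Hypothetical need-to-know policy: sensitive folder prefix -> users allowed in.
NEED_TO_KNOW = {"/patents/": {"engineer1", "counsel1"}}


def parse_events(text):
    """Turn CSV audit lines into dicts, skipping blank or malformed rows."""
    fields = ("time", "user", "action", "path")
    rows = csv.reader(io.StringIO(text))
    return [dict(zip(fields, r)) for r in rows if len(r) == len(fields)]


def allowed_users(path, policy=NEED_TO_KNOW):
    """Return the allowed set for a sensitive path, or None if not sensitive."""
    for prefix, users in policy.items():
        if path.startswith(prefix):
            return users
    return None


def review(events, policy=NEED_TO_KNOW):
    """Build the per-file trail and list accesses outside need-to-know."""
    trail, alerts = defaultdict(list), []
    for ev in events:
        trail[ev["path"]].append((ev["time"], ev["user"], ev["action"]))
        users = allowed_users(ev["path"], policy)
        if users is not None and ev["user"] not in users:
            alerts.append(ev)
    return dict(trail), alerts


if __name__ == "__main__":
    trail, alerts = review(parse_events(AUDIT_LOG))
    for ev in alerts:
        print("ALERT {time} {user} {action} {path}".format(**ev))
```

Files outside a sensitive prefix still appear in the trail but never raise an alert, so the handbook access by the contractor is recorded without being flagged.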

Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information. asaf@sookasa.com
