[BreachExchange] Five Tips for Training Employees on Effective Cybersecurity Practices

Destry Winant destry at riskbasedsecurity.com
Wed Jun 21 23:46:24 EDT 2017


http://www.lexology.com/library/detail.aspx?g=fe77267a-5f70-4f40-883f-0c36c8cdb6af

In today’s digital age, all employees who routinely use computers or
have access to electronic data should receive at least basic training
on cybersecurity, including best practices for data management. The
failure to adequately train employees can expose employers to
significant legal, financial and reputational risks. Federal and state
regulations protect the privacy of a variety of information, including
financial, student and health information. Violations of these laws
can result in significant regulatory fines, customer and vendor
lawsuits, and incalculable losses due to reputational harm, and loss
of trade secrets and other confidential information. While fines and
lawsuits can often be resolved by writing a check, rebuilding your
customers’ trust in your ability to safeguard their personal or
proprietary information after a breach is a difficult and arduous task
with no simple solution. Prevention is therefore key.

Proper employee training can help reduce the risk of a data breach and
the resulting legal liability and reputational harm. This article
provides five tips for employers to train employees on data management
best practices.

1. Ensure that employees properly manage passwords.

Electronically maintained confidential information and trade secrets
are often protected by little more than a password. Therefore, proper
password management is critical to any cybersecurity program. The
technical barriers to data access are only as good as the passwords
that unlock them. Employees should be required to use passwords of a
minimum length that are not reused across systems; current guidance
(NIST SP 800-63B, 2017) favors length and screening against known
breached passwords over mandatory upper/lowercase and special-character
rules, which tend to produce predictable variations of the same weak
password. Also, when possible, more sensitive information should be
protected by two-factor authentication. This type of login requires
the user not only to enter a password, but also to present a second
factor that an attacker does not hold, such as a one-time code from an
authenticator app or a hardware token; SMS or e-mail confirmation
codes are weaker second factors, but still better than a password
alone. This way, even if a password is compromised, access to the
system is still barred without the second factor.

The need for two-factor authentication is best demonstrated by the St.
Louis Cardinals hacking scandal. In that instance, an employee left
the Cardinals for the Houston Astros and in the process turned in his
team laptop, along with the passwords associated with it. Upon joining
the Astros, the employee used a password similar to the one he had used
with the Cardinals. A Cardinals employee was able to guess the "new"
Astros password and access the employee's emails and the Astros'
confidential scouting database. The Cardinals employee was caught and
sentenced to 46 months in prison. The Cardinals paid a $2 million fine
and forfeited draft picks. Two-factor authentication would very likely
have prevented this scenario: even with the guessed password, the
Cardinals employee would not have had the second factor needed to log
in.
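As an added illustration of the point above (this code is not part of the original article and is not from any of the organizations mentioned), the following standard-library Python shows what a time-based second factor does in the Cardinals scenario: the login checks the password first, then a TOTP code (RFC 6238) generated from a seed enrolled on the user's device, so a guessed password alone is refused. The user name, password, salt and credential store are constructed assumptions; the TOTP seed is the RFC 6238 reference secret so the codes can be checked against its published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo credential store (an assumption for this example, not a real system):
# one user with a salted PBKDF2 password hash and a TOTP seed enrolled on an authenticator app.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "scout": {
        "pw_hash": hash_password("Cardinals2015!"),
        # RFC 6238 reference secret, base32-encoded the way authenticator apps expect it.
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    comparing in constant time. Anything that is not ASCII digits is rejected outright."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def login(username: str, password: str, code: str, at: int) -> str:
    """Password first, then the second factor; a correct password alone never grants access."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return "denied"
    if not verify_totp(user["totp_secret"], code, at):
        return "denied: second factor missing or wrong"
    return "granted"


if __name__ == "__main__":
    now = int(time.time())
    secret = USERS["scout"]["totp_secret"]
    # Attacker who guessed the password but does not hold the enrolled device:
    print(login("scout", "Cardinals2015!", "123456", now))
    # Legitimate user presenting the device-generated code:
    print(login("scout", "Cardinals2015!", totp(secret, now), now))
```

The one-step window is the usual trade-off between tolerating clock drift and widening the guessing surface; a real deployment would also rate-limit attempts and refuse to accept a code that has already been used within its step.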

2. Track all portable devices used by company employees.

Portable devices such as mobile phones, tablets and laptops allow
employees to easily work from anywhere outside the office. This can be
a boon to productivity but also requires extra diligence on the part
of both the employee and the employer.

Company or customer information contained on a portable device must be
protected from threats outside the confines of the office. It is much
easier for someone to steal a laptop or intercept traffic on a wireless
network than to breach an internal database. For example, in 2014, a
company was assessed a fine of over $1.7 million under the Health
Insurance Portability and Accountability Act ("HIPAA") due to a stolen
laptop containing unencrypted health information. Similarly, in 2016, a
healthcare company in Illinois was fined $5.55 million under HIPAA for
numerous violations, including losing an unencrypted laptop with over
2,000 patient files. Full-disk encryption of those laptops would have
avoided these hefty fines: HIPAA treats properly encrypted data as
secured, so the loss of an encrypted device generally does not count
as a breach of unsecured health information. Note that two-factor
authentication, as discussed above, protects logins to a system; it
does nothing for data sitting unencrypted on a stolen disk, which is
why device encryption is the control that matters here.

Human resources or information technology ("IT") departments should
also train employees on best practices for connecting company devices
to wireless networks outside the office. Particular caution is
required when connecting to "Free Wi-Fi" hotspots that are not password
protected. Attackers can set up a rogue access point with the same
name as a legitimate hotspot, or simply sit on an open network, and
capture any traffic the device sends unencrypted; company devices
should therefore use a VPN or connect to corporate systems only over
encrypted (TLS) connections. Also, employers should develop and
implement policies that require employees to report the loss of a
portable device immediately to IT or management, so that the device can
be remotely wiped and its credentials revoked, minimizing any damage
from the loss or potential loss of confidential or customer data
contained on that device.

Finally, companies need to track the location and possession of
company devices and have policies for the collection of devices and
data stored on personal devices when employment terminates. Otherwise,
employees may attempt to steal data for a competitor of the company.
While federal and state trade secret laws provide remedies against
employee misappropriation of trade secrets, as a practical matter, it
is hard to prove theft of trade secrets from a company device when the
company has lost track of where the device is located. Also, without
established data management policies, it is difficult to retrieve
company information stored on a personal device from a terminated
employee. Absent a policy, agreed upon when the employee was hired,
that employee has ownership of the phone, which could make retrieving
the information extremely costly and difficult for the company.

3. Train employees to recognize phishing emails and other scams.

Companies should train employees on phishing and spear-phishing
emails, which are designed to manipulate the recipient into clicking a
link that delivers malware or leads to a fake login page that harvests
credentials, or into opening a malicious attachment. A generic phishing
email is often easy to spot, as it contains only broad content aimed at
millions of recipients. A spear-phishing email, on the other hand, uses
information specific to the recipient. One source of information that
attackers use to craft a spear-phishing email is the employee's social
media accounts. These accounts can be massive resources of
information, allowing someone to craft an email that appears
legitimate. Employees should be instructed on the benefits of managing
privacy settings on their social media accounts to limit access to
friends, family or people they know.

Employees should also be trained on how to handle any request for
transfer of electronic information or funds. A popular scam involves an
email that appears to come from a person high up in the organization
requesting copies of that year's W-2 tax forms; the display name is the
executive's, while the actual sending address or the Reply-To header
points somewhere else. Spear-phishing emails are often designed to make
employees respond quickly and without thinking: the subject line
creates the impression that an urgent reply is needed. Employees need
to be trained to confirm such a request through a separate channel
before acting on it, for example by calling the purported sender at a
number already on file or walking to their office, rather than replying
to the email or calling a number it supplies. This simple extra step
could prevent a loss of money or information that could expose a
company to liability from federal and state regulators, customers and
vendors.
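As an added example (not part of the original article, and not any vendor's product), the following standard-library Python turns the two warning signs described above into a triage check that a mail gateway or help-desk tool could run before a W-2 or wire request reaches the person who can act on it: a sender whose display name matches an executive but whose address or Reply-To is not the company's, combined with urgency language around payroll or payment data. The company domain, the executive directory, the keyword lists and both sample messages are constructed for the demo.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: the company's mail domain and a small directory of
# senior staff whose names are worth impersonating. Both are constructed, not real data.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "Pat Morgan": "pat.morgan@example.com",  # CEO
    "Lee Okafor": "lee.okafor@example.com",  # CFO
}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|before .{0,20}meeting)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2s?|wire|transfer|payroll|bank account|gift cards?|ssn)\b", re.I)


def triage(raw_message: str) -> dict:
    """Flag the two signals the scam relies on: a sender who looks like an executive but
    is not writing from the company's mail system, and urgent pressure for sensitive data."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_flags, content_flags = [], []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()  # a missing From ends up flagged as external
    if display_name in EXECUTIVES and address.lower() != EXECUTIVES[display_name]:
        sender_flags.append(f"display name '{display_name}' belongs to an executive but address is '{address}'")
    if domain != COMPANY_DOMAIN:
        sender_flags.append(f"sender domain '{domain}' is outside {COMPANY_DOMAIN}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address.lower():
        sender_flags.append(f"Reply-To '{reply_to}' diverts replies away from '{address}'")

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        content_flags.append("urgency language")
    if SENSITIVE.search(text):
        content_flags.append("request touches payroll/tax/payment data")

    return {
        "sender": sender_flags,
        "content": content_flags,
        # Hold = anomalous sender AND risky request; the recipient verifies out of band before acting.
        "hold_for_verification": bool(sender_flags and content_flags),
    }


# Constructed sample messages (not real traffic): a W-2 scam and a benign internal note.
SCAM = """\
From: Pat Morgan <pat.morgan@examp1e-mail.com>
Reply-To: pmorgan.ceo@webmail.example.net
To: hr@example.com
Subject: URGENT: need all 2016 W-2s today

Hi, I need PDF copies of every employee's W-2 before my 2pm meeting.
Send them to this address, I'm on my phone.
"""

LEGIT = """\
From: Pat Morgan <pat.morgan@example.com>
To: all@example.com
Subject: Lunch next Thursday

Pizza or tacos? Reply by Monday.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, triage(raw))
```

The check deliberately requires both a sender anomaly and a risky request before holding a message, which keeps routine external mail flowing. Its blind spot is the case the article's advice still covers: a genuinely compromised internal mailbox shows no sender anomaly at all, so the out-of-band confirmation call has to happen regardless of what the filter says.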

4. Train employees on the importance of specific categories of data.

Most employees understand that social security numbers and credit card
information are sensitive pieces of information that must be
protected. But employees may not be aware of regulations concerning
other types of information that your company may collect and the
importance of keeping such data safe. A company’s disclosure of
personally identifiable information could subject it to state privacy
breach notification laws. Indeed, forty-eight states have their own
breach notification laws, including Illinois, Indiana and Ohio.
Companies and their employees need to be cognizant of what these laws
require. Notably, the applicability of the notification laws is not
governed by where the company is located or has offices. Instead,
companies are subject to the laws of the states where the affected
individuals reside. Therefore, an Illinois company with customers in
California is subject to California's breach notification law, along
with that of any other state where its customers reside.

Further, federal laws such as HIPAA (health information), the
Gramm-Leach-Bliley Act (financial information) and the Family
Educational Rights and Privacy Act (student information) may also come
into play when certain types of information are involved. These
federal laws carry their own notification requirements and potential
penalties. With these numerous state and federal requirements,
employees need to be aware of the importance of the information with
which they are dealing and the laws that govern it.

5. Emphasize that cybersecurity is everyone’s responsibility.

Companies must stress the importance of data governance to every
employee in the company. It cannot be the sole responsibility of the
IT department to keep company data secure. Even the best IT department
practices can be undermined when employees fail to follow best
practices regarding data management. Employees must be trained to
understand the importance of data management to the company.
Disclosing electronic information could trigger data breach
notification procedures under state and federal law and cause severe
financial loss, as previously discussed, and incalculable reputational
damage to a company. Every employee needs to regard data governance as
a priority.


More information about the BreachExchange mailing list