Over the past few weeks I’ve had the opportunity to speak to several groups. I typically speak on much the same content as is in these posts since it’s what I’ve been doing for so many years; digital forensics, where data resides, what to do when an employee leaves and you think they took your data, etc. Something that continually comes up is the issue of “cyber”, as in “is your computer forensics investigation part of the cyber threat?” or “what is the best software to protect us from cyber issues and does it help with people stealing our information?” Granted, these questions are typically posed at the beginning of a talk before I get into the relationship between cyber and forensics but they speak volumes to me as to what the typical layperson (to include business owners and lawyers) thinks when they hear security, theft, computer and/or cyber in the same breath.
We’re bombarded with constant talk of cyber threats, hacking and database breaches in general and particularly in the media. As evidenced in my talks with different groups, most folks don’t really know what to do with such information other than to be freaked out. I don’t hold myself out to be specifically a cyber security expert, I’m more of an investigator. Having said that, they are related in terms of data theft and cyber breaches since in general, when a breach occurs, data is stolen. And given that I consult with many types of businesses, both pre and post data theft (typically by insiders who already have access!), I am able to speak on this topic and have come up with some perspective on it all. Since I discover the means that data is oftentimes ex-filtrated, on the flip side I can work to find ways to minimize that data leaving to begin with. Having said all that, the first thing I typically tell people is to strip away the cyber moniker and just look at it as data theft. When many hear cyber they think crazy complex IT stuff that they are powerless to do anything with. On the other hand, someone in a discussion once actually said it reminded them of some sort of new drug. Image that, from the makers of Viagra comes Cyber! Seriously though, I find the takeaway from most folks when they hear about the latest cyber incident is “Well, there’s not much I can do about that”, and that’s the wrong takeaway. While there are a ton of qualified cyber security experts out there, there are equally as many that are not, quite honestly. It’s almost as if cyber security is the new gold rush. As a consequence, I run across or have folks come to me after having crossed paths with a number of these less than qualified “experts” that are either more bewildered after talking to them (perhaps intentionally) or just unable to grasp the value of proactive security of their data which obviously should include the “cyber” aspect as well. I put the quotes there on cyber intentionally. If your computer is connected to the internet suddenly the threat is “cyber.” That’s why I say it’s easier and in my opinion best to strip the cyber tag. When you do that, and realize that the biggest threat and most easily defended against aspect of data security is protecting against those that already have access to your data, you can start to grasp the threat and look at it holistically. And when you look at it that way, all you have to do is review the previous posts here. The cheat sheet to protecting yourself from data loss or data theft is to first and foremost minimize access to the data. What that means from a business perspective is that folks only have access to data that they need. In conjunction with that is ensuring that you have data protection agreements that stipulate the data they work on is yours (thus they have no ownership). You’ve paid them to work on it; that was their compensation, they don’t get to take the work product. Another important aspect of an agreement should be the prohibition of bringing in any data that came from a previous employer. Why? If they’ve come to you from a competitor (which happens frequently), the last thing you need is to be accused of having that competitor’s intellectual property and drug into a lawsuit with your new employee.
Shifting back to the “cyber” or connected aspect of our concern, if your system(s) are connected to the internet, and whose aren’t, then yes you have to be concerned. But the reality is not really any more than you already should be for your data in general. Whether that’s your company’s trade secret information that’s stored on centrally located servers for your employees to access or your kids’ digital photos since they were born. Both are painful to lose or have others take advantage of. Rather than go on a rant, I’ll make a final point about our data in general. If you use a computer or some sort of computing device (like a smartphone) and have access to confidential or sensitive data (who doesn’t in some fashion) then you have to be smart about using the device. Everyone wants to know what the best software be it antivirus or anti malware is to keep them protected. The fact is there will probably never be any software you can install on a device to keep you completely safe. The question shouldn’t be what software can I install but more over what can I do (or not do) to best protect data. That’s where being smart about using the device or computer part comes into play. I think training to recognize that and to know what and what not to do are more important that software. We’ll go into some of those aspects with training in future posts.