Cybersecurity in the Workplace

Transcription

1 Cybersecurity in the Workplace Stephanie K. Rawitt, Esq. Jonathan D. Klein, Esq. ARIZONA CALIFORNIA DELAWARE ILLINOIS MICHIGAN NEVADA NEW JERSEY PENNSYLVANIA WASHINGTON D.C. WEST VIRGINIA IRELAND

2 Fun Fact: The #1 greatest cyber threat to your business is your very own employees. 2

3 Anatomy of an Employee Threat 3

4 The Most Dangerous Employees The Innocent Employee: An employee who makes an honest mistake during the course of his or her employment at your business, but nonetheless makes a mistake that could still have dyer consequences for your business. The Careless Employee: An employee who knows what should be done to protect your business yet does not take action, potentially causing harm. The Malicious Employee: An employee who, despite training and institutional policies in place at your business, knowingly and intentionally takes adverse action to harm your business for an illicit reason. 4

5 Key Security Questions Have you performed a risk assessment of your business? Do you have the appropriate policies/plans in place? Do you have an actionable incident response plan? Have you trained your employees lately on cybersecurity? Have you updated your privacy policy? Do you have a recent terms & conditions on your site? Would you consider your business security aware? If you answered NO to any of these, why is that? 5

6 Security Is a Team Effort Management Information Technology (IT) Staff Human Resources (HR) Staff Employees 6

7 What Does Risk Assessment Mean? Step 1: Identity Information Assets (data, software, hardware, appliances, infrastructure) Step 2: Classify Information Assets Step 3: Identify Security Requirements (statutes/regulations, contracts, common law, business needs) Step 4: Identify Risks 7

8 What Policies Should You Consider? Non-Compete/Non-Solicitation Policies Cybersecurity Employment Policy Employee Social Media Policy Computer-Issued Technology Equipment Policies Employee Privacy Rights Workplace Computer Policy Employee Exit Protocol Cybersecurity Incident Response Plan Privacy Policy/Terms of Use 8

9 Non-Compete/Non-Solicitation Policies Allows you to hire, contract, and otherwise operate your business without fear that business knowledge and advantages will soon be used against business! Provides a degree of protection for your business related to employees; Trade secrets and confidential information are protected; Prevents the following illicit actions by current and former employees: Going to work in a similar role for a competitor; Contacting your customers; and Using confidential information about you/your customers after they leave. 9

10 Cybersecurity Employment Policy Applies to all employees, contractors, volunteers, etc. who has permanent or even temporary access to your business systems and hardware; Emphasizes the importance of cybersecurity (including risks); Should outline effective password management; Describes phishing s and scams employees may experience; Helps employees understand how to protect sensitive information; Highlights security protocols when not using business hardware; Outlines what to do if business hardware is lost or stolen; and Explains to employees to use common sense and take an active role in security. 10

11 Employee Social Media Policy It is important for your business to keep track of what employees are doing, especially on issues that pertain to the workplace! Outlines how your employees should conduct themselves online; Helps safeguard business reputation while encouraging responsible online use; Should be considered a living document as social media changes fast; Defends against legal trouble and security risks; Empowers employees to share your business message to the public; Creates consistency across social media platforms; and Focus on the big picture so as to stay current with social media trends. 11

12 Computer-Based Equipment Policy Applies to any technology provided by your business to an employee; Should set out guidelines for approved use; Should outline security risks and rules related thereto/expectations; Should identify prohibited use (careful not to run afoul of the NLRB); Should remind employees that equipment is that of the business and clarify privacy expectations or lack thereof; Security login procedures/process; Even not a cyber issue, address off the clock policies; and Discipline for violations.

13 Employee Privacy Rights Policy Comprehensive, state-dependent written policies can defeat employee s expectation of privacy when it comes to the use of workplace technology; Reiterates that employees have no expectation of privacy in connection with data stored in or transmitted via computer, , phones, cell phones; Discusses that your business, as the employer, have the right to monitor any work-issued device (e.g., workplace computer, laptop, cell phone); Highlights that your business, as the employer, may monitor sites depending on content/subject-matter of site visited on work technology; and Notes that your business, as the employer, has the ability to, and can, monitor incoming and outgoing phone calls placed on work-issued technology. 13

14 Workplace Computer Policy Considers Internet usage, site management, and website blockage; Policy limits computer use to work-related activities; Applies universally to all employees (unless express permission granted); Discusses employee privacy rights (as noted previously) or lack thereof; Outlines before or after work, lunchtime, and other off-the-clock issues; and Reiterates procedures for employee exist and post-employment issues. 14

15 Employee Exit Protocol Outlines procedures when an employee resigns/is terminated; Should include, but is not limited to, the following: Knowledge transfer meeting; Procedure to collecting workplace items; Outlines transition period and plan; Highlights requirements on last day of employment Contains checklist for ensuring all business information protected; Reviews information for exiting employee; and Discusses preservation of employee electronic data. 15

16 Cybersecurity Incident Response Plan Preparing for WHEN your business may experience a cyber-related breach and/or incident, not IF your business may be breached. Words to Live by: Identify & Protect + Detect, Respond & Recover 16

17 Privacy Policies Essentially a consumer notice on your business website; Provides details about business procedures related to information collection; Drafted by lawyers, made for laypersons visiting your business website; Requires consultation between business/lawyers; NO ONE SIZE FITS ALL must be tailored to your business; Should contain information demonstrating regulatory compliance; Must be published conspicuously on your business website; and Periodic review and updating of privacy policy is the norm. 17

18 Terms of Use/Terms & Conditions Essentially a contract between your business and a visitor to the site; Sets the rules for any person visiting your business website to follow; Contains prohibited activities for any person visiting your business website; Even though may not be required, a smart page to have on your website; Can limit liability, set governing law, even set arbitration v. litigation; Contains notice provisions for copyright infringement, legal action, etc.; Protects your right to the content on your business website; NO ONE SIZE FITS ALL must be tailored to your business; and Periodic review and updating of terms is the norm. 18

19 19 Cybersecurity Insurance Even with appropriate protections and tools in place, your business should still consider cybersecurity insurance as a fail safe to protect your business from cyber risks. Some basics about cybersecurity insurance: Standalone coverage usually; Helps business recover faster from data loss; Transfers some of financial risk of security breach; Investigate current coverage before you apply; and Know the limitations of your coverage (likely will not cover theft of IP). 19

20 Cybersecurity Exercise Consider the following scenario: Your business has a network engineer or IT professional (as the case may be) in his mid-50s who you have decided to fire for cause. Somehow (and unrelated to this exercise), the network engineer or IT professional finds out that he is going to be imminently fired and decides to reset your business servers to their factory settings. What policies should govern the employee s actions? What do you do now?

21 QUESTIONS? Stephanie K. Rawitt Jonathan D. Klein