Yesterday I delivered a keynote presentation on the critically important topic of Security & Privacy at the Association of Legal Technologists Ctrl ALT Del 2019 Conference in sunny Scottsdale, Arizona. As a huge baseball fan I unfortunately just missed the opening of Spring Training in the Arizona Cactus League.
My primary message point was that in our world of rapid technology advancement that has generated and will continue to generate massive amounts of data, data privacy and data security are the big issues of our time in the technology space – especially as cybercriminals become more sophisticated, bolder and also include some nation-states. Every company is increasing transforming into a data company and in order for all organizations to continue to earn trust with their clients and customers, we all need to be even more laser focused on data privacy and data security.
During my keynote I highlighted these “Top 20” cybersecurity best practices for ALL organizations to embrace – regardless of their size or industry:
- Set the “Tone at the Top” for Cybersecurity: Senior leaders in all organizations need to appreciate, understand and embrace the importance of privacy and security in our data-first world so that they and their organizations can make the appropriate cybersecurity investments.
- Get Help: As the data privacy and security landscape continues to change and grow more complex, don’t be shy in seeking out the assistance of subject matter experts.
- Conduct a Cybersecurity Audit: If you haven’t already done so, consider having a highly reputable cybersecurity expert conduct an audit on your organization’s technology infrastructure to help identify security gaps and areas for potential vulnerabilities.
- Focus on Data Classification: Be sure to clearly understand, classify and conduct an inventory of your organization’s different data types.
- Develop Thoughtful Written Information Security Policies (WISPs): Develop meaningful and easy to understand WISPs for your organization – and make sure you follow them.
- Employees & Data Access: Carefully consider which employees need to have access to certain types of more sensitive data and when they exit your organization be sure to immediately shut off their access to your company’s network and data.
- Conduct Cybersecurity Training: Periodically deliver meaningful privacy and security training to your employees either in-person or online – but make it interesting to capture their attention.
- Transparency: Be very proactive in communicating to your customers the specific steps that your organization takes to protect data. As an example at Microsoft we embrace this type of transparency via the Microsoft Trust Center.
- Use Strong Passwords: It seems like we live in a password world. Make sure to avoid reusing old passwords, generate strong passwords, consider using a password manager and as technology continues to advance, we will increasing become passwords free as passwords will probably become a relic from the past.
- Embrace Multi-Factor Authentication (“MFA”): Many cybersecurity experts agree that simply using MFA or two-factor authentication practices can go a long way to preventing cyber-related intrusions.
- Be Careful of Phishing Attacks: Be wary of emails from financial institutions, social media sites, etc…that seem legitimate, but upon closer inspection are imposter emails that seek private information from you and which may contain malware. Microsoft Office 365 Advanced Threat Protection provides protection against phishing attempts.
- Download Security Updates: Don’t ignore installing the latest versions of technology solutions that may contain more robust data security protections.
- Work with Hyperscale and Trusted Cloud Services Providers: Generally speaking, large, hyperscale and trustworthy cloud services providers that operate state-of-the-art and highly secured data centers can do a much better job at protecting data than organizations who seek to secure data via their own servers in a traditional “on-premises” computing environment.
- Conduct Careful Evaluations of Technology Providers: It’s always important to conduct thorough due diligence on the privacy and security practices of any technology provider, vendor or third party that may have access to your data.
- Be Social & Secure: We are all spending a greater part of our day using social media so please be sure more to be cyber smart when using Twitter, LinkedIn, Facebook, etc….as social media is a key vector for cybercriminals.
- Be Cyber Aware in Public: Leading technology increasingly enables many of us to work remotely, but when you use public WiFi, always be sure to use a Virtual Private Network (VPN) and be careful not to disclose confidential information in public places.
- Develop Your Incident Response Plans: Build a clear playbook for what to do in case your organization suffers a significant data loss incident and stress test that response plan like a fire drill.
- Consider Acquiring Cybersecurity Insurance: Another risk-mitigation technique is to acquire cybersecurity insurance from a reputable provider – but please be sure to clearly understand the scope and limitations of any such insurance.
- Careful Emails & Texts: Unfortunately our digital worlds may eventually be compromised at some point in time so always, always be careful with the contents of your emails and texts and assume they could one day appear on the front page of The New York Times.
- Learn from Others: Embrace a “growth mindset” mentality in this area by understanding the lessons from companies that have endured significant data loss incidents and learn from organizations like the International Association of Privacy Professionals (IAPP), the Cloud Security Alliance, the National Cyber Security Alliance and the Microsoft Secure Blog.
All in-house counsel have a tremendous opportunity to help their organizations earn more trust with their customers by actively encouraging their organizations to embrace leading privacy and security practices. Also a big thanks to Legaltech News for publishing an article about my keynote.