It seems that hardly a day goes by without a cyber security story hitting the press. The focus is now on the government and its preparedness to deal with potential threats, writes Neeraj Thomas.
The Commons Public Accounts Committee said UK cabinet ministers had taken too long and were still not full equipped to deal with the very real threat of cyber security risks. In a damning summary of the Cabinet Office’s approach to such risks the Chair of the Committee, Labour MP Meg Hiller said:
“Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks. In this context, it should concern us all that the government is struggling to ensure its security profession has the skills it needs.”
However, others state that the report is not entirely fair. For example, Prof Alan Woodward, a computer security expert from the University of Surrey, said:
“Could we say that we are cyber-bomb proof? Probably not, but I’m not sure anyone could. But we are getting better, and the government is taking strides to get its own house in order.”
Most interestingly from my perspective as a solicitor regularly advising clients on cyber security risks, how to prevent them and what to do in the event that they occur, Prof Woodward stated:
“The weakest link in any cybersecurity clampdown remained people. There are still people who copy things they shouldn’t on to laptops or people who decide to connect a nuclear power station to the internet.”
This comment that really jumped out at me. I would entirely agree with Prof. Woodward’s view here. Our practice has seen a significant rise in instructions concerning client’s employees or contractors who copy things they shouldn’t onto a laptop, or email confidential information from their work email account to their personal email account. The risks of such activity are obvious – once confidential information is no longer stored on a company’s secure network, the possibility of its misuse are significantly higher. Whether saved on a “cloud” or within an individual’s email account once it is “out there” the company has no control over who might access such confidential information and where it might ultimately end up.
We are often brought in to advise on urgent issues once the confidential information has left our client’s network but in all cases prevention is better than cure. To go back to Prof Woodwards’ comments, how do we advise clients to try and mitigate the risks of their “weakest link”? There are a number of things which companies can do in this regard:
Implement categorisation of documents – for example ensuring that if certain categories of sensitive information are sent out with a company’s server, a “flag” is raised with IT who can then investigate whether or not such activity was proper.
Ensure company laptops are provided with VPN access – an excuse we often hear from rogue employees/contractors is that they sent emails to their personal email account so that they could “work from home”. Providing all staff with a secure means of “logging on” when working remotely should mean nobody has to use their personal email accounts for work purposes.
Prevent non-company devices from being used with company computers/laptops – rather than emailing documents/information to themselves we are often faced with a situation when an employee/contractor has connected a USB storage device to their work computer and removed confidential information that way. Our advice is always that non company issued storage devices (including mobile phones etc) should not be capable of being connected to company computers/laptops.
Implement effective written policies and maintain staff awareness of their significance -whilst most companies do have policies in place, we often find that staff awareness of these issues is not as high as it should be. Regular training sessions can promote awareness of the risks of misusing confidential information.
Avoid Bring Your Own Device working – ensuring that only company devices can be used on company Wi-Fi and logging into a secure network will prevent staff from easily being able to upload confidential information to their personal devices.
Whilst I am realistic enough to know that we will never eliminate cyber security risks, implementing some of the steps outlined above will at least mitigate those risks and may prevent some of the more “innocent” cases of misuse of confidential information. In so doing the company’s resources can be focussed on where they are really needed.
- Neeraj Thomas is a senior associate at Burness Paull.