Week #2—You Are Only As Strong As Your Weakest Link
According to the 2020 Internet Crime Report issued by the FBI’s Internet Crime Complaint Center (“IC3”), both the volume and the cost of cyber-crime rose sharply in 2020. Complaints received by IC3 increased 69% from 2019 to 2020, and reported losses in 2020 exceeded $4.1 billion. Experts attribute this increase to many factors. In this alert we focus on one: Bring Your Own Device (“BYOD”) policies.
Whether as an official policy or as a practice that evolved out of necessity, many law offices now allow employees to use their own personal laptops, cell phones and tablets to handle business tasks remotely. The practice is referred to as a Bring Your Own Device (or “BYOD”) policy, and it has real benefits for employees and employers. It also adds cybersecurity risk. The comfort of using a personal device tends to bring riskier behavior with it: reduced vigilance in spotting phishing messages, unsafe browsing habits, and installation of third-party apps from untrustworthy sources. In addition, home routers, personal laptops, cell phones and tablets are each an exposure point for malware, and the security of each depends on the employee’s technical competence and on whether its security settings and features are actually turned on. Unlike firm-owned equipment, these devices are usually outside the firm’s ability to patch, monitor or wipe. The collection of all of these exposure points makes up a firm’s cyber-attack surface. BYOD practices widen that attack surface and increase the risk that client data will be exposed, or that the firm will suffer a financial loss from a ransomware attack or a business email scam run through a compromised email account.
To best protect your practice from risks associated with BYOD practices, we offer the following recommendations:
- Establish a formal BYOD security policy.
- Train employees to recognize exposure points created through the use of personal devices and how to properly secure them.
- Limit and track personal devices used to access client data.
- Train employees on responsible use of mobile devices and safe website browsing habits.
- Require employees to enable the security features already built into their personal devices, including a strong password or passcode with automatic screen lock, full-disk encryption, and remote wipe in case of loss or theft. Require multi-factor authentication on the firm email and cloud accounts those devices reach, since a stolen password alone is the usual entry point for a business email scam.
- Require employees to update software and back up personal devices regularly.
- Prohibit employees from saving local copies of client data on personal devices. Consider firm-managed cloud-based storage, which keeps client data on systems the firm controls (with its own access controls, logging and backups) rather than on a device the firm cannot patch or wipe.
- Use a virtual private network (VPN) for remote access to firm systems, and require it for every connection from outside the office. Keep in mind that a VPN protects the connection, not the device; a personal device that is already infected will carry that infection into the firm network over the VPN, which is why the other recommendations above still matter.
The most important recommendations for protecting against the cybersecurity risks of a BYOD policy are to educate yourself and to train your staff. If you work with an IT vendor, ask whether the vendor offers cybersecurity training. If you do not have access to cybersecurity training through an existing vendor relationship, take advantage of the free training materials available online. OBLIC’s Cyber Toolbox is available exclusively to policyholders free of charge and contains ready-to-use training videos and written materials. The Cybersecurity & Infrastructure Security Agency (CISA) also provides educational resources on its website, including cyber games that test employee competence. CyberOhio, the State of Ohio’s collection of cybersecurity initiatives, also provides free resources and presentations online. Finally, see the advice on protecting personal devices and developing safe work-from-home habits published by The Ohio State University.
If you have any questions or need help navigating these resources, give us a call. We are happy to help.
Gretchen Mote, Esq.
Director of Loss Prevention
Monica Waller, Esq.
Senior Loss Prevention Counsel