By Ronald Raether, Jr., Esq., CIPP
Faruki Ireland & Cox P.L.L.
In my experience, generally, the biggest threat to a company’s cyber security is employees. I’ve noticed that people in my firm and people employed by my clients are all going out on Facebook—and we all know about the threats that Facebook and others like it can present. So, it’s a big issue that we’re struggling with, finding that balance between having good policies in place and realizing that employees are going to go out on these sites.
Another reason I say employees are a big weakness has to do with social engineering. Unlike forensic testing, the way to address these issues is to train your employees on how to avoid security attacks. For example, Customer Service Reps (CSRs) are trained to be helpful. It’s very easy to manipulate a CSR to provide a password or to reset a password and send it to an email address that’s not associated with the account. If I’m a hacker, I may have to call 10 people before I find the CSR that’s willing to circumvent the policies because they want to be helpful to me.
Another challenge for a company’s security has to do with portability, especially when dealing with laptops, phones and other portable devices. Portability is a very serious issue, especially when it comes to employees. Most organizations issue plenty of laptops, but how many organizations have asset controls in place? Do these companies know where those laptops are? How about when they’re decommissioned—do they know whether they’ve been properly wiped?
There are a lot of issues with laptops, but a commonly overlooked concern comes up when the employee takes their laptop home and their children get on it and access the Internet. Children don’t have a concept of what is and what isn’t secure on the Internet, and they most definitely didn’t sit in on their parent’s company’s security training.
Ronald I. Raether, Jr., Esq., CIPP, is a partner at Faruki Ireland & Cox. Ron’s broad experience with technology-related issues brings a unique and important perspective to successfully resolving disputes and developing creative compliance programs that blend well with existing business practices. These technology-related matters have spanned a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes. When tackling new matters, this broad experience brings valuable insight not often available from attorneys that focus on a single area of the law. One recent example is Ron’s defense against claims that a company infringed a business-method patent in the wake of the Supreme Court’s decision in Bilski. Ron’s trial experience, including an arbitration in New York City where Ron successfully defended a computer performance dispute for a major provider of computer systems, assures that the plan developed always has the ultimate goal in mind – success.