On 6 June 2012, the business social networking site LinkedIn reported that cyber attackers stole the login information of 6.5 million users. This number later climbed to 117 million. Among those usernames and passwords was a Dropbox employee. In a perfect world, this story ends with the Dropbox employee changing their LinkedIn password. No harm, no foul. This is not that story...
On 1 August 2012, news broke that Dropbox was hacked. The Dropbox employee used the same password for both LinkedIn and Dropbox. When the attackers accessed that employee's cloud drive account, they downloaded files that included 68 million Dropbox usernames and passwords.
The Dropbox breach highlights a bigger problem than employees ignoring password policies and even storing confidential information inappropriately. As users, we all treat our cloud drives like physical hard drives. We don't stop and ask ourselves is this file secure. We save it to a folder on our computer and then enjoy the convenience of accessing it across all of our devices. We ignore that is transmitted to a Web server, often one beyond our control. We forget that our files may not actually exist on any hard drive that we own.
Now, think about what information you store on your business's computers and devices. How many files detail trade secrets? Do your invoices include confidential client information like names, addresses, and phone numbers? How does HR store employee information such as identification numbers, bank account information, and performance reviews?
To put this in perspective, in 2018 a single stolen confidential record cost the company $148 on average worldwide, up 4.8% from 2017. That's across all industries. For the healthcare industry, the average cost was $408. In the financial services industry, a single stolen record cost $206 on average.
Now, multiply those averages by your total number of clients, your total number of employees, and the number of clients and employees affiliated with any subsidiary companies. Does that number scare you?
By all accounts, the 2012 Dropbox breach was not catastrophic. The breach of confidentiality ended with Dropbox. It didn't snowball to include confidential files owned by other businesses that were stored on Dropbox. We won't get that lucky again.
Unfortunately, outside service providers and cyber attackers are not the only causes for breaches of confidentiality. Your employees and contractors, including freelancers, are other potential sources.
For example, in 2015 Carilion Clinic terminated multiple employees after they accessed high-profile patient medical records "without a legitimate patient-care need." They're not alone. According to Verizon's Protected Health Information Data Breach Report, 58% of all breaches of confidentiality in the healthcare industry involve insiders.
By following these encrypted messaging best practices, you can prevent confidentiality breaches whether they originate internally, from a service provider, or from cyber attackers targeting your organization and minimize the risks associated with confidentiality breaches.
List out all information collected from clients and employees, business practices, and trade secrets. Divide it into two categories: information protected by law and information crucial to your business operations.
For instance, usernames and passwords, client mailing addresses, and employee phone numbers all fall under the first category. As a rule, you treat any information that people give you is confidential even if it's not required by law because this protects your reputation and helps ensure compliance with data protection.
The strategy for your company's planned expansion into the Chinese market belongs in the second category. By treating your business practices and trade secrets is confidential, you protect your future profits.
Using your company's list of confidential information, craft a confidentiality policy that details what data your company considers confidential and the procedures employees must follow to protect this information. Keep the language plain and focus on simple steps.
Remember, your employees do not care about your company's obligations under Article 25 of the GDPR. All they care about is what and how.
Restricting access to confidential information limits the damage that individual employees can cause by leaking sensitive information. For instance, some healthcare organizations only allow physicians unrestricted records access for their current patients.
Here's the catch. With confidential information, there is a fine line between too little and too much. At times, an employee may need to access sensitive information that your confidentiality policy indicates should not be available to them. When you place these access controls, you must also create procedures for your employees to access information from another department or that's above their pay grade. These procedures should ask why the employee needs the information and include a time limit for the response and an appeals process.
As a general rule, if you can pick it up in your hand like a tablet, cell phone, laptop, it must be encrypted. Cloud storage must include end-to-end encryption with at rest encryption.
In practical terms, you cannot enforce a security policy that prohibits employees from using public Wi-Fi networks, especially if you allow them to bring their own device. Instead, educate your employees about the dangers of not considering data protection and privacy, and don't forget to include horror stories. DarkHotel and the Evil Twin attack are particularly effective.
Within your network, enact security policies that disallow the reuse of old passwords and enforce organization-wide periodic password resets that conform to your password policy.
Your employees will hate this. Why should they replace their tried-and-true password that combines their eldest child's birth date and their dog's name with one they can't remember? Teach them.
Use the 2012 LinkedIn-Dropbox debacle to illustrate the dangers of using the same password for multiple services. Then ask them what if the stolen password also linked to their Amazon account. A thief logs into their Amazon account and sends himself a €500 gift card paid for with their hard-earned money. Make the consequences personal for them, not your company.
Use this opportunity to encourage them to turn on two-factor authentication for their personal accounts.
Although you can tell your employees that they shouldn’t reuse their company password for personal accounts, you can't enforce this policy. Enabling multifactor authentication protects your company from a repeat of the 2012 LinkedIn-Dropbox attacks by placing an additional layer between the cyber attacker and your employee accounts.
Internally, we use Adeya's secure containers feature in combination with our confidential information definitions and confidentiality policies, which include nondisclosure agreements.
The secure container is our answer to cloud storage. It includes file hosting and file sharing and allows defined working groups, which make day-to-day project management easier
From a technical standpoint, the secure container utilizes end-to-end military-grade (AES-256) encryption with both in transit and at rest encryption. Our organization's installation also requires multifactor authentication, which we strongly encourage.
To find out more about Adeya's Secure Container, how it can replace less secure cloud storage solutions, and how it's integrated with our communications and collaboration suite, contact us.