Follow ACC Docket Online:  

5 Cybersecurity Tips Your Mother Taught You

In this digital age, cybersecurity is at the forefront of all business leaders’ concerns. With the new barrage of state data privacy laws, a cybersecurity breach can cost the business and lead to damaging legal action from consumers, vendors, and employees. As business leaders look for the hot new cybersecurity compliance checklist and guidelines, I found that the best advice for keeping a workplace cyber secure came from my mother.

Like many parents, my mother prefers the “old ways” of doing things. She prefers I call her or mail her a paper card instead of sending a text or email; she reminds me not to forget things and stop procrastinating. Below I will highlight some of her great motherly advice and how it can help your business with its cybersecurity goals.

1. Call — don’t text 

Not only should you call your mother more, but you might also want to call your colleagues more too. A lot of hackers use email phishing where they impersonate employees and vendors to gain the trust of your employees to perform monetary transfers. They can even go so far as acting as the CEO. 

Hacking someone’s email is low-hanging fruit and comes with a powerful punch of opportunity. In your email are loads of information about your company and about other companies’ relationship to you. Most business data and private information are discussed over email. Unauthorized access to any employee’s email has a high potential of value for a hacker. In this context, picking up the phone has advantages over the efficiency of email. 

For the most part, only the person(s) on the other end of the call knows what was discussed. Further, if a hacker were to impersonate you via email, a simple phone call referencing an email that was not actually sent by the actual employee would raise alarm bells. In fact, requiring both phone and email confirmations for certain transactions are a great way to beef up security without buying two-factor authentication software. 

Further, employees of national or international corporations work with so many people exclusively through electronic communications. In these instances, even if a hacker called to impersonate an employee, many of us do not even know that the actual employee’s voice sounds like. Giving trusted business partners and fellow employees a ring so that you can at least know the sound of their voice might be the cheapest cybersecurity action you take. While you’re at it, you might as well give your mother a call too; she misses you. 

2. Don’t forget (all of) your keys 

Other than I love you, don’t forget your keys were usually the last words my mother would say to me before I left for school. She would also go through a list of additional keys and security items I would need throughout the day and remind me not to forget those either. 

Like the keys to your car or your home, keys grant access while preventing unauthorized access. One way that we digitally keep keys is by encrypting certain documents. It may be worth the low investment to both digitally and physically encrypt important documents locking documents in a fire safe box and keeping them password protected on your computer.

With so many hackers lurking around cyberspace, arguably the old way is more secure than leaving documents in a password protected cloud. While keeping documents under lock and key restricts accessibility of important documents to local stakeholders, this also restricts accessibility from hackers sitting in their basement. Old style security measures may be your best bet for certain documents, especially if only a few stakeholders know that those copies even exist. 

Further, all proof of ownership documents may come in handy if a hacker suspends digital access. While you are scrambling to recover documents — and potentially access to property — it will come in handy knowing such proof of ownership does not solely live in the digital space that has been taken over by a thief hacker. But like my mother reminded me, don’t forget (or lose) your keys. 

3. Clean your room 

Like most moms, my mother was never happy to come home to find my room in a disorganized mess. You should feel the same disappointment for your company’s electronic filing system. Unless information is required by law to be stored and kept, throw it away. Our computers host hundreds of megabytes of unnecessary data and information about people and contacts that we will likely never use. Aside from legal holds and document retention laws, all other data and information should be deleted.  

Further, organize your information. When going through a forensic investigation, it is easier to create a list of the types of information at risk when you know exactly which drives contain what type of information. If your files and data are organized, your response to a potential hack will also be organized. You can quickly determine how serious the breach or incident is if you know what folders and software have been breached and what information is on it. 

Moreover, you don’t want a company breach to raise personal alarms because you also kept sensitive personal information on your company drives. It should be company policy that employees should not keep personal information on company property so that companies are not at risk for possessing sensitive information that is unrelated to business operations. So, make your mom proud and clean your (data) room. 

4. Don’t procrastinate 

I had a hard-working mother who was always on top of her tasks. She found my procrastination, especially when it came to my homework, inexcusable. Given the frequency of data breaches today, procrastination on creating and implementing data breach protocols is also inexcusable. When setting up a cybersecurity response plane, remember to finalize cybersecurity vendor agreements (insurance broker, lawyer, forensics team, etc.) ahead of time. 

Hiring a forensics team while under a cyber threat is stressful. Redlining the contract while every second counts after a breach is even more stressful. One way to mitigate this is to hire cybersecurity response team members on retainer. That way the related agreements and price have already been negotiated and you are not agreeing to egregious prices and terms because of time pressures. Remember, a cybersecurity breach is a “when,” not “if” situation, so procrastinating on getting your go-to vendors set up will haunt you. 

Another action not to procrastinate on is employee cybersecurity training. Employee trainings are still the best way to protect against data breaches. Procrastinating on getting your employees trained on how to spot a spoofed email or suspect links increases the probability that a low-skilled hacker will be able to penetrate your system. It only takes one link and a convincing “username and password” page to have your employees unwittingly give the hacker access to your systems. 

These hacks require low levels of skill but can cause high levels of damage. Do not wait until the last minute on training or assembling your cyber response team. Training and signing cybersecurity vendors on retainer will require some homework. But remember, not doing your homework is inexcusable. 

5. Watch the company you keep 

If you can’t tell by now, my mother was very attentive. Even when it came to my friend group, she always offered advice. In a business context, you are the company(ies) you keep. Using cheaper vendors to save money will allow vendors with less robust cybersecurity resources to handle your company’s personal information. 

The type of vendors and businesses your company interacts with may be the key to keeping sensitive information safe. Requesting the company’s cybersecurity policies before doing business with them might be a necessary step in forming and maintaining any business relationship. 

Further, when a breach occurs and lawsuits are filed, it will serve your position well to have a vendor cybersecurity policy showing your company’s attempts to keep the breached information safe, and only in respectable hands. Just like my mom told me, bad friends can lead you astray, and so can risky vendors and business relationships. Your data is only as safe as the companies you allow to handle it. 

Final word 

Creating a cybersecurity policy can seem overwhelming and technical. With some of the advice floating around, it may seem like you need an information technology degree to understand how to protect your company. However, by applying the above motherly advice to your company’s cybersecurity policy, you can more easily put your company at a lower risk for higher damages when a hacker attempts to attack your company. And seriously — call your mother.

About the Author

Dredeir RobertsDredeir Roberts serves as in-house counsel for a national design-build firm Core States Group where she drafts and negotiates contracts for the day-to-day design-build process. She has a passion for helping business professionals navigate the murky areas of the law so that they can quickly get back to doing what they do best — work.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.