This is the fourth in a series of posts in honor of National Cybersecurity Awareness Month. Each day this week, we’re sharing a practical cybersecurity tip for small businesses.
Cybersecurity attacks might conjure up images of hackers in hoodies clacking away in the shadows, but did you know that your own employees pose as great a security threat, if not a greater one? According to CA Technologies’ 2018 Insider Threat Report, 66% of the organizations surveyed consider malicious insider attacks or accidental breaches more likely than external attacks. A 2018 Ponemon Institute report found that of the 3,269 insider incidents it evaluated, 64% were related to negligence, 23% resulted from a criminal or malicious insider, and 13% resulted from stolen credentials. Findings like these raise the question: Does everyone in your organization really need access to all your data?
Probably not. Employees should have the information they need to do their job, of course. But granting unlimited access to information is dangerous. Employees need not even have malicious intent to pose a threat. If an employee’s credentials are compromised, all the data to which the employee has access rights is at risk.
A similar risk applies to third-party contractors with access to company data (web developers, freelancers, bookkeepers, outsourced HR administration services, etc.). Contractors should have no more access to information systems than necessary to perform their scope of work. Some mistakenly believe a non-disclosure agreement is a substitute for limitations on access. An NDA could provide you a remedy if a contractor misuses company information, but it isn’t as effective as access controls in preventing information from falling into the wrong hands.
Limiting access to data has another benefit. If you want to claim that certain information is protected as a trade secret (note that trade secrets are often the subjects of NDAs), you’ll have to demonstrate that you took precautions to keep the information secret. As an example, the definition of “trade secret” in Hawaii’s trade secret protection law requires a showing that the information at issue “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Similarly, technical limitations to access may be necessary to enforce claims under the Computer Fraud and Abuse Act (CFAA), as the Ninth Circuit Court of Appeals ruled in a
Access controls should be one of the considerations in structuring and organizing your data systems. A well thought out system segregates data so that granting access isn’t an all-or-nothing proposition. “Internal gatekeeping” of data goes a long way toward preventing loss from cybersecurity incidents.
The post Cybersecurity For Small Businesses Tip #4 – Stand Guard (Control Access) appeared first on LegalTXTS – A Luminate Law Blog.