Secure Information Sharing Practices for Professionals

An editor at The Atlantic was accidentally added to a high-level Signal group chat where Trump administration officials were planning military strikes in Yemen. Yes, you read that right. A journalist, in a chat with top government officials, while they were actively discussing where and when to launch missiles. It's an appalling breach of national security. It’s also a teachable moment for employers. If the highest of federal officials can accidentally include a reporter in a thread outlining imminent military action, your company's employees can accidentally include the wrong person in a message about a client, a deal, a product launch, or a sensitive HR issue. This is your reminder to: ‣ Audit your internal communication tools. Who has access to what, and why? ‣ Train employees to think before they type. Not everything needs to be shared via chat, and definitely not in group messages with unclear boundaries. ‣ Define acceptable platforms. Personal WhatsApp groups aren't secure. Neither are random Slack DMs or rogue Teams channels. ‣ Limit use of informal tools for formal business. If it needs to be preserved, secured, or privileged, it shouldn't live in a disappearing message or outside of your network. And if you don't already have a digital communication policy, here are a few essentials: 1. Specify approved platforms for internal and external comms. 2. Define levels of confidentiality and how/where each type of info can be shared. 3. Address personal device usage (BYOD) and security requirements. 4. Outline consequences for noncompliance. 5. Make it real. Don't just write the policy—train on it, talk about it, and revisit it regularly. Because in today's digital world, one accidental message could be all it takes to destroy trade secret protections, create legal liability, or land your company on the front page.

Top 15 Non-Negotiables in Third-Party Risk Management Working with vendors, suppliers, and partners is essential in today’s interconnected world. Below are 15 non-negotiable elements that every organization should prioritize in its third-party risk management program. 1. Clear Information Security Policies: Require all vendors to follow documented security guidelines that align with your company’s standards and industry regulations. 2. Robust Access Controls: Limit vendor access to the minimum necessary. Regularly review and revoke permissions when no longer needed, ensuring no lingering “back doors.” 3. Multi-Factor Authentication (MFA): Enforce MFA for all vendor accounts to prevent unauthorized access even if passwords are compromised. 4. Encryption of Sensitive Data: Insist on strong encryption measures for data both at rest and in transit to protect information from interception or theft. 5. Network Segmentation: Isolate third-party connections from critical systems. Segmented networks reduce the scope of potential damage if one segment is breached. 6. Regular Security Assessments: Conduct ongoing risk evaluations and audits of vendors’ security measures. Identifying weak spots early prevents larger issues later. 7. Incident Response Planning and Coordination: Have a clear, tested incident response plan that includes vendors. Everyone should know their role and how to communicate quickly in a crisis. 8. Timely Patch and Vulnerability Management: Require vendors to keep software up-to-date. Prompt patching of known vulnerabilities reduces the attack surface. 9. Vendor Training and Awareness: Expect your suppliers to educate their teams on security best practices, from spotting phishing attempts to following proper data handling procedures. 10. Regular Compliance Checks: Ensure that vendors meet relevant legal and regulatory requirements, maintaining a record of certifications, audits, and adherence to standards. 11. Secure Communication Channels: Use encrypted and authenticated methods for sharing information. Avoid unsecured channels that can expose sensitive data. 12. Business Continuity and Disaster Recovery (BC/DR) Plans: Confirm that vendors have robust BC/DR strategies. A strong plan ensures that operations can continue or recover quickly after a disruptive event. 13. Data Minimization and Retention Policies: Limit the amount of data vendors access or store. The less data exposed, the lower the risk if a breach occurs. 14. Periodic Contract Reviews and Updates: Review vendor contracts to ensure they reflect current security standards, responsibilities, and expectations. Update them as the threat landscape evolves. 15. Supply Chain Transparency: Demand visibility into vendor subcontractors and their security practices. Understanding the full supply chain helps identify hidden risks.

As lawyers, confidentiality isn’t just important—it’s foundational. Yet as we increasingly integrate generative AI and other tech tools into our practice, maintaining that confidentiality demands attention. Let’s walk through exactly what you need to know to keep client data secure, even as you harness powerful new technologies. 1️⃣ Know Where Your Data Goes Before using any AI-powered tool, clarify how your data is stored, who can access it, and whether it’s shared with third-party services. 2️⃣ Evaluate Data Security Practices Robust data security is non-negotiable. Always verify a vendor’s data security certifications, encryption standards, and access controls. 3️⃣ Limit and Control Your Data Inputs Use only the data you truly need to provide. The more data you input, the higher the confidentiality risk. 4️⃣ Use Built-in Privacy Controls Many reputable AI tools offer privacy modes or confidential environments that ensure your inputs won’t be used for model training or seen by unauthorized personnel. 5️⃣ Regularly Audit and Review Integrating technology is never a “set it and forget it” scenario. Regularly review and audit your chosen tools and their privacy compliance. - I’m Joe Regalia, a law professor and legal writing trainer. Follow me and tap the 🔔 so you won't miss any posts.

𝗕𝗮𝗹𝗮𝗻𝗰𝗶𝗻𝗴 𝗖𝗼𝗹𝗹𝗮𝗯𝗼𝗿𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻 𝗦𝗮𝗮𝗦 𝗘𝗻𝘃𝗶𝗿𝗼𝗻𝗺𝗲𝗻𝘁𝘀: 𝗧𝗶𝗽𝘀 𝗳𝗼𝗿 𝗦𝘁𝗮𝗿𝘁𝘂𝗽𝘀 𝗳𝗿𝗼𝗺 𝗮 𝗙𝗿𝗮𝗰𝘁𝗶𝗼𝗻𝗮𝗹 𝗖𝗜𝗢 As a fractional CIO working with early-stage companies, I often see well-intentioned employees sharing files and resources through public links on SaaS platforms like Google Drive, Miro, and GitHub. The impulse to collaborate and be open is understandable, but unchecked sharing can compromise your company's security. A recent survey found that 58% of SaaS security incidents involved data leakage through public links. Attackers can exploit these open resources to steal proprietary code, access secret keys and credentials, join your video meetings, and more. Employees who have left your company may retain access if links are broadly shared. So, how can we balance the benefits of collaboration with the need for security? Here are a few best practices I recommend to clients: 🔶 Share files with individual users rather than "anyone with the link" whenever possible. This maintains accountability. 🔶 Set expiration dates on shared files and invitations so access eventually expires. 🔶 Remove share permissions from inactive files and projects. Don't let access linger forever. 🔶 Invest in a SaaS security tool to identify public links across your systems. You can't secure what you can't see. 🔶 Educate employees on sharing risks and encourage selective, purposeful sharing. Collaboration doesn't mean everything must be public. With some thoughtful policies and the right tools, you can enable collaboration while closing off unnecessary access that could expose your most valuable assets. As a fractional CIO for startups, my forte is finding the right balance for your company's culture and risk profile. Let's keep your data secure. #cybersecurity #dataprotection #saassecurity #cloudsecurity #infosec #datasecurity #fractionalCIO #startupsecurity

Technology offers not only solutions but also opportunities to rethink how we collaborate across sectors. Looking at how data tokenization enables secure data sharing, I see more than a technical advancement—it is a shift in how we balance value and responsibility. Data tokenization is the process of replacing sensitive data with unique, non-sensitive identifiers—called tokens—that retain the format and analytical usefulness of the original information but without revealing any personal details. The actual data remains securely stored, while the tokens circulate in its place, making it possible to analyze, match, and enrich data across systems without compromising privacy. Sensitive data held by government institutions and non-sensitive public sources are traditionally kept apart. Yet, when these datasets are tokenized and integrated, agencies like child welfare services, law enforcement, hospitals, and even third parties can access enriched insights without ever seeing the original personal information. This is not about surveillance or exposure. It is about designing systems where privacy is respected by default, and insights are gained without overstepping boundaries. Tokenization acts as a bridge, linking organizations that would otherwise operate in isolation. In an age of growing data complexity, trust must be designed into every exchange. Technology can support that trust, but the intent behind its use is what makes the real difference. #DataPrivacy #DataTokenization #DigitalTransformation #DataSharing

NSA and CISA released five (5!) guidance documents last week on the theme of Cloud Security Best Practices, bundled together for convenience in the attached. What's the TL;DR? 🔐 Use Secure Cloud Identity and Access Management Practices: Implement robust authentication methods, manage access controls effectively, and secure identity federation systems to protect cloud environments from unauthorized access. 🔐 Use Secure Cloud Key Management Practices: Securely manage encryption keys using hardware security modules (HSMs), enforce separation of duties, and establish clear key destruction policies to safeguard sensitive data in the cloud. 🔐 Implement Network Segmentation and Encryption in Cloud Environments: Utilize encryption for data in transit, employ micro-segmentation to isolate network traffic, and configure firewalls to control data flow paths within the cloud. 🔐 Secure Data in the Cloud: Protect data using strong encryption, implement data loss prevention tools, ensure regular backups and redundancy, enforce strict access controls, and continuously monitor data access and activities. 🔐 Mitigate Risks from Managed Service Providers in Cloud Environments: Establish clear contracts outlining security responsibilities, continuously monitor service provider activities, and ensure compliance with security standards to reduce risks associated with managed service providers in cloud environments. Some common themes that run through all of these are the need for encryption, implementing access control (with a special call-out for ABAC being a key element of Zero Trust), key management, and monitoring and logging. Also, for those who celebrate it: Happy Pi Day!

The recent inadvertent exposure of classified U.S. military plans by top defense and intelligence leaders serves as a stark reminder that even the most capable cybersecurity tools and well-defined policies can be rendered meaningless if ignored or misused. In this case, senior leaders relied on the Signal messaging app to communicate sensitive data but unintentionally exposed critical information to unauthorized parties. The leaked details—time-sensitive plans for a military operation—could have not only placed personnel in greater danger but also undermined the mission by alerting adversaries to an imminent attack. While #Signal is a widely respected, consumer-grade, end-to-end encrypted communication tool, it does not provide the same level of security as classified government systems. National security organizations typically utilize Sensitive Compartmented Information Facilities (SCIFs) to safeguard classified data from leaks and eavesdropping. However, SCIFs and other highly-secure methods are not as convenient as less secure alternatives—such as personal smartphones. In this instance, Signal's encryption was not the issue; rather, the exposure occurred when an unauthorized individual was mistakenly added to the chat. This human error resulted in sensitive information being disclosed to a reporter. Lessons Learned: This incident highlights critical cybersecurity challenges that extend beyond the military and apply to organizations everywhere: 1.     Human behavior can undermine even the most robust security technologies. 2.     Convenience often conflicts with secure communication practices. 3.     Untrained personnel—or those who disregard security protocols—pose a persistent risk. 4.     Even with clear policies and secure tools, some individuals will attempt to bypass compliance. 5.     When senior leaders ignore security policies, they set a dangerous precedent for the entire organization. Best Practices for Organizations: To mitigate these risks, organizations should adopt the following best practices: 1.     Educate leaders on security risks, policies, and consequences, empowering them to lead by example. 2.     Ensure policies align with the organization’s evolving risk tolerance. 3.     Reduce compliance friction by making secure behaviors as convenient as possible. 4.     Recognize that even the strongest tools can be compromised by user mistakes. 5.     Anticipate that adversaries will exploit behavioral, process, and technical vulnerabilities—never underestimate their persistence to exploit an opportunity. #Cybersecurity is only as strong as the people who enforce and follow it. Ignoring best practices or prioritizing convenience over security will inevitably lead to information exposures. Organizations must instill a culture of cybersecurity vigilance, starting at the top, to ensure sensitive information remains protected. #Datasecurity #SCIF #infosec

Data is every organization’s most valuable asset, but it is also the most targeted. Whether you are managing pipelines, warehouses, or APIs, data security is not optional, it is a necessity. Here are 15 best practices every data engineer must follow to keep systems safe and compliant 👇 1. Encrypt Data at Rest and In Transit Use strong encryption algorithms to secure data during storage and transmission, preventing unauthorized access. 2. Implement Role-Based Access Control (RBAC) Grant permissions based on roles to ensure that only authorized users can access specific datasets. 3. Use Strong Authentication Mechanisms Enable multi-factor authentication (MFA) or OAuth for enhanced user and system security. 4. Mask Sensitive Data in Non-Production Environments Hide confidential information during testing and staging to stay compliant with data privacy standards. 5. Regularly Rotate Access Keys and Credentials Update passwords, tokens, and API keys periodically to minimize unauthorized access risks. 6. Audit and Monitor Data Access Logs Continuously track who accesses what data to detect unusual or suspicious activity early. 7. Apply the Principle of Least Privilege Grant users only the permissions required for their tasks — nothing more, nothing less. 8. Secure Data Pipelines and APIs Protect data transfers using HTTPS, tokens, and strong authentication protocols. 9. Regularly Patch and Update Systems Keep servers, databases, and tools up to date to close potential security vulnerabilities. 10. Implement Network Segmentation Isolate sensitive databases within secure network zones to reduce exposure in case of breaches. 11. Use Data Loss Prevention (DLP) Tools Monitor and control data transfers to prevent leaks, misuse, or policy violations. 12. Backup Data Securely and Frequently Maintain encrypted backups and test recovery plans regularly to ensure business continuity. 13. Follow Compliance Frameworks (GDPR, HIPAA, etc.) Stay aligned with legal and industry standards for data collection, processing, and sharing. 14. Conduct Periodic Security Audits and Penetration Tests Identify vulnerabilities proactively through regular testing and security reviews. 15. Educate Teams on Data Security Practices Train employees to recognize threats, use data responsibly, and adhere to secure handling policies. Data breaches do not happen overnight, they result from overlooked basics. Start embedding these 15 practices today to protect your systems, ensure compliance, and build lasting trust in your data infrastructure.