Legal Field IT Specialists CEO, Robert Finley, responding to law firm partners’ concerns around potential cyber security breaches:
What question do others ask when they hear of a business, especially a law firm, getting hacked with a cyber threat?
Typically their thoughts center around the following question. "ARE THE PARTNERS AND ADMINISTRATORS OF THIS FIRM STUPID...OR JUST IRRESPONSIBLE?"
It's EXTREMELY unfair, isn't it? Victims of all other crimes - burglary, rape, mugging, carjacking, theft - get sympathy from others. They are called "victims" and support comes flooding in, as it should.
But if your business is the victim of a cybercrime attack where client, employee or even patient data is compromised, you will NOT get much sympathy. You will be instantly labeled as stupid or irresponsible. You will be investigated and questioned about what you did to prevent this from happening - and if the answer is not adequate, you can be found liable, facing serious fines and lawsuits EVEN IF you trusted an outsourced IT support company to protect you.
This is why you need to arm yourself with the following must have knowledge.
Is there a magic pill that a business can 'take' to prevent cyber threats?
I have no magic wand and there's no magic pill either. As a matter of fact, there's no one security protection that solves all your cyber-security problems. If there were, I'd be the first to tell you about it and insist that you purchase it as fast as possible. But there's just not.
Can you give me a list of items to use for protecting my law firm from cyber threats?
Since there's no one solution, here's my list of 21 must-have critical protections you absolutely need to have for your business. At the end of this article I'll give you some additional information on how you can have all of these protections in place and automatically monitored for your firm, so please continue to read on.
1. SECURITY ASSESSMENT
You can't make management decisions if you're not regularly assessing where you're at. Therefore, you need to establish a baseline and perform periodic technology assessments.
2. BACKUPS
Local backups and backups to the cloud. Have an offline backup for each month of the year. Perform test restores of your backups monthly, at least. Having this done daily is best. It can even be quickly reviewed each day in a matter of a minute or two.
3. NEXT GENERATION FIREWALL
A firewall separates your business computer network from the bad guys out on the internet and not all firewalls are the same. Your cable provider's firewall is not acceptable! Your firewall needs a Comprehensive Security Subscription, including an Intrusion Prevention System, and that subscription must be actively licensed at all times to help stop the over 80,000 new attacks developed every single day. That's over 29 million new types each year!
4. ADVANCED ENDPOINT SECURITY
Anti-virus software is only about 9% effective against today's threats, so we must use Advanced Endpoint Security. This latest technology replaces outdated anti-virus technology and protects against file-less and script-based threats and can even rollback a ransomware attack.
5. COMPUTER SECURITY UPDATES
Subscribe to an automated "critical update" service to keep the operating systems of your PCs, laptops and servers constantly updated with the latest security updates and patches to minimize risks from security threats and attacks targeting known bugs and security vulnerabilities.
6. 3RD PARTY SOFTWARE PATCHING
Subscribe to an automated "critical update" service to keep common software applications that are found on most computers constantly updated. Ones like Adobe Flash, Adobe Reader, Shockwave, iTunes, QuickTime, Safari, Google Chrome, Skype, Firefox, Java and more.
7. NETWORK SECURITY POLICIES
Apply security policies on your network. Examples of this would include denying or limiting USB file storage access, enabling enhanced password policies, setting user screen timeouts, limiting user access to files not related to that person's job, enforce encryption, and hardening your servers, so they're less vulnerable to attack.
8. ADVANCED EMAIL SECURITY
Most cyber-attacks originate in your email, so subscribe to a security service that scans every email to help protect against payload and phishing attacks, blocks and reduces spam and provides the ability to send encrypted emails. Having Office 365 or G-Suite/Gmail are not enough.
9. ADVANCED WEB BROWSING SECURITY
The 2nd most common cyber-attack method is through your staff's web browsing, so make sure to subscribe to a service that can block malicious destinations and activity before a connection is ever established, even when users are working remotely.
10. ADVANCED INTERNET DNS
Did you know that your competitor can go on the Dark Web and pay about $20 to take down your website using a DDoS attack? At that instant, the cybercriminal's fleet of millions of victimized computers across the world will start sending so much information to your web server that your website will literally go off-line, never to be seen again until the attack is thwarted or canceled. With Advanced Internet DNS your website can withstand these attacks.
11. EMPLOYEE SECURITY AWARENESS TRAINING
During a recent meeting I had with the FBI, they said that their #1 recommendation, even above firewalls & endpoint security, is for business owners to train their employees - and train them often! Teach them about data security, email attacks, and your policies and procedures. Do this by subscribing to a reliable and proven "done for you" web-based video training solution that includes automated fake attacks that are sent to your staff. If your employee clicks on the wrong thing, they'll receive instant remedial training and you'll be notified via weekly management reports.
12. DARK WEB MONITORING
Would you want to know if your username and password, or your staff's login credentials, or your banking login info, or your client data, or your employees' personal identifiable information (PII) were suddenly listed for sale on the Dark Web? Of course you would! Subscribe to a reliable monitoring service that can alert you immediately if your information goes up for sale on the Dark Web, so you can be proactive in preventing a data breach.
13. MULTI-FACTOR AUTHENTICATION
Utilize Multi-Factor Authentication whenever you can…including on your network, banking websites, and even social media. It adds an additional layer of protection to ensure that even if your password does get stolen, your data stays protected.
14. PASSWORD MANAGEMENT
Where do you and your staff currently store usernames and passwords to all your computer systems and websites? Stop wrestling with sticky notes and spreadsheets and start using a real system designed for an organization like yours. Subscribe to a service where you can organize, share, and audit all the important passwords and password-related tasks handled within your organization.
15. LOCAL NETWORK-LAYER VULNERABILITY SCAN
Use a network layer scanner to identify security risks on every system plugged into your computer network (i.e., PC's, servers, VoIP phones, wireless access points, firewalls, switches, printers, and security cameras). Identify rogue systems that haven't been accounted for and identify new risks that have been discovered or introduced.
16. SIEM MONITORING
This type of monitoring helps identify if a cyber-criminal has got their "foot in the door" and is actively trying to access your data or trying to make further changes to your network security, so they can gain even more control. Marriott Hotel disclosed a four-year-long breach involving personal and financial information of 500 million guests at its Starwood properties. I recommend SIEM Monitoring to help identify breaches sooner, before you become front-page news.
17. $2,500 OF BITCOIN
If it's your first time, sometimes it can take up to a week to acquire Bitcoin or other electronic currencies. The last thing you want to do is try to acquire it when you're under attack and your data is being held for ransom because if you can't pay in 72 hours, then your data is gone forever.
18. CYBER INSURANCE POLICY
If all else fails, protect your income and business with cybercrime, cyber-damage and recovery insurance policies. But watch out for exclusion and limitation clauses! I wish I had a dollar for every small business owner that told me they don't have to worry about all the IT security measures I was recommending because they had cyber insurance.
You should see their faces when I ask to see their policy and point out all the exclusions and limitations. Yes, the fine print is important, so make sure to read it.
What is the process I'll have to go through in order to submit an insurance claim for a cyber security breach?
When you make a claim against your cyber insurance policy, the insurance carrier is going to have a specialized IT team review your entire network. The first sign they find that you're not living up to the terms of the policy, they will deny your claim.
They'll do everything they can to find that you've violated an exclusion clause. If your firewall doesn't have intrusion prevention, if your computers don't have security patches applied within 3 days, if the firmware on network devices aren't up-to-date, if test restores of backups aren't done every month, if old hard drives aren't properly wiped, if laptops aren't encrypted, if there's no SIEM monitoring, then they'll DENY YOUR CLAIM.
So, make sure you have an expert review your Cyber Insurance Policy and make sure your IT team is following its terms.
19. MOBILE DEVICE MANAGEMENT
If you're providing company-owned smartphones and/or tablets to employees, then it's critical to protect their data, enforce company policies, configure allowed apps, remotely locate and wipe stolen devices, etc.
20. FULL DISK ENCRYPTION
Whenever possible, the goal is to encrypt files at rest, in motion (think email) and especially on mobile devices. Mobile devices get lost and are easy to steal, so make sure each has full disk encryption.
21. BUSINESS CONTINUITY PLAN
No one can predict the future; however, are you ready with a sound business continuity plan and backup processes in the event of a cyber-attack, fire, or other impending disaster?
How can I easily implement all 21 of these security protections that I need in place?
It can be very complicated, but it doesn't have to be. However, if you're a Do-It-Yourself kind of business owner, I've got some discouraging news. This stuff is expensive and it can get complicated. It's taken me years to not only identify these security protections, but to also hire and develop a highly-trained IT support team that can implement them.
What can I do if my law firm needs assistance setting up security protections from cyber threats?
If you feel that your law firm could use some assistance with setting up proper security for your firm so that you don't experience business-ending catastrophes, call us today. Legal Field IT Specialists provides tailored IT support services to law firms to protect them from the dangers of online threats as well as working with you to ensure that your staff is highly productive & efficient which, in turn, increases your firm's profitability.
