Legal Field IT Specialists CEO, Robert Finley, answering some questions from firms regarding 6 Steps To Better Cyber-Security Hygiene:

What sort of situations are you finding in your discussions with other small businesses concerning IT security?  Are you able to share some insight concerning what situations you are seeing and how they could be rectified?

Over the course of a few months, we interviewed over sixty companies and discovered a number of alarming realities. First of all, most people tend to use the same password (or some slight variation) for everything. This is extremely dangerous and very poor practice. Even if you slightly differentiate each password, this habit makes it rather simple for cybercriminals to pick you off like low-hanging fruit.

Many executives and business owners are overwhelmed at having to maintain all of these different passwords, so it's easier for them just to have one password for everything. This greatly increases the risk of being compromised. Hackers usually take the path of least resistance, and a dark web search for your company's domain name can reveal that your credentials have been compromised. Such a search may show that your Microsoft or LinkedIn account was breached and that the login information is now available to them.

By the way, if the password you use for your Marriott account, or for any other breached online service, is the same one you use for other online services (Office 365, Gmail, internal domain login, WordPress, online banking, etc.), you will want to change those passwords immediately.

All too often a hacker searches the dark web to find that your consumer-grade file sharing utility account was breached. So, they now have this information and gain access to other applications like your customer database or your financial software package. Gaining access now requires very little effort because they have your login credentials. So, if you are using the same password for everything and one account gets breached, automated scans and scripting techniques rapidly expose other accounts you have that are now unprotected.
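The reuse problem described above can be audited from the defender's side. The following is an added example, not part of the original interview: it flags accounts whose password is identical to, or a slight variation of, a password known to be breached. The account names, passwords, and the `base_form` and `exposed_services` helpers are constructed for illustration; in practice a check like this runs where the plaintext is legitimately available, such as at password-change time or inside a password manager.

```python
import re

# Substitutions people commonly use to "differentiate" a reused password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def base_form(password: str) -> str:
    """Reduce a password to the stem left after undoing trivial variations."""
    p = password.lower()
    # Strip leading/trailing digits and symbols: "Rover2018" -> "rover".
    p = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)
    # Undo character substitutions: "r0ver" -> "rover".
    return p.translate(LEET)

def exposed_services(vault: dict, breached_passwords: list) -> dict:
    """Map each at-risk service to 'identical' or 'variant'."""
    breached = set(breached_passwords)
    # Ignore empty stems (e.g. all-digit passwords) to avoid false matches.
    breached_bases = {base_form(p) for p in breached} - {""}
    findings = {}
    for service, password in vault.items():
        if password in breached:
            findings[service] = "identical"
        elif base_form(password) in breached_bases:
            findings[service] = "variant"
    return findings

# Constructed sample data: one breached password and five accounts.
BREACHED = ["Rover2018"]
VAULT = {
    "file-sharing": "Rover2018",      # the breached account itself
    "office365": "Rover2018",         # same password reused
    "banking": "R0ver2019!",          # "slightly differentiated"
    "crm": "rover#1",                 # another small variation
    "payroll": "T9#kQv!xR2mLp",       # unrelated random password
}

if __name__ == "__main__":
    for service, kind in exposed_services(VAULT, BREACHED).items():
        print(f"{service}: {kind} to a breached password, change it")
```

Only the randomly generated password survives the audit; the "slightly different" ones collapse to the same stem as the breached one.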

The following are 6 steps you can use that we compiled from our interviews with other small businesses like yours:


Throughout my interviews, I noticed that most people are unaware that security tools exist that can help you manage and utilize strong passwords across multiple sites and services. As a business there are a number of things you can do proactively to protect your information and deal with this liability. There is real risk involved here and there are really only three things you can do with this type of risk:

  1. Accept the risk - In my opinion, this is like burying your head in the sand. However ill-advised, lots of business owners and executives choose this path every day.
  2. Transfer the risk - In some cases, you can transfer a portion of this risk to a third-party or through cybersecurity insurance. There are still significant liabilities here if you have a breach and must notify customers or authorities.
  3. Mitigate the risk - There are several things you can do immediately to diminish the risk associated with cybersecurity data breaches.  I'll cover these in the following steps.


The first thing that you have to do is train your employees. Make sure that they understand the necessity of having strong passwords and know how to recognize an e-mail phishing attempt that is trying to gain access.

During my interviews, I heard several stories of businesses affected by fraudulent wire transfers. When a person's credentials are compromised and a cybercriminal gains access to their email, the criminal typically then sends an email impersonating the business owner or CEO of the company to an internal employee, requesting them to make a wire transfer.

In one case, $50,000 was transferred from an internal office person to a hacker using an email from their boss. The employee didn't have an alternate verification process or policy in place to confirm this was indeed a real request from the boss. All they had to do was pick up the phone and call their boss to confirm whether this was a legitimate transaction or not, and the hacker's plan would have been foiled. That's why one of the questions on most cybersecurity insurance applications asks if you have a secondary mechanism in place to verify the identity for any requested wire transfer of funds.

One of the biggest risks that any business has today isn't necessarily what firewall they have, or what end-point protection they are using. These are crucial cybersecurity tools, and you absolutely need them. Effective cybersecurity has multiple layers of protection including firewalls, backup, and security event and information monitoring. However, the greatest risk to any small or mid-sized business is their employees. Even good employees with good intentions will make big mistakes if they aren't given access to cybersecurity awareness training.

The right kind of training can help employees recognize a phishing attempt in which a hacker is trying to get them to click on an e-mail link designed to capture their user ID and password, or one that could install ransomware or malicious software on the network.

Let's say you have an employee who receives an e-mail that appears to be from Apple confirming their recent purchase of a $30 app. The email contains a PDF receipt attachment. The entire e-mail is a phishing attempt.

Clicking on the PDF reveals what looks like a receipt from Apple. At the bottom of the PDF, there's a "helpful" link with a note that says if you did not authorize this transaction, you could click the link to get a full refund. Clicking on the link brings the user to an exact replica of the Apple Account management portal.

If you enter your login credentials, you'll get a message that your account has been locked for security reasons. The hackers have now gained access to your account!

You must train your people so they can know how to recognize these types of threats.


It is absolutely imperative in today's business environment to use a service that will search the dark web on your company's behalf for compromised credentials.

The Dark Web is a sublayer of the Internet that is hidden and unindexed by typical and conventional search engines. Google, Bing, and Yahoo only search 4% of the indexed Internet. The other 96% of the Web consists of databases, private, academic and government networks, and the Dark Web. It is estimated that the Dark Web is 550 times larger than the surface Web and growing. Because you can operate anonymously, the Dark Web holds a wealth of stolen data, hosts illegal activity, and is a cesspool of cybercrime. It is a place where online criminals can buy anything at auction within the cyber-underground.

Hackers can buy a person's identity, Social Security Number, credit card information, or email login. Also, this information is continually being updated and regurgitated back and forth and sold amongst hackers.

For the longest time, it was only the bad guys who had access to this information. However, the good guys can now access the dark web as well. Under a subscription model, the good guys can search the dark web for a business domain to see if the business has any compromises. Moreover, if they do have compromises, you can do something about it and immediately update those accounts.

During my interviews, I was able to share the results of dark web scans with business owners. In one instance I discovered that the business owner had his credentials breached. When I asked him if he was using this particular password for anything else, the owner said, "Yes, I'm using that password for everything." Needless to say, we spent some time discussing better "cyber-hygiene."

Compromised credentials that are bought and sold on the dark web reveal some very weak passwords. It's never a good idea to use family or pet names in your passwords. People can find that information out pretty quickly just by looking at your social media profiles. Social media surveys are another way that hackers can find out confidential information about you. So be cautious and conservative here. Some of these surveys are identical to secondary security questions for online password resets when you forget your password.

Once your compromised credentials are on the dark web, you don't get off the dark web. All that information is out there being publicly shared with criminals. What you can do is change and update your user ID or passwords and use this as another compromise detection mechanism.


Antivirus is essential, but antivirus only protects you against what it knows about. Antivirus is kind of like getting the flu shot. Some people get the flu shot every winter season, hoping it will protect them from that season's version of influenza. However, the shots can sometimes be 10 - 15% effective, and unfortunately, many people still get sick. Moreover, some people never get the flu shot, and they don't get sick at all.

Most antivirus software solutions only protect you against what they know about in their database of virus signatures. In today's cybercrime world, a hacker can take a known virus that an antivirus could detect and modify it by changing one thing, and it is now a whole new, undefined, zero-day virus. Antivirus cannot adequately protect you if it doesn't recognize this new virus signature or doesn't scan everything.

So, I recommend that people replace their antivirus with next-generation endpoint protection, which uses artificial intelligence, machine learning, and deep learning to understand what is going on in the computer systems to protect systems better.


As another initial layer of protection, DNS filtering can block access to many malicious websites designed to steal your information. DNS stands for the Domain Name System, and it is like the internet phone book, resolving every domain name to an IP address. Cybercriminals prey on human error and will craft replica logon websites that look identical to sites you use every day.

A DNS filtering subscription can help protect you from many types of online scams and malicious sites.
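To show what a DNS filter does with each lookup, here is an added example that is not part of the original interview and not any vendor's implementation. It checks the queried name and every parent domain against a blocklist and answers with a sinkhole address instead of the real one. The domain names, addresses, blocklist entries, and the `matched_rule` and `filtered_resolve` helpers are constructed, and a dictionary stands in for the upstream resolver.

```python
SINKHOLE = "0.0.0.0"  # returned instead of the real address for blocked names

# Constructed sample data using reserved documentation names and addresses.
BLOCKLIST = {"account-verify-login.example", "malware.test"}
UPSTREAM = {  # stand-in for the real upstream resolver
    "www.example.com": "192.0.2.10",
    "account-verify-login.example": "198.51.100.66",
    "secure.account-verify-login.example": "198.51.100.66",
}

def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.strip().rstrip(".").lower()

def matched_rule(qname: str, blocklist: set):
    """Return the blocklist entry covering qname, or None.

    Matching is done label by label, so a listed domain also covers its
    subdomains, while a different domain that merely ends with the same
    characters is not caught by mistake.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def filtered_resolve(qname: str, blocklist=BLOCKLIST, upstream=UPSTREAM) -> dict:
    """Answer a lookup the way a filtering resolver would."""
    name = normalize(qname)
    rule = matched_rule(name, blocklist)
    if rule is not None:
        return {"name": name, "answer": SINKHOLE, "action": "blocked", "rule": rule}
    return {"name": name, "answer": upstream.get(name), "action": "allowed", "rule": None}

if __name__ == "__main__":
    for q in ("www.example.com", "Secure.Account-Verify-Login.example."):
        print(filtered_resolve(q))
```

The blocked lookups are also worth logging: a workstation that repeatedly asks for a listed name is a sign that someone clicked a phishing link.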


Ensuring you have regular, systematic, security patches and updates on all of your computer systems today helps keep your systems running smoothly. Having proactive security updates and incremental patches applied regularly is crucial for any device on the Internet. All those devices have to be patched and maintained to protect you.

These are just a few of the precautionary steps that business owners can take immediately to protect themselves. In addition to having a good backup and disaster recovery solution, you can mitigate this risk and avoid the hassle, headaches, and costs associated with not following best practices.

To get some help protecting your firm and to put the above best practices in place for your firm call us today. Legal Field IT Specialists provides tailored IT support services to law firms to protect your firm from the dangers of online threats as well as working with you to ensure that your staff is highly productive & efficient which, in turn, increases your firm's profitability as a whole.

Phone: (678) 926-9192