Cetrom in @Law Magazine: How Your Data is at Risk

This article originally appeared in the Spring 2017 issue of @Law Magazine. By Christopher Stark, President and CEO, Cetrom, on March 7, 2017.

Ransomware, a type of malicious software that encrypts files, blocks access to computer systems and then demands an anonymous payment to get them back unharmed, can have a dramatic and devastating impact on any type of business and its clients. TechTarget calls ransomware an absolute pandemic, and BBC News reports that more than 120 types or “families” of ransomware currently exist. While there have been a number of attacks on large banks and corporations that are assumed to have heavily fortified systems, hackers are also using ransomware to target smaller businesses, such as law firms.

Law firms are targeted because of the sensitive, confidential data they hold, such as contract negotiations, trade secrets, mergers and acquisitions, financial data, divorce details, personal injury records and more. Digital intruders know that losing access to this confidential information is troubling to clients, making law firms more likely to pay to get their data back safely. Paying can cost a law firm a great deal of money, and the breach itself can ruin even the best reputation.

While some law firms may feel they are unaffected by this cybersecurity epidemic, it only takes one click of a mouse to become infected with ransomware. Oftentimes it occurs when a staff member opens an attachment in a fraudulent email. These emails may appear to contain important client data or a shipping confirmation, but the attachment is disguised malware, which can infiltrate that computer and then spread to other machines on the same network. Microsoft Malware Protection Center notes your firm’s infrastructure can also become exposed to ransomware when employees visit fake or compromised websites.

Keeping your data and applications safe and secure from ransomware attacks, while increasing your clients’ awareness of malicious software, requires collaboration with your internal IT department and/or managed IT provider. Here are five things you can do to better protect your firm and clients:

1. Perform a Security Audit
As stated earlier, law firms store and access personal and confidential information on a daily basis. It is crucial that firms make certain this data is kept safe and unharmed at all times. To do so, your firm should perform a security audit: the process of testing and identifying vulnerabilities in your organization’s IT infrastructure in order to ensure that your company assets are fully protected.

Partnering with a third-party security firm to conduct a Vulnerability Assessment or Penetration Test at least once each year, and feeding its findings into a security breach response plan, helps your firm to:
• Comply promptly with legal requirements.
• Reduce the risk of a data security breach that causes serious harm to the firm’s reputation and finances.
• React quickly to security breaches and not give the appearance of an inadequate response.
• Ultimately close any security gaps that make an organization vulnerable to ransomware.
Additionally, the planning process should allow law firms to identify:
• All of the personally identifiable information (PII) and sensitive data.
• All organizational compliance requirements.
• Procedures for analyzing and containing a potential data security breach.

Once you’ve developed disaster recovery and business continuity plans, they should be reviewed and tested each time the IT environment changes. In the event of a ransomware attack, these plans are invaluable. IT Business Edge notes that disaster recovery plans can help your firm get systems back up and running after a cybersecurity attack and that business continuity plans enable staff to remain productive while cybersecurity issues are being resolved.

2. Use Back-up Protection
When ransomware infects an organization’s IT infrastructure, it can restrict access to critical information stored within the computer system. Because of this, it is important for your law firm to be proactive in updating security measures. Your firm’s data back-up procedure is a key security measure that should be top of mind. Having duplicate copies of your most important information saved in a separate location lets you recover from ransomware without paying, and it also prevents loss of information during computer crashes and hard drive failure. To prevent any type of loss and avoid wasting precious time and money attempting to recover data, get into the habit of backing up files and documents on a daily basis. TechAdvisory.org advises small to mid-size businesses that work with critical client information to perform daily backups.

Once you have established data backup procedures, you should also consider where your data backups are stored. Many organizations keep their backups on on-site servers within the same network, where ransomware running on an infected workstation can reach them and encrypt them along with the live data. To keep backups out of reach of ransomware, store them on servers at a secure off-site storage facility or data center, and make sure they cannot be overwritten or deleted with the same credentials the infected machine uses; an offline or immutable copy is the safest. Test restores periodically, because a backup that has never been restored is not known to work. This will allow your organization to restore its IT infrastructure from the most recent clean backup in the event of a ransomware attack.

The right cloud service provider will provide guidance on cybersecurity measures and updates on looming security threats while assisting with the data backup and recovery processes, filling the gap in areas where you feel your organization’s security practices are lacking. As a result of partnering with a cloud service provider, your organization will have an added level of protection to counter ransomware threats.

3. Increase Levels of Security
Hackers tend to focus on systems that are easy to access. So the more levels of security you have, the more likely they will move on to avoid wasting time and effort.

It’s important to secure all of your systems, not just your hardware. By implementing network-wide security solutions, such as anti-virus, web filtering, firewalls and password protection, your servers and employee devices will have the same level of security. Data should never be protected by a single password, no matter how creative or complex that single password may be: attackers can phish it, capture it with a keystroke logger, or reuse it from another site’s breach. When a hacker has full access to private data, including emails, social media accounts, or personal and financial details, your firm is at risk of falling victim to fraudulent acts, which can result in a ruined reputation and costly lawsuits.

With this in mind, law firms should consider implementing Two-Factor Authentication, also commonly referred to as 2FA. Two-Factor Authentication requires two of the following three kinds of factor:
1. Something only the user knows (a password, PIN or security question)
2. Something the user has (a smartphone, hardware token, computer or tablet)
3. Something the user is (a fingerprint, retina scan or face recognition)

For example, Google’s 2-Step Verification, once enabled, asks the user for a password when logging into an account. After the password is accepted, a code is sent to the user’s phone via text or voice call, or generated by the Google mobile app. The user must type in this code to gain access to his/her account. Google users have the option not to be asked for the second factor again on that particular computer to save time in the future; when anyone tries to sign in from another computer, the second factor will once again be required. Of the delivery methods, codes sent by text message are the weakest, since they can be intercepted or phished along with the password, so prefer an authenticator app or a hardware security key where the service supports it. This technology can be implemented to better protect not only your data but your clients’ data from cyber threats.
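The code an authenticator app shows is not sent from the server; the phone and the server each compute it from a shared secret and the current time. The following is an added example, not code from the original article or from Google, showing that computation (the TOTP algorithm of RFC 6238, which authenticator apps implement) with the Python standard library. The secret is the RFC’s published test seed, a constructed value and not a real account secret.

```python
"""Added example (not from the original article): how the 'something you have'
factor works when the code is generated by an authenticator app rather than
sent by text message. Implements time-based one-time passwords (RFC 6238).
The shared secret below is the RFC test seed, i.e. a constructed value."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret: created once at enrollment, shown to the user as a
# QR code / base32 string, and stored server-side. This is base32 of the
# 20-byte RFC 6238 test seed b"12345678901234567890".
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds each code stays valid
DIGITS = 6       # length of the code the user types


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Compute the code valid for the time window that contains unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                        # time steps since the Unix epoch
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest() # HMAC-SHA1 as in RFC 4226/6238
    offset = digest[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(secret_b32: str) -> str:
    """What the authenticator app displays right now."""
    return totp(secret_b32, int(time.time()))


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `window` steps of clock
    skew either side; compares in constant time so timing does not leak digits."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: 59 seconds after the epoch the SHA-1 code is 94287082,
    # whose last six digits are 287082.
    print(totp(DEMO_SECRET_B32, 59))
    print(verify_totp(DEMO_SECRET_B32, "287082", 59))
```

Because the secret never leaves the two endpoints, a code is useless to an attacker once its 30-second window has passed, and an attacker who steals only the password still cannot log in. A real server must also reject a code that has already been used within its window, which this example omits for brevity.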

4. Monitor Activity

Law firms often fall victim to ransomware attacks partly because they do not monitor ongoing activity. By using a tool to monitor network and file-server activity, firms can gain visibility into the weak entry points that caused past breaches and use that information to avoid future ones. Law firms can track activity by collecting logs of security “events” and feeding them into a security information and event management (SIEM) system, which gives you a holistic view of your entire organization’s security. Ransomware in particular leaves a recognizable trail, such as one user account rewriting or renaming hundreds of files within minutes, so a SIEM rule that alerts on that pattern can catch an infection while only part of a share has been encrypted. By combining preventive measures with this kind of detection, you greatly improve the odds that your valuable data stays safe.
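As an added example of the kind of rule a SIEM would run (this is not code from the original article or from any SIEM product), the block below scans constructed file-server audit log lines and alerts when one user performs an unusual burst of renames that change the file extension, which is the signature most ransomware families leave. The log format, user names, paths and the `.locked` extension are all constructed for the example; the thresholds are assumptions to tune for your own file servers.

```python
"""Added example (not from the original article): a simple SIEM-style detection
rule run over constructed file-server audit log lines.

Ransomware typically rewrites many files in a short time and gives them a new
extension. The rule counts, per user, 'rename' events that change a file's
extension inside a sliding time window and raises an alert when the count
crosses a threshold. Log format, paths and users are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample log. Format: "<ISO timestamp> <user> <action> <path> [-> <new path>]"
# jsmith's account is encrypting a client folder; mlee is doing ordinary work.
SAMPLE_LOG = """\
2017-03-07T09:14:01 jsmith read /share/clients/acme/contract.docx
2017-03-07T09:14:02 jsmith rename /share/clients/acme/contract.docx -> /share/clients/acme/contract.docx.locked
2017-03-07T09:14:02 jsmith rename /share/clients/acme/nda.pdf -> /share/clients/acme/nda.pdf.locked
2017-03-07T09:14:03 mlee rename /share/clients/bolt/draft_v3.docx -> /share/clients/bolt/final.docx
2017-03-07T09:14:03 jsmith rename /share/clients/acme/merger_terms.xlsx -> /share/clients/acme/merger_terms.xlsx.locked
2017-03-07T09:14:04 jsmith rename /share/clients/acme/deposition.pdf -> /share/clients/acme/deposition.pdf.locked
2017-03-07T09:14:05 mlee rename /share/clients/bolt/report.doc -> /share/clients/bolt/report.docx
2017-03-07T09:14:05 jsmith rename /share/clients/acme/invoice_0417.pdf -> /share/clients/acme/invoice_0417.pdf.locked
2017-03-07T09:14:06 jsmith rename /share/clients/acme/README.txt -> /share/clients/acme/README.txt.locked
"""

WINDOW = timedelta(seconds=60)   # assumed: look back one minute
THRESHOLD = 5                    # assumed: extension-changing renames per user in WINDOW


def parse_line(line):
    """Return (timestamp, user, action, src, dst_or_None) for one log line."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    user, action, src = parts[1], parts[2], parts[3]
    dst = parts[5] if len(parts) >= 6 and parts[4] == "->" else None
    return ts, user, action, src, dst


def extension_changed(src, dst):
    """True when a rename gives the file a different extension (case-insensitive)."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def detect_mass_rename(log_text, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of extension-changing renames per user.
    Returns a list of alert dicts, at most one per user, in the order raised."""
    recent = defaultdict(deque)   # user -> timestamps of suspicious renames in window
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, src, dst = parse_line(raw)
        if action != "rename" or dst is None or not extension_changed(src, dst):
            continue                      # reads and same-extension renames are normal work
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "new_extension": os.path.splitext(dst)[1],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG):
        print(f"ALERT: {alert['user']} renamed {alert['count']} files to "
              f"{alert['new_extension']} between {alert['first']} and {alert['last']}")
```

The alert fires on the fifth suspicious rename, a few seconds into the attack, while mlee’s one-off `.doc` to `.docx` rename never reaches the threshold. A response playbook tied to this alert would disable the account and disconnect the workstation, which is where the monitoring pays for itself.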

5. Educate Staff and Clients

Avoiding ransomware is not possible without an educated staff and clientele. Anyone who has access to network files and data, holds individual passwords to business applications, or uses any type of device to reach the cloud needs to understand how to identify potential threats.

As mentioned earlier, emails containing suspicious attachments and fake websites can lead to your firm becoming infected with ransomware. To minimize the likelihood of your staff opening these types of emails or websites, collaborate with your internal IT department to develop and implement cybersecurity training courses. Cybersecurity training courses will help educate your staff on the different types of ransomware threats.

Firms should consider blocking mail attachments with file extensions that are unnecessary to your business (executables, scripts and macro-enabled documents, for example) and ensuring that the programs which are allowed to open attachments are kept up to date, since out-of-date programs carry known vulnerabilities that malware exploits. Administrators should allow only approved programs to run and give users write access only to the files they need to do their work. Files staff have no reason to modify should be restricted to ‘read only’ access for them; ransomware runs with the permissions of the user who launched it, so this directly limits how much it can encrypt.
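The attachment check is easy to get wrong: attackers send `invoice.pdf.exe`, vary the case, add trailing dots or spaces that Windows silently strips, hide the real extension with a right-to-left override character, or wrap the file in a password-protected archive. The following is an added example, not code from the original article or from any mail product, of a policy check that handles those cases. The block list, the archive types and the sample filenames are constructed assumptions; a real gateway would apply this logic to each decoded MIME part.

```python
"""Added example (not from the original article): an attachment policy check
of the kind a mail gateway applies before delivering a message. The block
list, archive list and sample filenames are constructed for illustration."""
import os

# Assumed block list: file types a law firm has no business reason to receive by mail.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".jar", ".lnk", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1",
    ".docm", ".xlsm", ".pptm",          # macro-enabled Office documents
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# Unicode bidirectional controls; U+202E makes "evil\u202efdp.exe" display as "evilexe.pdf".
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}


def normalise(filename):
    """Reduce a filename to what the receiving OS would actually save it as:
    strip any directory part, surrounding whitespace, trailing dots/spaces
    (Windows drops these) and case."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def attachment_verdict(filename):
    """Return (verdict, reason): 'block', 'inspect' (archives) or 'allow'."""
    if any(ch in BIDI_OVERRIDES for ch in filename):
        return "block", "bidirectional override character in filename"
    name = normalise(filename)
    ext = os.path.splitext(name)[1]          # final extension only, so x.pdf.exe -> .exe
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} not permitted"
    if ext in ARCHIVE_EXTENSIONS:
        return "inspect", "archive: apply this check to each member"
    return "allow", "ok"


def archive_verdict(member_names, encrypted=False):
    """Apply the same policy to an archive's contents. A password-protected
    archive cannot be inspected, and password-protected ZIPs are a common way
    to smuggle droppers past scanners, so it is blocked outright."""
    if encrypted:
        return "block", "encrypted archive cannot be inspected"
    for member in member_names:
        verdict, reason = attachment_verdict(member)
        if verdict != "allow":               # blocked member, or a nested archive
            return "block", f"{member}: {reason}"
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample attachments.
    for sample in ["Invoice_0417.pdf", "Invoice_0417.pdf.exe", "Invoice_0417.PDF.ExE. ",
                   "notice\u202efdp.exe", "shipping_confirmation.zip",
                   "C:\\Users\\jsmith\\brief.docm"]:
        print(repr(sample), "->", attachment_verdict(sample))
    print("archive ->", archive_verdict(["brief.pdf", "brief.pdf.js"]))
```

Note that the check looks only at the filename; a gateway should also verify the file’s actual type from its content, because a renamed executable inside a `.pdf` name is still an executable once a user is tricked into running it.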

Losing laptops, tablets and smartphones can also result in a security breach. Oftentimes, this carelessness is an open invitation to cyber villains looking to compromise data. Make sure your staff is cognizant of where their laptops and mobile devices are at all times, and enable full-disk encryption and remote wipe so that a lost device is an inconvenience rather than a breach.

In addition, your organization can use websites like ID Ransomware, which identifies a ransomware family from a ransom note or an encrypted sample, and follow IT-related current events in order to alert your staff to the different variants of ransomware that are striking companies across industries. Once your employees become well-versed in threats and how to avoid them, they can pass along their knowledge to your clients as advisory services.

Examining your IT infrastructure, updating security measures, and educating staff and clients will help you protect not only your organization, but your client base.

While keeping up with cybersecurity threats in an IT industry driven by constant innovation can be challenging, relying on your IT department and providing them with the resources they need to stay informed will enable them to keep you up and running. And if they appear to be falling behind, don’t be afraid to seek outside help. A cloud service provider with extensive experience and knowledge can help strengthen your security practices.

Besides providing the best legal services to your clients, your firm’s top priority must be keeping your IT infrastructure and your clients’ data safe from any cybersecurity threats, including ransomware. Ransomware isn’t going away any time soon; if anything, these types of malware will continue to become more dangerous, so consider taking these steps now.