Bar News - September 20, 2017
Solo and Small Firm Cybersecurity Guide: Data Security on a Shoestring: Steps You Need to Take Right Now
By: Ryan Barton
1. Learn to recognize phishing and scam emails and make sure all staff have training (1a).
2. Change passwords for all sensitive accounts to complex, unique passwords (1b).
3. Implement a secure method for sending confidential data – don’t just email it (2d).
4. Secure your bank account with Multi-Factor Authentication and make sure staff know not to wire money based on an email request (even from you) (2e).
5. Turn on automatic patching for your workstations (4a).
6. Procure a cyber liability insurance policy to cover residual risk (5f).
As a lawyer at a small firm, you recognize the need to protect your firm and your clients’ data. You agree the digital world is rapidly becoming a more dangerous place. And you know you need to act. The question is… by doing what, exactly?
If your firm is large enough to have an IT budget or IT staff, then the answer is clear: bring in a team with a proven track record, appropriate for the size of your organization, to help assess risk, solve challenges, and build the right information security program for you, that covers data, devices, and people. The risks are significant and the costs for the appropriate defenses have decreased enough to make them accessible to many organizations.
But, if your budget or inclination means that you are the one to lead your organization’s information security efforts, then you’ll want to leverage publicly available resources and take a risk-based approach.
Start with the areas of greatest risk, and intentionally make consistent progress. Always remember, security is a discipline, not a product or an initiative. Just as an organization’s legal and financial risk never goes away, neither does its information security risk. Consider the following elements:
1. Secure Your Staff
It is the way we use technology, and the intrinsic gullibility we have as humans, that creates the greatest risk.
- Enroll in training. Ninety-one percent of cyberattacks start with an email – if staff can recognize these attempts and avoid them, risk is dramatically decreased. Enroll in a cybersecurity training course or seminar personally, and make it mandatory for all staff, both new and existing. Online security awareness training is available from numerous vendors and training companies, or for free from the Small Business Administration.
- Practice password discipline. Change your passwords now. Make each password unique and long (length matters more than symbol tricks, though use multiple character sets where a site requires them), and never base it on a dictionary word or a predictable pattern such as a word followed by a year. Short or common passwords are cracked within minutes once an attacker has a site’s password database. Reuse is worse: a breach at any site where you used a password exposes every other account that shares it, because attackers replay leaked username/password pairs everywhere else. Troves of credentials stolen from breached sites such as Adobe, Dropbox, and LinkedIn circulate on the dark web (the encrypted, anonymous, seedy underbelly of the Internet), so a reused password is effectively already in an attacker’s hands. A password manager is the practical way to keep every password unique. You can check whether your email address has appeared in a known breach by searching it at haveibeenpwned.com, and the site’s Pwned Passwords service lets you check whether a specific password has already leaked.
- Implement Multi-Factor Authentication (MFA). On any service of high impact, require more than just a password: MFA adds a second layer of defense by also requiring a code from an authenticator app, a hardware token, or a text message. An app or hardware token is stronger than a text message, since an attacker who takes over your phone number can receive your texts. Google, Dropbox, ShareFile, Amazon, Office 365, most banks, and many more services natively support MFA.
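The leaked-password check can be automated without ever sending the password anywhere. The Python below is an added example, not code from the original article: it follows the k-anonymity model used by haveibeenpwned.com’s Pwned Passwords API, hashing the candidate password with SHA-1, sending only the first five hex characters of the hash, and comparing the returned suffixes locally. The breach corpus and its counts, and the 14-character minimum, are constructed assumptions for the offline demo; an online fetcher for the real API is included but not called.

```python
"""
Check whether a candidate password appears in a breach corpus using the
k-anonymity range lookup of Have I Been Pwned's Pwned Passwords service.
Only the first 5 hex characters of the SHA-1 hash leave the machine; the
suffix comparison happens locally.

Added example, not from the original article. The offline demo uses a
constructed corpus; fetch_range_online() shows the real call but is not run.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List

PREFIX_LEN = 5      # the API accepts exactly the first 5 hex chars of the SHA-1
MIN_LENGTH = 14     # assumed firm policy minimum; not from the article


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def build_offline_range_source(leaked: Dict[str, int]) -> Callable[[str], str]:
    """Mimic the API: for a prefix, return "SUFFIX:COUNT" lines, one per match.
    'leaked' is a constructed sample of plaintext passwords and breach counts."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(pw)
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        return "\r\n".join(by_prefix.get(prefix.upper(), []))

    return fetch


def fetch_range_online(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Not called by the offline demo or the tests."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "small-firm-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def assess_password(password: str, fetch_range: Callable[[str], str]) -> dict:
    """Combine the breach lookup with the (assumed) length policy."""
    count = breach_count(password, fetch_range)
    long_enough = len(password) >= MIN_LENGTH
    return {
        "breached": count > 0,
        "times_seen": count,
        "long_enough": long_enough,
        "acceptable": count == 0 and long_enough,
    }


# Constructed sample corpus; the counts are illustrative, not real HIBP figures.
SAMPLE_LEAKS = {"password": 3730471, "P@ssw0rd": 52579, "Summer2017!": 1200}
offline_source = build_offline_range_source(SAMPLE_LEAKS)

if __name__ == "__main__":
    for pw in ["password", "Summer2017!", "correct horse battery staple"]:
        print(f"{pw!r}: {assess_password(pw, offline_source)}")
```

To run against the live service, pass `fetch_range_online` instead of `offline_source`; the function signatures are identical, so nothing else changes, and the service still only ever sees a five-character hash prefix.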
2. Secure Your Data
Understand the data that carries the greatest risk of harm to you and your clients – or has the most value to an attacker.
- Inventory your data. Perform a thought exercise: If all our data became public, what damage would result? Identify those pieces of data that would cause damage and document what they are, and where they are stored. Example: Do you store Social Security numbers? If so, how many? Where are they stored? Do you store client data that would be highly damaging to clients if it leaked (such as intellectual property, or mergers and acquisition activity)? How much? Where is it stored?
- Receive data securely. Set up a secure, encrypted method for clients to send you sensitive data. Discourage clients from emailing you highly confidential data, and offer a service such as www.sharefile.com instead.
- Store your data securely. Store confidential data in designated locations, such as on locked-down shares on a server, or in a service like ShareFile. Store as few copies as possible, and only in areas you are confident are appropriately secured and encrypted.
- Send data securely. Utilize an email encryption service (such as Office 365 Message Encryption or Zix) or a secure file-sharing service (such as ShareFile or Delivered Secure). Do not simply send sensitive data via email. Avoid insecure services like FTP, which transmits both the login credentials and the files in the clear.
- Secure your money. Implement MFA on any online financial accounts, especially those that could be used to wire money. Train staff to ensure fraudulent invoices aren’t paid, and that everyone recognizes wire fraud scams, known as business email compromise (BEC), in which a scammer impersonates someone in authority (typically from a personal or look-alike email address, or a compromised mailbox) and emails finance requesting a wire to a particular account. Require that every wire request or change of payment details be confirmed by phone, using a number already on file rather than one supplied in the email. The FBI recently announced that it has identified over $5 billion in business losses due to email compromise scams; www.ic3.gov is the FBI site for filing and reporting Internet crime complaints.
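The impersonation pattern described above can be screened for mechanically before anyone acts on a payment request. The following Python is an added example, not the article’s or any vendor’s code: it inspects a message’s From, Reply-To, subject and body for the usual BEC tells (a staff display name on an outside address, a look-alike sender domain, a diverted Reply-To, and payment language). The firm domain example-law.com, the staff list, and the three sample messages are constructed for illustration.

```python
"""
Flag business email compromise (BEC) indicators in an incoming message.
Added example, not from the original article. FIRM_DOMAIN, STAFF and the
sample messages are constructed; adapt them to your own firm.
"""
from email import message_from_string
from email.utils import parseaddr
import re
from typing import List

FIRM_DOMAIN = "example-law.com"                    # assumed firm domain
STAFF = {"jane partner", "ryan barton"}            # hypothetical staff display names, lowercased
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|urgent|immediately|account number)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold common visual substitutions so example-1aw.com reads as example-law.com."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats like example-law.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    domain = domain.lower()
    if domain == FIRM_DOMAIN:
        return False
    if normalize_domain(domain) == normalize_domain(FIRM_DOMAIN):
        return True
    return edit_distance(domain, FIRM_DOMAIN) <= 2


def bec_indicators(raw_message: str) -> List[str]:
    """Return a human-readable reason for each indicator found (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []

    if from_name.strip().lower() in STAFF and from_domain != FIRM_DOMAIN:
        reasons.append(f"display name '{from_name}' is a staff member but address domain is {from_domain}")
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} resembles {FIRM_DOMAIN}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    if PAYMENT_WORDS.search(msg.get("Subject", "") + " " + body):
        reasons.append("message contains payment or urgency language")
    return reasons


def should_hold_payment(raw_message: str) -> bool:
    """Hold for phone verification when payment language coincides with any identity indicator."""
    reasons = bec_indicators(raw_message)
    has_payment = any("payment or urgency" in r for r in reasons)
    return has_payment and len(reasons) > 1


# Constructed sample messages.
LEGIT = """From: Jane Partner <jane.partner@example-law.com>
To: accounts@example-law.com
Subject: Draft agreement

Attached is the draft agreement for tomorrow's meeting.
"""

FRAUD_FREEMAIL = """From: Jane Partner <jane.partner@gmail.com>
To: accounts@example-law.com
Subject: Urgent wire

Please wire $48,000 to the account below today. I am in meetings, so email only.
"""

FRAUD_LOOKALIKE = """From: Jane Partner <jane.partner@example-1aw.com>
Reply-To: jp.partner@outlook.com
To: accounts@example-law.com
Subject: Vendor invoice

Process the attached invoice immediately; the vendor changed their bank details.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("freemail", FRAUD_FREEMAIL), ("lookalike", FRAUD_LOOKALIKE)):
        print(label, should_hold_payment(raw), bec_indicators(raw))
```

The rule is deliberately conservative: payment language alone is not suspicious (real invoices mention invoices), and an outside sender alone is not suspicious (clients write from Gmail), but the combination is exactly what the phone-verification policy above exists for.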
3. Secure Your Infrastructure
Ensure that the services and networks you rely on are appropriately secured for your needs.
- Secure Email. Use a business service such as Office 365 or Google G Suite Business, and ensure it meets your compliance requirements and is configured by an IT professional who understands security. Do not use a personal email address (or allow staff to do so).
- Secure remote access. If you access your network remotely, ensure it is done over an encrypted channel, such as a VPN. Ensure that Remote Desktop Protocol (RDP) is not open to the outside world (TCP port 3389 on your firewall); RDP exposed directly to the Internet is a favorite target for password-guessing attacks.
- Secure cloud hosts. Ensure that any cloud providers you use meet your compliance and security requirements. For example, Dropbox for Business adds security and compliance elements, but a personal Dropbox account does not meet HIPAA requirements or have appropriate security for businesses with confidential data.
- Secure wireless. If you have a wireless network, make sure it is encrypted with WPA2 and protected by a long, complex passphrase. Never use open, public wireless networks to access sensitive data: anyone on the same network can capture what you transmit, and attackers set up look-alike hotspots for exactly that purpose. If you must work from a public network, connect through your VPN first.
- Secure firewall. Use a business class firewall, with multiple layers of protections built in, and keep an active service agreement on the device, so it stays supported and updated by the firewall vendor.
- Secure server. If you have a server, make sure it is configured or reviewed by an IT professional who understands security. Check it regularly to ensure it is fully patched and all updates have been applied, and replace it whenever the operating system is no longer supported (example: Windows Server 2003 is no longer supported by Microsoft and is not a secure operating system).
- Secure backups. Back up your data on a regular schedule and to more than one location, and test restoring from those backups periodically so you know they actually work. Ensure that any offsite backups are fully encrypted and that you know exactly where your data is stored and who has access to it.
4. Secure Your Devices
- Secure workstations. It is imperative that each computer receive updates to the operating system and applications regularly, as patches are released to fix security flaws. Enable automatic updates (via Control Panel) for Windows, and also enable automatic updates for any Adobe products, third-party browsers (such as Chrome or Firefox), and Java (and uninstall Java if nothing you use requires it). Install new updates as soon as they become available. In addition, ensure that a business-grade antivirus is installed and up-to-date, and that all accounts on the computer have long, complex passwords. Do not give users administrative rights to their computers if at all possible; create a separate administrative account, used only when installing software.
- Secure mobile devices. Make sure all mobile devices have passcodes (on iOS, setting a passcode enables device encryption; on Android, confirm in the security settings that encryption is turned on), and enable the setting that wipes the device after a set number of incorrect passcode attempts, to protect against loss or theft. Install updates to the operating system whenever they become available, and only install apps from the App Store (for Apple devices) or Google Play (for Android devices), never by clicking a link, as this may install malicious software.
5. Secure Your Organization
- Understand your compliance obligations. Seek to answer these questions: Does the data you store and the clients you serve cause you to fall under MA 201 CMR 17.00 or HIPAA? Do you process credit cards and need to comply with the Payment Card Industry Data Security Standard (PCI DSS)? Do any of your clients impose cybersecurity contractual requirements?
- Perform annual assessment of risk and evaluation of security. Once a year, follow an intentional process to assess risk and evaluate the performance of your information security defenses.
- Pay attention to physical security. Lock sensitive data away at the end of each day, establish appropriate office locks and key/access card control, and consider alarm systems and camera systems.
- Assess your vendors. Evaluate any vendor who has access to your data against security best practices, and establish a contract that outlines clear expectations and requirements – whether it’s an IT provider or a cleaning company.
- Build policies. Utilize templated resources to build information security policies and ensure all staff understand and abide by them. The SANS Institute provides a policy template library.
- Procure cyber liability insurance. You can mitigate cybersecurity risk, but never eliminate it. Any organization with sensitive data should have a cyber liability policy that is appropriately sized for its exposure, based on the number and type of sensitive records or client arrangements. Some legal malpractice policies include cyber liability coverage. Seek an insurance agent, such as the NHBA Insurance Agency, that understands the uniqueness of cyber liability policies and can advise appropriately.
6. Make Progress Every Year
Start by doing what you can, but commit to continually improving your defenses and increasing the maturity of your information security program.
The challenge is great, but these simple disciplines remove the large majority of the risk a small firm faces. And threats are proliferating at such a rate that the reality is quickly becoming as stark as: act now, or be breached.
Ryan Barton is CEO of Mainstay Technologies, a New Hampshire-based cybersecurity and IT services firm. For more information please visit www.mstech.com, or contact him directly.