As more people continue to work remotely, it is becoming increasingly important that everyone understand why security is critical and what is at risk.
It’s becoming more and more difficult to stay current with all the cybersecurity threats that individuals and businesses face. The “bad guys” are focusing not only on accessing data, but they are continually sending emails, texts and phone calls. They are targeting smaller business entities with the assumption that these businesses do not have the appropriate protection in place. As more people continue to work remotely, it is becoming increasingly important that everyone understand why security is critical and what is at risk. We all understand the importance of locking the doors to our homes and apartments as well as our automobiles. Cybersecurity is just as important, and in many cases, cyberattacks can be more detrimental than experiencing a home or auto being vandalized. Let’s review some of these cyber threats and ways to protect your firm from them.
Understanding the Risks
With a ransomware attack, an attacker typically gains access to a victim’s computer system, and in order for the victim to access his/her files, a payment is required. To prevent this, all software applications should be kept current. For instance, Windows 7 has already reached its sunset as of January 14, 2020, meaning it will no longer be updated with new protections. Spend the money to upgrade to Windows 10. Consider the expense as insurance. Spend the money to get a virtual backup of all data as well. It is relatively inexpensive and can be easily obtained. If data is stored in the cloud, be sure the provider has appropriate backup, and that it is physically located at another site.
When acquiring any software application, be sure to do some research. It’s a red flag if an application is free or complimentary. Be sure to check with other end-users in the legal industry. There is nothing wrong with doing a little research on the internet as well. Optimally, working with a qualified technology consultant will ensure that the application is safe, secure and appropriate.
It is okay for an end-user to check their SPAM folder, but no file sent from an unrecognized email address should be opened. If you’re unsure, it is best to delete the email. Many email addresses look familiar, such as Amazon, AT&T, Verizon, IRS – just to name a few, but if there is a period or a space in front of the name, it is probably fraudulent. Make it a habit to hover the cursor over the sender’s email address, before opening the email, to see if it is recognized. If it is not, just delete the email. DO NOT open or respond to it.
Scams and Phishing
It is common for an employee in the accounting department of an organization to receive an email from a recipient that appears to be the owner or supervisor instructing them to wire money to a specific account. But all employees must be educated so that any time anyone (owner or otherwise) requests money to be wired, that the request is confirmed by speaking to the person making the request. Information about owners and employees can be obtained from the company’s website, and fake emails from owners to employees can be used to steal money via wire transfer.
Some additional tips to consider in avoiding falling victim to a phishing scam:
- Look for misspellings or poorly worded sentences. If you’re unsure, pick up the phone and call the sender.
- Email scams often offer something intriguing. Remember: if it is too good to be true, it probably is. No one who has millions of dollars is reaching out to share it. Do not respond to this type of email, just delete it.
- Do not send personal or confidential information electronically when it has been solicited without cause. For example, the IRS or the Social Security Administration is not emailing you out of the blue to request personal information. If you’re unsure, pick up the phone and call the sender.
- With respect to clients, firms should never maintain financial information. There are several providers that process credit card transactions, so law firms no longer have to keep clients’ financial information.
Organizations must make securing electronic data a priority and continue to invest in its security.
Everyday Protections & Best Practices
BYOD and Frequent Reviews
More and more people will be working remotely on a permanent basis. Not only should an organization require a Work From Home (WFH) Policy to be implemented, but it is also very important that all hardware be inspected routinely whether it is an employee’s personal equipment or company provided. Making sure that compromised applications have not been downloaded to any device and that all equipment still needs to be inspected regularly should be incorporated into the WFH Policy. The policy should also include how passwords should be implemented and stored. Many firms actually include clauses in their WFH Policy that gives them the ability to wipe a device clean in the event that it is lost or stolen. This allows client information to stay confidential in instances where privileged client information is stored on one’s device, but may be met with some resistance from employees who wish to retain control over their personal devices.
People use common sense when protecting personal belongings. For instance, someone would not ask a stranger in a restaurant to watch his/her wallet while he/she visits the restroom. Commuters do not leave their computers three seats in front of them on a train. When going on vacation, it is common to ask a neighbor to watch the house and pick up the mail. This similar common sense must be applied when using email, answering unidentified phone calls and responding to texts.
Frequent and mandatory training must be administered to all employees – no one is exempt. Training does not have to be daunting and can be as simple as a five-minute reminder that appears on someone’s computer perhaps once a month. For example, a fake phishing email can be a great learning tool. If an end-user does not respond, good. If an end-user does, that person needs to be educated as to why opening the email was not appropriate. Protecting employer and client data must become just as important as protecting personal belongings.
The financial industry receives the most cyberattacks of any industry; second to it is the legal industry. Many lawyers believe that their professional liability insurance protects them from a cybersecurity attack. When an organization’s data is breached, to comply with regulatory statutes, all interested parties must be notified. It is estimated that notification costs will approximate $140 per record. Professional liability insurance usually does not cover these costs. Work with a cyber insurance broker and review the firm’s policies. Cyber liability insurance is a necessary expense today; it is not an option. One attack could easily bankrupt a law firm and its owners.
Electronic data and transmissions are as common as the air that we breathe today. Organizations must make securing electronic data a priority and continue to invest in its security.
Written by CARET Legal partner, Gail Ruopp. Gail Ruopp has acquired more than 25 years of professional experience in senior law firm management, initiating best practices in administrative operations, including: financials, accounting, lateral recruiting, personnel, day-to-day operations, systems management, and firm marketing.