Stakes couldn’t be higher when it comes to a business's cybersecurity. The sensitive information held within any business - big or small is a prime target for cybercriminals. For example a major reason why cybersecurity is so important to businesses is that, 26% of American law firms have experienced a data breach with consequences ranging from loss of data and billable hours to unauthorized access to sensitive information. According to State of Ransomware 2022 Report published by cybersecurity software company Sophos:
- Ransom attacks are more frequent – 66% of organizations surveyed were hit with ransomware in 2021, up from 37% in 2020
- Ransom payments are higher – In 2021, 11% of organizations said they paid ransoms of $1 million or more, up from 4% in 2020, while the percentage of organizations paying less than $10,000 dropped to 21% from 34% in 2020. Overall, the average ransom paid by organizations that had data encrypted in their most significant ransomware attack increased nearly fivefold to reach $812,360
- More victims are paying the ransom – In 2021, 46% of organizations that had data encrypted in a ransomware attack paid the ransom. Twenty-six percent of organizations that were able to restore encrypted data using backups in 2021 also paid the ransom.
- The impact of a ransomware attack can be immense – The average cost to recover from the most recent ransomware attack in 2021 was $1.4 million. It took, on average, one month to recover from the damage and disruption. 90% of organizations said the attack had impacted their ability to operate, and 86% of private-sector victims said they had lost business and/or revenue because of the attack
- Many organizations rely on cyber insurance to help them recover from a ransomware attack – 83% of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack.
- Cyber insurance almost always pays out – In 98% of incidents where the victim had cyber insurance that covered ransomware, the insurer paid some or all the costs incurred (with 40% overall covering the ransom payment).
- 94% of those with cyber insurance said that their experience of getting it has changed over the last 12 months, with higher demands for cybersecurity measures, more complex or expensive policies, and fewer organizations offering insurance protection.
For these reasons and others, the American Bar Association (ABA) added a section on Information Security Policies and data security in the latest edition of the book "Law Office Policies, Procedures, and Operations Manual." In that chapter, Inovo InfoSec CEO Eric Rockwell and CIO Jeff Gulick shared how businesses can maximize their technology investments, standardize the use of technology, avoid costly mistakes, and secure their clients' sensitive information and intellectual property. States such as California and New York have new laws and regulations governing sensitive personal information. The chapter is based on controls from trusted cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Critical Security Controls (CSC). It offers a detailed look at what businesses must consider when navigating today's complex cybersecurity landscape.
Businesses should implement comprehensive and standardized information security policies and procedures to protect these electronic information assets while staying compliant with data privacy regulations.
10 considerations in assessing your business’s cybersecurity
1. Information Security Policy
An information security policy provides a foundation for ensuring the safety of your firm's information assets and electronic communications systems. It should cover the use of software programs within the organization, data sharing with internal and external parties, device connections to the company's network, the use of the firm's electronic communication systems, access to cloud computing services, and more.
2. Social Media Policy
Social media can support business development and increase your firm's and individual attorney's profile. However, these platforms also pose risks as threat actors can gather information to exploit your clients. Employees must maintain the confidentiality of client information and sensitive personal information when posting on these platforms. Also, they must not share information about the firm's internal policies, procedures, strategy, etc.
3. IT Business Continuity and Disaster Recovery
You must have a well-defined process to handle events that could impact your firm's IT operations and business resiliency. Define recovery point objective (RPO) and recovery time objective (RTO) to understand the extent of data loss and the amount of downtime that's acceptable to your business. Then, you can implement the necessary controls to achieve these objectives.
4. Malicious Software Management
Protect your data and network with antimalware software, malware scanning tools, and review procedures. Work with a cybersecurity company to harden your IT assets to the applicable CIS benchmark. Ensure that security updates and software patches are installed promptly, and all devices are scanned weekly to minimize vulnerabilities a bad actor could exploit.
5. Employee Training and Education
Most data privacy regulations require organizations to provide employee training to ensure that everyone in your firm is fully trained on the use of all equipment and services, including hardware, software, and cloud platforms, and understands how to handle sensitive information securely. Also, appoint a dedicated resource to oversee employee training and provide timely assistance.
6. Cloud Services and Software as a Service (SaaS)
If your firm uses cloud or SaaS platforms as part of the infrastructure, the IT director must maintain a map of these business systems and a clear record of where the firm's data resides. Enforce a business password management policy for accessing these accounts, implement multi-factor authentication and access control, and use providers that adhere to regulatory standards (e.g. SOC 2).
7. Communication Systems
From email and voice over internet protocol (VoIP) phone systems to messaging and video conferencing, you must coordinate many moving parts to ensure seamless internal and external communication without compromising data security. Since most information is transmitted digitally, you must select reputable service providers that adhere to the appropriate compliance standards.
8. Software Programs
Software vulnerabilities can be a substantial security risk. As such, businesses must utilize name-brand and supported software platforms. Don't use open-source, freeware, or proprietary software that is not widely supported. Also, work with a third-party vendor under a maintenance agreement to ensure that all your software programs are up to date.
9. Desktops, Laptops, and Mobile Devices
Provide all employees with supported hardware devices from trusted brands and implement a device management strategy. Bring your own device (BYOD) has become popular in today's work-from-anywhere environment. If you decide to take advantage of the trend and allow employees to use their personal devices for work, enforce a BYOD policy to ensure secure access to your networks and data from within and outside the office.
10. Wireless Networks
Protect the wireless network within your office with a strong password and the proper configuration settings. Segment the guest network and implement controls to deny access to internal resources. Printers, copiers, multi-functional machines, and internet of things (IoT) devices should be on a separate network and not allowed to access the internet unless under special circumstances.
Eric C Rockwell