
How Safe Is Your Law Firm From Data Breach?

With pressure mounting to minimize data breach threats, law firms are expected to set aside a considerable share of their budgets for information security. According to a survey released by Chief Cost Management (CCM), whose sample comprised primarily major companies, law firms are expected to spend nearly $7 million on enhancing in-house security by identifying security gaps in their networks.


Identifying cybersecurity priorities and knowing what makes a reasonable investment will help law firms gain the highest returns on their information security budgets. Otherwise, they risk spending too much and draining firm profits, or spending too little and jeopardizing the privacy and integrity of their information assets.

–Len Levy, President, CCM

According to the CCM report, more than two-fifths of the companies surveyed have annual gross revenues between $100 million and $500 million. Law firms hold considerable information assets which, if lost in a data breach, can significantly compromise their business integrity. Jerry Brandt, writing in 2012 on the bleak state of law firm security, referenced a study finding that more than 80% of law firms did not use two-factor authentication and nearly 60% did not encrypt their laptops.

Managers therefore need to ask critical questions to gauge the safety of their firm. Here are five questions every law firm should ask to assess its security risk level.

What level of confidential information do we collect?

For any business to determine its level of data security risk, it should first consider the type of information it stores on its servers. If the stored data is highly sensitive and cannot easily be replaced or substituted, the risk from a data breach should be regarded as very high. Law firms in particular are a trove of confidential information whose theft can carry immense financial and legal ramifications: confidential client information, including clients' weaknesses in pending matters, intellectual property relating to patents and copyrights, contact and address details, and privileged attorney-client communications are all stored on law firm networks.

Law firms and lawyers are bound by a number of legal and ethical duties to ensure that sensitive client information is not compromised in any manner. If a data breach leads to the loss of such information, the firm could face a number of legal problems.

Which third parties gain access to our data?

Another factor to consider is the number of third parties that can acquire, access, and exploit a firm's confidential records. Lawyers, for instance, are frequently required to be on the move and to work from their laptops. Third parties such as employees, friends, and even clients can gain access to files and folders pertaining to a case and steal information that could decide it.

In 2011 the American Bar Association urged lawyers to safeguard communications with their clients from unauthorized disclosure, whether by the lawyer or by other persons. Earlier, in 2010, the State Bar of California considered whether client confidentiality is compromised when the technology used to store or transmit information is exposed to unauthorized access.

The question arose over an attorney who used his laptop to conduct research for a client over a public Wi-Fi network and to communicate with the client via e-mail. The California Bar considered that the attorney had acted incompetently and urged that appropriate steps be taken to protect sensitive information from others.

Who are the main stakeholders?

Businesses should also weigh the impact of a data breach on their various stakeholders. For law firms the main stakeholders are clients, but board members, regulatory authorities, the press, and investors can be affected too.

It is important to decide in advance which stakeholders must be notified of a breach, and in what order. A law firm would typically report a breach first to its affected clients, then to its board and to law enforcement agencies.

The law firm Foley & Lardner, for example, provides a 24/7, 365-day hotline through which clients can speak with a designated data security attorney for counsel during the first stages of a data breach.

Have we experienced a data breach in the past?

Previous incidents can also reveal a lot about the security posture of a firm. Revisiting the details shows which measures worked, which did not, and where to improve. Perhaps the firm lacked the resources to invest in a next-generation firewall or to implement a firm-wide network security program.

Firms should also dig into the details of how the attackers gained access: the channels used, whether the breach originated inside or outside the firm, and where the attacker was located.

How do we prevent future attacks?

Businesses need to accept that there is no fail-safe against data breaches, so any breach that does occur must be detected and contained quickly. The security team can investigate the root cause of previous incidents and deploy or upgrade intrusion detection and encryption to protect data from sophisticated malware.

More importantly, the firm needs to provide employees with ongoing training that covers current security measures and the threats everyone needs to recognize. Attorneys should never conduct client research over anything but a secured internet connection, and e-mail should be checked daily for signs of malicious activity.

Other measures, such as two-factor authentication, passphrases, and a periodic backup and recovery routine, should also not be overlooked.


2015: Another Record Year of Data Breaches. What Your SMB Needs To Know

The year 2015 is expected to be a particularly tough one for small and medium-sized businesses (SMBs), as the escalating threat of cyber crime threatens to engulf the business landscape. SMBs are often unaware of the risks, and they lack the resources and expertise to mitigate them.

High-profile breaches at companies such as Apple and Sony last year stirred a rigorous debate over the surge in cyber crime and the steps governments, thought leaders, and IT managers alike can take to protect the integrity of companies.

Verizon's report titled “2015 Data Breach Investigations Report” sheds light on the growing sophistication of data breaches in 2014 and on some of the issues that exacerbate the threat.

Report details

The Verizon report reveals the eye-opening reality of cyber crime and how poor security standards have gone unaddressed for years. It reports the following for last year:

  • A total of 79,790 security incidents were recorded
  • A total of 2,122 data breaches were confirmed
  • The top targets were public-sector and financial services organizations
  • Phishing attacks are on the rise

The statistics reveal how poor security infrastructure has allowed malware to run rampant within company systems, undetected. The rise of phishing highlights that companies and the security industry alike have failed to adapt their controls and systems over the years.

Attackers have exploited this negligence, compromising companies in far less time. The report notes that many of the weaknesses being exploited have gone unaddressed for the last eight years, almost a decade. This finding coincides with a Sophos report, ‘Security Threat Trends 2015’, which highlights how major flaws have gone unaddressed for the past 15 years.

That is why decades-old phishing techniques still account for nearly one-fifth of all reported incidents. Weak security standards also prolong the time it takes to discover a breach, while in 60% of cases attackers were able to compromise an organization within minutes.

SMBs are therefore left with major security challenges if they do not take active steps to curb these threats.

What SMBs can do to counter data breaches

As calamitous as the report findings might seem, there are various methods SMBs can implement to curb the threat level.

Staff awareness is crucial

One way SMBs can address the rising threat is by educating staff on the nature of the threats and teaching preventive measures. Despite improvements in data security, e-mail remains an easy channel for delivering malware.

The notorious incident in which Russian hackers read some of US President Barack Obama’s e-mails last year shows how e-mail can become a gateway for a breach.

Company policy should therefore require security training that makes employees responsible for identifying and not opening junk e-mail and for scanning attachments for viruses before opening them. Good habits can be reinforced with a reward mechanism in each department, such as prizes for employees who spot and report suspicious messages.

Upgrade anti-virus software

Contrary to what many would think, anti-virus software is still useful against most online threats. But Verizon’s report highlights that signature-based anti-virus is slow to update its detection signatures, while malware is repackaged far faster, so many variants slip past the detection in anti-virus products.

“We continue to see sizable gaps in how organizations defend themselves. While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. This continues to be a main theme, based on more than 10 years of data from our ‘Data Breach Investigations Report’ series.”

–Mike Denning, global security vice president, Verizon Enterprise Solutions

Firms therefore need to invest in better anti-virus protection, and keep it updated, as one layer of defense against breaches.

Consult a network security consultant

SMBs can also seek expert advice from a network security consultant to learn the different ways their organization can protect itself from breaches.

“In 2014, DDoS attacks became much more sophisticated. Though much of the reporting focused on the size of attacks, a more troubling trend was the advancement in attack techniques”

–Barry Shteiman, Imperva

With expert advice, companies can identify the hidden and unusual channels through which criminals compromise data, and the protocols and IT systems they can deploy to fortify their operations.

Bottom line

2015 will prove another tough year as SMBs and large multinationals alike bear the brunt of growing cyber security risks. However, as stakeholders come to realize the nature of the risks, counter-strategies in the form of new legislation and security systems can be expected to better protect firms’ confidential data.

5 Tips for Better IT Security for SMBs

If you haven’t followed the technology news lately, chances are you missed the recent breach news about Target and Premera Blue Cross: customers won a $10 million settlement from Target over the retailer’s December 2013 data breach, while nearly eleven million Premera Blue Cross customers had their personal data exposed.

Whether you’re a small firm or a big blue-chip company, data security threats are on the rise. Why? The problem is often people rather than anti-virus software and gateways. Major security vendors offer new protocols to keep your network locked down, but if your technicians are not applying updates, you may still suffer an intrusion.

Plan Scheduled Updates

One of the most critical components of protecting your network is simply scheduling software updates at least twice a month. Again, it is the people factor that leaves companies operating day to day while exposed to attackers. Your IT technicians should set aside a day at least twice per month to review current software versions and check for available updates.

Strikingly, more and more companies are being attacked through gateways that should have blocked the malicious traffic.

Vulnerable Web Code

Too often a company’s network services, website and data stores were built on outdated languages and frameworks. Information leaks often occur in the following scenarios:

• Cross-site scripting is an area attackers look to exploit; for example, .NET web applications that emit user input without output encoding are prone to it.
• Another area to consider is whether you run outdated versions of ColdFusion. Once a premier web application platform, unpatched ColdFusion servers have since suffered SQL injection attacks.
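The two flaws named above are easiest to see side by side. The following is an added example, not code from the original post: a string-built SQL query next to its parameterized form (using Python’s built-in sqlite3 driver and a constructed in-memory `users` table), and raw HTML interpolation next to output encoding. The payloads and table contents are invented for illustration.

```python
import html
import sqlite3

# Constructed sample data for the demo; not from the original post.
SEED_USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 0),
    ("admin", "admin@example.com", 1),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """String-built query: the caller's input becomes part of the SQL grammar,
    so a value like  nobody' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the SQL
    text, so quotes and keywords in the input are just data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment_vulnerable(author, text):
    """Raw interpolation into HTML: a <script> tag in user input runs in the browser."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author, text):
    """Output encoding for the HTML body context: <, >, &, quotes become entities."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "nobody' OR '1'='1"
    print(find_user_vulnerable(conn, payload))  # every row comes back
    print(find_user_safe(conn, payload))        # []
    xss = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable("guest", xss))
    print(render_comment_safe("guest", xss))
```

The fix in both cases is the same idea: keep untrusted data out of the grammar of whatever you are generating, by using the driver’s parameter binding for SQL and the encoder for the specific HTML context (body text here; attributes, URLs and JavaScript each need their own encoding).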

Unauthorized VPN Access

Another part of your network to review is VPN permissions. Face it: every company has vendors and customers who sometimes hold administrative credentials for parts of its network. For some companies these exposures become a threat.

Many companies leave the task of maintaining access credentials to lower-level IT techs. Bad idea. Remember, your network is only protected if you are doing regularly scheduled audits of your authorized users.

Management of Users

Do you know how many users can access your data? Chances are you don’t. Many companies struggle to monitor network access by unauthorized users. Remember, people will always attempt to infiltrate your data; how you monitor and react to intrusions is your best defense. We recommend developing a master list of authorized users (employees, vendors and customers) and the permissions their credentials carry.

It’s not enough to wonder who is accessing which parts of your systems. Smart IT security managers evaluate all users vigilantly and regularly.
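The audit the last two sections call for, a master list compared against what the systems actually grant, is mechanical enough to script. This is an added example and not the post’s own tooling: the two CSV documents (the master list and an access export from a file server, VPN and CRM) are constructed for the demo, and the column names, the `expires` convention for third parties and the severity labels are assumptions.

```python
import csv
import io
from datetime import date

# Constructed master list of authorized identities with the role they are allowed
# to hold; third-party (vendor/customer) entries carry an expiry date.
MASTER_LIST_CSV = """\
user,type,role,expires
alice,employee,admin,
bob,employee,user,
dave,employee,user,
acme-support,vendor,admin,2015-03-31
globex-portal,customer,user,2016-12-31
"""

# Constructed export of what the systems actually grant right now.
ACTUAL_ACCESS_CSV = """\
system,user,role
fileserver,alice,admin
fileserver,bob,user
fileserver,bob,admin
vpn,acme-support,admin
vpn,globex-portal,user
vpn,carol,user
crm,alice,admin
"""


def load_master(text):
    """Parse the master list into {user: {type, role, expires}}."""
    master = {}
    for r in csv.DictReader(io.StringIO(text)):
        exp = date.fromisoformat(r["expires"]) if r["expires"] else None
        master[r["user"]] = {"type": r["type"], "role": r["role"], "expires": exp}
    return master


def audit_access(master_csv, actual_csv, today_iso):
    """Compare granted access against the master list.

    Returns a sorted list of (severity, system, user, reason) findings:
      HIGH  account not on the master list
      HIGH  third-party access past its expiry date
      HIGH  admin role granted to someone authorized only as a user
      LOW   authorized identity with no account anywhere (likely stale entry)
    """
    today = date.fromisoformat(today_iso)
    master = load_master(master_csv)
    findings = []
    seen = set()
    for r in csv.DictReader(io.StringIO(actual_csv)):
        system, user, role = r["system"], r["user"], r["role"]
        seen.add(user)
        entry = master.get(user)
        if entry is None:
            findings.append(("HIGH", system, user, "account not on master list"))
            continue
        if entry["expires"] and entry["expires"] < today:
            findings.append(("HIGH", system, user,
                             f"{entry['type']} access expired {entry['expires']}"))
        if role == "admin" and entry["role"] != "admin":
            findings.append(("HIGH", system, user, "admin role not authorized"))
    for user in master:
        if user not in seen:
            findings.append(("LOW", "-", user, "authorized but no account found"))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit_access(MASTER_LIST_CSV, ACTUAL_ACCESS_CSV, "2015-04-15"):
        print(*f)
```

Run against the sample data on 2015-04-15, it flags the unknown VPN account `carol`, the admin role `bob` holds on the file server without authorization, the vendor account whose access expired in March, and the employee `dave` who is authorized but has no account. In practice the export would come from each system’s own user listing, and the run would be scheduled alongside the twice-monthly update review.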

Poor Password Strength

If there’s one area you need to assess, it’s user passwords. Too many are chosen for memorability rather than strength. Although ‘1234’ or variations on memorable characters are easy to remember, your users need to embrace length and alphanumeric complexity.

Your best defense is to meet with your network security administrators and define a core set of robust password requirements every user must adhere to. For example, a complex password like ‘C^d!4dj~vyQa’ is far stronger despite the effort it takes to type.

If your company uses roaming profiles so that employees can work from multiple workstations, consider mandatory password changes at least once a month to protect your networks. Bear in mind, though, that more recent guidance such as NIST SP 800-63B recommends against forced periodic rotation unless a compromise is suspected, because users respond with predictable variations; length, screening against known-breached passwords and two-factor authentication do more for you.

USPS Data Breach: Neither Snow nor Rain nor Heat nor Gloom of Night Keeps Intruders from Their Appointed Rounds

Employment with the US Postal Service was once considered the benchmark of job security. The same cannot be said of the security of its employees’ personal data.

According to USPS officials, a recent breach affects the entire staff of roughly 800,000 postal workers. The data exposed includes “names, dates of birth, Social Security numbers, addresses, dates of employment and other information”. Fortunately, “other information” does not include credit card numbers, though as a precaution USPS employees will be given one free year of credit monitoring.

The only compromised customer data involves “customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014 and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, e-mail addresses and other information for customers who may have provided this information.” In a formal statement, the USPS asserts that “we do not believe that potentially affected customers need to take any action as a result of this incident”. USPS officials emphasize that no financial systems within USPS facilities or those of its partners (such as USPS.com, Click-N-Ship, the Postal Store, PostalOne!, FedEx or UPS) were affected. Lastly, passport application data was not compromised.

Unlike other recent breaches involving the retailers Home Depot and Target, the suspected instigator of this breach is the Chinese government, which (along with the NSA) is notorious for intrusion attempts on government information systems; China denies the accusation. James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies, states that “they’re just looking for big pots of data on government employees” as “a way of building their inventory on U.S. persons for counterintelligence and recruitment purposes”. He also notes that “China would be interested in amassing large sets of data that can be analyzed for previously unknown links or insights”. Lastly, Lewis notes that China’s postal service, unlike the USPS, holds large amounts of data on its citizens, and that the attackers may have assumed the same of the USPS and overestimated the nature and type of data available.

The USPS has come under fire for its handling of disclosure, particularly because the breach occurred in August but was not made public until November. House Oversight and Government Reform Committee Chairman Darrell Issa (R-CA) and House Oversight Subcommittee on the Postal Service Chairman Blake Farenthold (R-TX) are leading the charge. The committees released a joint statement in terse language: “…the Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter. The Committee will be seeking information about why the Administration waited two months before making the news of this attack public and preventing victims from taking proactive measures to secure their own information. We have not been told why the agency no longer considers the information classified.”

In a letter addressed to Postmaster General Patrick Donahoe (himself a victim of the attack), ranking committee member Rep. Elijah E. Cummings (D-MD) went as far as to say that “The increasing number of cyber attacks in both the public and private sectors is unprecedented and poses a clear and present danger to our nation’s security.”

In reply to the critics, the USPS states that “Communicating the breach immediately would have put the remediation actions in jeopardy and might have resulted in the Postal Service having to take its information systems offline again” (the latter refers to the Postal Service taking systems offline on November 8–9 as part of its intrusion mitigation efforts).

Joining the USPS in the incident response are the Federal Bureau of Investigation, the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. The FBI, in its own statement, urged the public to “report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.” An FAQ document is available from the USPS at http://about.usps.com/news/fact-sheets/scenario/customerFAQs_Final.pdf

Dropbox Software Glitch: Lost Files May be Restored, What About Lost Confidence?

Mr. Murphy (of Murphy’s Law fame) has a way of seeing to it that data is lost when you need it most, and he is apparently undeterred by the Cloud Computing Revolution.

Still reeling from the iCloud breach, the cloud computing industry faces another PR hit: lost files due to a software glitch in the popular Dropbox application. The glitch is the latest in a series of incidents involving Dropbox, including a 2012 security breach in which customer e-mail addresses were stolen via a Dropbox employee’s account, and recent concerns about Dropbox’s approach to addressing security vulnerabilities and notifying users of breaches.

Kudos to Dropbox for its response to this latest incident: a prompt mea culpa, a succinct explanation of the problem and who is affected, a quick software patch, and a free upgrade to Dropbox Pro. According to a company post on Hacker News, files are lost if you use the Selective Sync feature and the application is shut down or restarted while a selective sync is in progress. Dropbox has patched the desktop client, retired older versions of the client, and ensured that users have the patched version. Affected users may receive a free one-year subscription to Dropbox Pro, which offers basic collaboration features and 1 TB of storage (normal pricing is $9.99 a month or $99 a year).

Some users report years of lost data. One case in particular has gone viral: that of Jan Čurn, co-founder and CTO of the photography software platform VirtualRig Studio. Čurn has used Dropbox since 2009 and reports losing 8,343 files stored over that five-year period. While the whereabouts of Čurn’s files have yet to be determined, Dropbox has been able to restore some users’ files, has contacted affected users, and has provided listings of restored files. It remains to be seen how much data can be recovered.

It is important to note that the software bug is not related to security or malicious hacking, and that it affected personal users rather than business users. Cloud storage products for business use require flexible user and file permission setup, current encryption standards, history logging, and remote administrative features. An example is the Secure.Share product from ComputerSupport.com. Aimed at small to medium-sized businesses, it offers “military grade” 448-bit Blowfish encryption for data at rest, protects data in transit with SSL, and supports two-factor authentication. Accounts are managed from a single dashboard, and versioning and update notification features similar to Microsoft SharePoint are available for document collaboration. Additional security and administrative features include file history sharing and remote data wiping.

Unfortunately, many of the affected Dropbox users used it as their sole document repository. The takeaway (painfully learned by those users) is that personal cloud storage is not a substitute for regular backups. You’ve heard it before (and like me, have ignored it and paid the price): regularly back up critical data and keep copies in two separate locations. This was true in the era of 5¼-inch floppy disks and is true today.

What Can You Learn from JP Morgan’s Data Breach

On the heels of the Home Depot breach comes another case of compromised customer data, this time from the largest bank in the United States. JPMorgan Chase reported that information on more than 76 million households and 7 million small businesses may have been compromised when hackers gained administrative-level access to its systems.

Account holder names, addresses, phone numbers, and e-mail addresses are thought to have been exposed, as well as internal notes about those account holders. JPMorgan Chase asserts that there is no evidence that account numbers, passwords, dates of birth, or Social Security numbers were leaked in the breach.

What This Means for Business

As TechTarget pointed out, in both the Target and the JPMorgan Chase breaches no full-time Chief Information Security Officer (CISO) was overseeing security operations. In the wake of these breaches, businesses are beginning to realize the important role risk management and security play in business today. In the coming years the CISO role will likely become an important specialty in the technology field, attracting higher salaries and the best talent. For small businesses, these duties will often be entrusted to a cloud provider, which staffs specialists to oversee servers for a large number of clients.

How to Protect Yourself

Experts say that without Social Security numbers and dates of birth, the exposed information is not in itself enough to enable identity theft. However, a JPMorgan spokesperson points out that consumers should always keep an eye on their accounts. The biggest problem may be the compromised e-mail addresses, which can be used to launch phishing attempts through which Social Security numbers and account passwords could then be obtained. Small businesses should remind users never to click links or open attachments from unknown parties, and, when an e-mail concerns an existing account, to go to the site on their own rather than clicking the link in the message.
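The advice above (and the staff-awareness point in the SMB post earlier on this page) comes down to recognizing links that do not go where they claim to. The following is an added example, not code from the original post, of the checks a mail gateway or a user-reporting tool can run over a message body: extract every anchor, compare the domain in the visible text against the domain in the `href`, and flag raw-IP and punycode hosts and links to domains the organization does not do business with. The sample e-mail, the trusted-domain list and the “last two labels” domain rule are constructed for the demo (real code would use the Public Suffix List).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing message body; not from the original post.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Please verify at <a href="http://chase-secure-login.example-verify.biz/auth">https://www.chase.com/verify</a>.</p>
<p>Or call <a href="tel:+18005551234">1-800-555-1234</a>.</p>
<p>See <a href="https://www.chase.com/help">our help center</a> for details.</p>
<p><a href="http://203.0.113.7/login">Sign in</a></p>
<p><a href="http://www.xn--chse-6qa.com/login">www.chase.com</a></p>
"""

# Constructed allow list of domains the organization actually deals with.
TRUSTED_DOMAINS = {"chase.com"}

# Visible anchor text that looks like a URL or bare hostname.
URL_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/|$)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two labels. Real code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) for every suspicious http(s) anchor in the message."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            findings.append((href, "unparseable URL"))
            continue
        if parts.scheme.lower() not in ("http", "https"):
            continue  # tel:, mailto: and friends are out of scope here
        host = parts.hostname or ""
        if is_ip(host):
            findings.append((href, "link points at a raw IP address"))
            continue
        if "xn--" in host:
            findings.append((href, "punycode (IDN) host, possible homograph of a real domain"))
            continue
        m = URL_IN_TEXT.match(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append((href, f"visible text says {m.group(1)} but link goes to {host}"))
            continue
        if trusted and registrable_domain(host) not in trusted:
            findings.append((href, f"{host} is not a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

On the sample message this flags the mismatched “chase.com” link that really goes to example-verify.biz, the raw-IP login link and the punycode look-alike, while leaving the genuine chase.com help link alone. The text/href mismatch check is the one that catches the classic account-alert lure; the allow list is what turns “unknown domain” into something a small business can act on.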

Safeguarding your business’s applications and systems should be a top priority, since securing your own customer data is an important part of long-term success. Ensuring that employees keep their own passwords secure and recognize phishing attempts is a vital first step. When working with a cloud provider, ask what role it takes in preventing intrusions and keeping your data safe.

5 Million Gmail Usernames, Passwords Hacked! What to Do Now?


The news that five million Gmail usernames and passwords had been leaked alarmed many in the industry. If Google’s servers aren’t safe, whose are? But Google quickly followed up with an announcement that the credentials had been taken from other websites, not from Google. The company searched its own systems for signs of compromise and found nothing.

What to Do Now

Since Gmail powers many workplace e-mail accounts, businesses should first protect any e-mail account that might contain company data. Even if only one employee uses a Gmail account for work, that employee should take measures to ensure the account is protected. To be safe, business leaders should send all employees instructions on safeguarding their Gmail accounts, even if they don’t use them for work.

Protecting your Gmail account is easy. First, change your password: click the down arrow next to the gear in the top-right corner, choose Settings, then Accounts and Import; Change Password is at the top. You’ll be prompted to enter your old password and your new one twice; aim for a “Strong” rating. Once you’ve changed your password you’ll be taken to another settings screen. If 2-Step Verification is disabled, click the link to set it up and follow the steps. You’ll then receive a code by phone call or text message whenever someone tries to sign in to your Gmail from an untrusted device.

User Security

To keep their own systems secure, businesses should require employees to use passwords that are difficult to guess. Administrators can enforce this on applications and file servers, requiring a combination of letters, numbers, and special characters in every password.
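Both this section and the “Poor Password Strength” tip earlier on this page describe a password policy in words; what an administrator actually deploys is a checker. The following is an added example, not the post’s own code or any vendor’s product: it applies a minimum length, a character-class rule, a ban on repeated or sequential runs, a deny list of common passwords (and trivial variants such as Password123!), and a floor on estimated entropy. The thresholds, the tiny deny list and the rule that long passphrases are exempt from the character-class requirement are assumptions for the demo; a real deployment would load a large breached-password list.

```python
import math
import re
import string

# Constructed, deliberately tiny deny list; load a real breached-password list in production.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "admin",
    "1234", "iloveyou", "monkey", "dragon", "football", "passw0rd",
}

# Assumed policy thresholds for the demo.
POLICY = {
    "min_length": 12,
    "min_classes": 3,          # of: lower, upper, digit, symbol
    "passphrase_length": 20,   # at or above this, the class rule is waived
    "max_run": 3,              # longest allowed repeated/sequential run
    "min_entropy_bits": 50,
}


def char_classes(pw):
    """Number of character classes present (lower, upper, digit, symbol)."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(c in string.punctuation for c in pw))


def longest_run(pw):
    """Longest run of characters that are identical or differ from their
    neighbour by one code point (aaaa, 1234, dcba)."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if (b == a or abs(ord(b) - ord(a)) == 1) else 1
        best = max(best, run)
    return best


def alphabet_size(pw):
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    if any(c not in string.ascii_letters + string.digits + string.punctuation for c in pw):
        size += 32  # rough allowance for other characters
    return size or 1


def entropy_bits(pw):
    """Upper-bound estimate: uniformly random choice over the observed alphabet."""
    return len(pw) * math.log2(alphabet_size(pw))


def check_password(pw, policy=POLICY):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if len(pw) < policy["passphrase_length"] and char_classes(pw) < policy["min_classes"]:
        problems.append(f"uses fewer than {policy['min_classes']} character classes")
    if longest_run(pw) > policy["max_run"]:
        problems.append("contains a repeated or sequential run (e.g. 1234, aaaa)")
    if low in COMMON_PASSWORDS or re.sub(r"[^a-z]", "", low) in COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    if entropy_bits(pw) < policy["min_entropy_bits"]:
        problems.append(f"estimated entropy below {policy['min_entropy_bits']} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["1234", "Password123!", "C^d!4dj~vyQa", "correcthorsebatterystaple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The post’s own example ‘C^d!4dj~vyQa’ passes every rule, ‘1234’ fails all of them, and ‘Password123!’ satisfies length and complexity yet is still rejected because stripping the digits and symbol leaves a dictionary word. The passphrase waiver is there because a pure class rule would reject a long random-word passphrase that is stronger than most 12-character “complex” passwords.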

Another trap business users fall into is trusting password keepers blindly. These tools solve the problem of the many passwords we all must keep up with, letting users remember one strong master password that unlocks their credentials for every site and application. While acknowledging their usefulness, businesses should examine the encryption used by the particular password keeper they adopt. If an administrator can recover everyone’s master password through a console, the security of that console must be scrutinized as well.

The Gmail leak is yet another reminder of how vulnerable electronic systems are. If your business uses industry-standard security software and encourages safe password policies, your users can stay safe during large-scale credential leaks.

3 Things Your Business Should Learn from the Home Depot Data Breach


Experts say it may be the biggest data breach in U.S. history involving consumer credit and debit cards, with customer data stolen from more than 2,000 stores across the U.S. Home Depot is investigating the possible breach, believed to have affected more than 40 million payment cards. Last year’s Target breach, which made national headlines and hurt the company’s stock, affected some 40 million payment cards and the personal information of up to 70 million customers.

The reports are worrying consumers, who aren’t sure whether their own cards are affected. But businesses of all sizes should be concerned as well, because the September 2nd warning of “unusual activity” that Home Depot received from its bank could come to any business. Before it happens to your organization, here are three things you can learn from the news about Home Depot’s data breach.

Data Security Should Be Tightened

While no amount of security is impenetrable, a business can protect itself by employing up-to-date security on every server that holds customer data. For retailers and e-commerce sites that use payment processing service providers, it’s important to contract with respected providers who employ current security to keep your customer data safe.

Data Breaches are Expensive

When the dust settles on the Home Depot scandal, the company will still face months of backlash from the negative publicity. Target is still feeling the after-effects of its December 2013 breach, having lost the trust of the public and its investors. For months after a security incident, some customers hesitate to use a credit card at an affected store, even after the business assures them things are secure again. The damage to a brand’s reputation can be financially devastating, potentially even forcing smaller businesses to close.

Chip Cards are Essential

Even as news of these breaches emerges, financial institutions are issuing EMV chip cards that help prevent fraud. Merchants must upgrade to new terminals to accept them, but once installed, the chip authenticates the card for each transaction with a one-time cryptogram, so data captured from a terminal or a breached database cannot be reused to clone the card. The chip does not protect online (card-not-present) purchases, so it reduces rather than eliminates the value of stolen card data.

If your small business handles customer payment information, take as many measures as possible to protect it from a breach. Breaches can be extremely costly, potentially dooming a business to failure, so the future of a company may rest on its data protection procedures.

Take This Checklist to Avoid Hollywood Hacking Scenario!

The leak of private photos of Hollywood’s top celebrities has set off the cloud security alarm again. While arguments about cloud vulnerabilities never cool down, this time the Hollywood sensation is more a lesson in how to use the cloud properly than a “to use, or not to use” debate, especially for business users.

Why? Simple: we are living in the cloud epoch and the world is not heading back. So what can we learn from this disaster?

First of all, use the cloud attentively and carefully. Keep in mind that you are on the cloud right now, almost every second: whatever you do, whatever devices you use and whatever the size of your business, you are almost certainly using the cloud, and you may already be part of it.

So, simple rule No. 1: do not use simple, easy-to-guess passcodes such as a birthday, street number or phone number, or even combinations of them. Sounds like common sense? Yet 70% of business cloud users are not following this simple password rule.

Second, always consider additional security methods to further safeguard your data. Secondary encryption and two-factor authentication are among the top options.

“Secondary encryption” lets the account’s owner take protection of the data into his or her own hands. Rather than relying on the built-in encryption or SSL transfers that cloud providers have within their infrastructure, you can use client-side encryption programs such as Boxcryptor or TrueCrypt (note that TrueCrypt’s developers discontinued it in 2014; VeraCrypt is its maintained successor). These programs encrypt your files on your own device before they are stored in the cloud, so they remain unreadable even if an attacker steals your password or breaches your cloud provider’s normal defenses, provided the encryption key itself never leaves your control.

“Two-factor authentication” may sound like jargon, but it’s something you already use. Remember those requests for a four- or six-digit verification code in addition to your username and password, usually sent to you by text message? Those randomly generated, time-sensitive codes are two-factor authentication. For business users it can be more varied and stronger, both virtual (authenticator apps) and physical (hardware tokens), adding another powerful line of defense for your data.
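The “randomly generated, time-sensitive codes” described here, and the 2-Step Verification the Gmail post earlier on this page tells readers to switch on, are in the authenticator-app case the TOTP algorithm (RFC 6238) built on HOTP (RFC 4226). The following is an added example, not code from the original post: a standard-library implementation of both, a verifier that tolerates one step of clock skew and compares in constant time, and the `otpauth://` enrollment URI that authenticator apps read from a QR code. The secret is the RFC reference secret so the output can be checked against the published test vectors; the issuer and account name are made up.

```python
import base64
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890" in ASCII) so the
# codes below can be checked against the RFC test vectors. Real secrets must be
# random (at least 128 bits) and stored as carefully as a password hash.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod="sha1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digestmod="sha1", t0=0):
    """TOTP (RFC 6238): HOTP with counter = number of `step`-second periods since t0."""
    if at is None:
        at = time.time()
    return hotp(secret, int((at - t0) // step), digits, digestmod)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the code for the current step and +/- `window` neighbouring steps
    (clock skew), using a constant-time comparison so timing does not leak
    how many leading digits matched. A production verifier must also refuse to
    accept the same code twice within its validity window (replay)."""
    if at is None:
        at = time.time()
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + k * step, step, digits), code):
            return True
    return False


def otpauth_uri(issuer, account, secret, digits=6, step=30):
    """Enrollment URI encoded into the QR code an authenticator app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print(otpauth_uri("Example Co", "alice@example.com", RFC_SECRET))
    print("code now:", totp(RFC_SECRET))
    print("RFC 6238 vector T=59 (8 digits):", totp(RFC_SECRET, at=59, digits=8))  # 94287082
```

The code is “something you have” only because the shared secret never leaves the enrolled device and the server; the SMS variant the text describes works the same way on the server side but delivers the code over a channel an attacker can redirect (SIM swap, SS7), which is why authenticator apps and hardware tokens are the stronger options for business users.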

Short as this checklist is, it may save you from big trouble and loss. If you want to learn more, check our IT Security blogs for more professional data-protection tips.
