Dave Kinsey 2014-05-06 23:26:33
As computer technology around us continues to advance, so too do the opportunities for cybercriminals to infect and hack into your systems. The number of stories in the news about cybercrimes is frightening, and law firms could be an easy target.

THE FBI WARNS LAW FIRMS OF THEIR EXPOSURE

The FBI began warning firms that they were being targeted by hackers as early as 2009. Last year, Mary Galligan, then special agent in charge of the FBI’s New York field office, repeated the warning, “As financial institutions…become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” FBI warnings highlight how criminals see law firms as back doors to data of their corporate clients. Hackers can potentially gain access to your firm’s data in several ways, including weak passwords, phishing emails and cloud-based storage systems.

HIPAA – NARROW SCOPE, BROADER IMPACT

The scope of the Health Insurance Portability and Accountability Act (HIPAA) is limited to regulations regarding Protected Health Information (PHI), but it has also helped to provide additional clarity regarding security and breach notification standards. January 2013’s “Omnibus Final Rule” called for direct liability for business associates and their subcontractors and required compliance with a number of rules by Sept. 23, 2013. The results were very telling. When companies like Google and Dropbox refused to sign Business Associate Agreements (BAA), their servers instantly became non-compliant locations to store PHI. These developments logically raise the question: Is it OK to store ANY confidential information with a company that will not sign a BAA? Additionally, while the security rule does not explicitly require encryption, the generally accepted standard is that losing any electronic device containing PHI, unless it is protected by both a password and encryption, is a reportable breach.
SIX WAYS YOU CAN REDUCE YOUR RISK

Have you taken appropriate steps to meet your fiduciary duty for protecting confidential client information? Avoid having to inform your clients that their personal information may have been compromised. Get serious about security now rather than waiting for an incident. Consider implementing the following guidelines to reduce your risk:

1. Implement a policy at your firm regarding passwords. Passwords should be stored using safe, up-to-date systems that store the passwords in an encrypted format. Consider policies at your firm to enforce long and complex passwords that are difficult to guess and to forbid password sharing. Ensure that your accounts are locked out after a reasonable number of bad login attempts. Avoid setting password reminders that are easy to decipher (as these password reminders are accessible to hackers). And of course never write down your password on a sticky note and tape it to your laptop!

2. Take appropriate precautions with tablets, phones and laptops. Tablets and phones used by your staff for business purposes can also be vehicles for cybercrime, as they are easily lost or stolen. Protect these systems with passwords and encryption. iPhones and iPads are already encrypted out of the box, and it’s a fairly simple step to implement and enforce encryption of Android phones and tablets. Additionally, remote wiping capability exists for systems that have been stolen. This works best and most reliably with the latest devices and software connecting to the most current version of Microsoft Exchange, although some of this functionality is available in earlier versions. I also strongly recommend that you configure phones and tablets to automatically reset to factory specifications after a maximum of 10 incorrect PIN entry attempts. Laptop encryption is more easily accomplished than ever with the latest PCs that use Microsoft BitLocker and Trusted Platform Module (TPM) chips.
Educate your people to notify the appropriate person regarding any potential data breach or system loss in a timely manner.

3. Be very careful about what you are storing in the cloud. Hackers, malware and spyware remain serious issues for cloud environments, so you should review the security and encryption policies of your cloud provider. Be especially careful with password selection and storage for cloud accounts. Ensure that the transfer and storage of files are fully encrypted. Google and Dropbox are non-compliant locations for storing PHI! Even if you are not storing PHI, many jurisdictions have laws protecting other private information such as Social Security or credit card numbers. Carefully consider where your data is stored.

4. Stay current. Ensure that your network and computers are regularly patched. Security holes are regularly uncovered and software updates are released to plug those holes. Support for Windows XP ended April 8, and no security patches are being developed and deployed for these systems. Retire any XP systems to reduce security risks to your entire network. Deploying good, regularly updated antivirus/anti-malware software is also a logical step and should be part of your security strategy.

5. Employ a network-based security layer. Web content filtering technology substantially enhances protection by eliminating connections between your network and the most likely malware sources. Known distribution sites for malware can be blocked by sophisticated network devices, effectively preventing malware from reaching your systems. Be sure your subscription is routinely updated. I’ve seen far too many expensive network security devices that are either misconfigured or have expired subscriptions, making them virtually worthless.

6. Be aware of malware and ransomware precautions. Most viruses and spyware are inadvertently installed by system users. Educate your employees on proper precautions:

• Don’t click on links from emails you don’t recognize.
• Never provide personal information or pay money in response to phishing emails or ransomware.

• Be aware that even if it appears that your computer is operating normally, malware may still operate in the background. Certain types of malware have been known to capture personal information such as usernames, passwords, and credit card numbers through embedded keystroke logging programs.

REVIEW YOUR FIRM’S SECURITY SYSTEMS ROUTINELY

Security should be a significant consideration in your technology planning and review. Technology changes rapidly, so what worked a couple of years ago may no longer be the best approach today. To ensure your system is protected against cybercrime, feel free to contact me for more information.
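As an added example (not part of the article), the phone and tablet controls from item 2 (required PIN, device encryption, and a factory reset after 10 failed PIN entries) can be enforced centrally with an Exchange ActiveSync mobile device mailbox policy rather than device by device. It assumes the Exchange 2013 cmdlet names (Exchange 2010 uses Set-ActiveSyncMailboxPolicy with "Device" in the parameter names) and a made-up policy name, Firm-Mobile-Baseline.

```powershell
# Added example: enforce the article's item 2 device controls through Exchange.
# Run from the Exchange Management Shell. Policy name is an assumption.
$policyName = 'Firm-Mobile-Baseline'

# Create the policy once; later runs only update its settings.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy -Name $policyName | Out-Null
}

$settings = @{
    Identity                  = $policyName
    PasswordEnabled           = $true       # a PIN/passcode is mandatory
    AllowSimplePassword       = $false      # reject 1234, 1111 and similar
    MinPasswordLength         = 6
    MaxInactivityTimeLock     = '00:05:00'  # lock the screen after 5 idle minutes
    MaxPasswordFailedAttempts = 10          # wipe the device after 10 wrong PINs
    RequireDeviceEncryption   = $true       # unencrypted devices may not sync
    IsDefault                 = $true       # applies to mailboxes with no explicit policy
}
Set-MobileDeviceMailboxPolicy @settings

# Defender's check: which synced devices have not yet accepted the policy?
# A device that never reports "AppliedInFull" is still syncing firm mail
# without the PIN/encryption/wipe controls, and should be followed up.
$report = Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Select-Object DeviceFriendlyName, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

$report | Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Format-Table -AutoSize

# For a device reported lost or stolen (article's remote-wipe step), the wipe
# is issued per device, e.g.:
#   Clear-MobileDevice -Identity <device identity from Get-MobileDevice>
```

The status report is the part worth running regularly: the policy only protects devices that have actually applied it, so a device stuck on "NotApplied" or "PartiallyApplied" is the one to chase.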
Published by Target Market Media.