You’ve likely seen it in the news: cybercrime is on the rise. But it’s not just hype. Numerous studies show that more companies are being attacked. The attention is attracting new actors, emboldening experienced ones, and driving up the cost of preventing, insuring against, and recovering from cyber incidents. Cyber criminals are profiting from disrupting organizations, stealing critical data, and sometimes holding it hostage.
Large enterprises aren’t the only targets. In fact, according to a study performed by IBM, sixty-two (62) percent of all cyberattacks are directed at small or mid-sized businesses.
You can, however, dramatically reduce the chances that your firm falls victim. Do you know the old saying about two people who encounter a bear in the woods? As one is lacing up his sneakers, the other exclaims “What are you doing? You can’t outrun a bear!” To which the first person replies “I don’t have to outrun the bear, I just need to outrun you!” Similarly, your firm doesn’t have to be capable of withstanding every possible type of attack. Sufficient defenses, in the form of good practices that are consistently followed, can encourage attackers to move on to easier targets.
Additionally, the Center for Internet Security (CIS) publishes a detailed set of best practices – 18 controls, in fact – that are publicly available for organizations to learn and adopt. Details are provided at the end of this document.
Armed with advice from your insurance broker and the CIS control measures, your team will be in a better position to assess your firm’s risks or navigate a conversation with a cybersecurity services provider.
Insurance companies (of course) have to stay abreast of what it takes to prevent an attack and recover if one occurs, so even just discussing cyber insurance requirements with your broker can be enlightening. Why do your own research when you can “borrow” theirs?
Understanding what it takes to qualify for cyber insurance (and get reimbursed in the event of a loss) will provide your firm with a useful “checklist” of important cybersecurity protections.
To get your process started, have your team consider these questions:
While cybersecurity is a complex topic, approaching the implementation of stronger defenses in phases will render it less daunting.
We recommend that you assign one person in your organization to be the cybersecurity leader to organize this project and report on security activities regularly. Pursue the project in three phases:
Perhaps much like a legal case, it’s best to start with understanding “the facts” – an inventory of the devices and software that are connected to your network. By collecting this information first, your team can develop a clearer understanding of what needs to be protected. This exercise is also likely to expose a few easy-to-resolve gaps in security right away.
In particular, encourage your team to thoroughly understand what information is at risk. Here are some examples of data to identify and inventory:
CIS offers detailed Critical Security Controls (1 & 2) for creating a thorough inventory of hardware and software assets.
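The value of an inventory comes from comparing it against what is actually on the network. The script below is an added illustration, not code from the original article or from CIS or Endsight: it reconciles a constructed "approved assets" register (one row per device, with the software permitted on it) against a constructed export of observed devices, such as a DHCP lease list or scan result, and reports unauthorized devices, unapproved software, and approved devices that were not seen. All device names, MAC addresses and software names are made-up sample data.

```python
"""Reconcile observed network assets against an approved register (the aim of CIS Controls 1 & 2).

Added example with constructed sample data; the CSV layouts are assumptions, not a real tool's format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: an approved-asset register kept by the firm (hypothetical devices and software).
APPROVED_DEVICES_CSV = """mac,hostname,owner,approved_software
00:11:22:33:44:01,LAW-WS-01,alice,"Microsoft 365;Clio;Adobe Acrobat"
00:11:22:33:44:02,LAW-WS-02,bob,"Microsoft 365;Clio"
00:11:22:33:44:03,LAW-FS-01,it,"Windows Server;Veeam Agent"
"""

# Constructed sample: what a DHCP lease export or endpoint scan might report today.
OBSERVED_CSV = """mac,ip,hostname,software
00:11:22:33:44:01,10.0.1.21,LAW-WS-01,"Microsoft 365;Clio;Adobe Acrobat;TeamViewer"
00:11:22:33:44:02,10.0.1.22,LAW-WS-02,"Microsoft 365;Clio"
00:11:22:33:44:99,10.0.1.77,unknown-device,""
"""


@dataclass
class Finding:
    mac: str
    hostname: str
    issue: str


def load_csv(text: str) -> list[dict]:
    """Parse a CSV document (as a string) into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def split_software(field: str) -> set[str]:
    """Turn a semicolon-separated software field into a set of names."""
    return {name.strip() for name in field.split(";") if name.strip()}


def reconcile(approved_rows: list[dict], observed_rows: list[dict]) -> list[Finding]:
    """Compare observed devices/software with the approved register.

    Produces one finding per discrepancy:
      - a device on the network whose MAC is not in the register,
      - software installed on an approved device that the register does not allow,
      - an approved device that was not observed (offline, retired, or a stale register).
    """
    approved = {row["mac"].lower(): row for row in approved_rows}
    seen: set[str] = set()
    findings: list[Finding] = []

    for row in observed_rows:
        mac = row["mac"].lower()
        seen.add(mac)
        if mac not in approved:
            findings.append(Finding(mac, row["hostname"], "unauthorized device on network"))
            continue
        allowed = split_software(approved[mac]["approved_software"])
        for name in sorted(split_software(row["software"]) - allowed):
            findings.append(Finding(mac, row["hostname"], f"unapproved software: {name}"))

    for mac, row in approved.items():
        if mac not in seen:
            findings.append(Finding(mac, row["hostname"],
                                    "approved device not seen (stale inventory or offline)"))
    return findings


def run_report() -> list[Finding]:
    """Reconcile the two constructed samples above."""
    return reconcile(load_csv(APPROVED_DEVICES_CSV), load_csv(OBSERVED_CSV))


if __name__ == "__main__":
    for finding in run_report():
        print(f"{finding.hostname:16} {finding.mac:18} {finding.issue}")
```

On the sample data this flags TeamViewer on LAW-WS-01 (remote-access tools are a common entry point and should be deliberately approved), an unknown device at 10.0.1.77, and the file server LAW-FS-01, which was not seen and therefore deserves a follow-up. Matching on MAC address is an assumption of this example; a firm with 802.1X or an endpoint agent would key on a stronger device identity.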
As a law firm, you likely identify with the adage that people are your organization’s greatest asset. They are, unfortunately, also the most likely targets for cyber criminals. The majority of successful cyberattacks start by duping a person into clicking a link or otherwise taking an action that exposes your systems to malware.
You can help your people become good stewards of your firm’s information and systems by:
In order to complement cybersecurity training provided to your employees, your systems need to be configured with a baseline of protection to prevent easy entry by cyber criminals. Regular system maintenance should include:
CIS Critical Security Controls 3-10, 12-16, and 18 provide recommendations for protecting your assets and training your employees in cybersecurity best practices.
As the saying goes, hope for the best, but prepare for the worst. All of your team’s hard work to prepare your defenses may ultimately fall short. Therefore, you’ll also want to plan your response to a cybersecurity incident.
Common examples of what can happen include: a denial-of-service attack that shuts down your website, a malware attack that results in a loss of important data, a ransomware attack that holds data hostage, and the theft of a system (like a laptop) containing unencrypted data.
Similar to the second phase of your implementation plan, this third phase requires both technology and people solutions. Given your law firm’s dependence on information (vs. capital equipment or other assets), and the fact that you operate in earthquake-prone and fire-prone California, you may have a head start on this phase. Sound disaster preparedness practices will help your firm recover from a cybersecurity incident quickly.
What your team can do:
CIS Critical Security Controls 11 and 17 provide guidance for responding to a cybersecurity incident and quickly and securely recovering your data from backup sources.
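A backup only counts if it can be restored. The script below is an added example, not code from the original article or from any backup product: it records a manifest (path and SHA-256 hash of every file, plus the time the backup was taken) and later checks a backup copy against it, reporting missing or altered files and a backup older than the firm's recovery point objective. The sample files, directory names and the one-day objective are constructed for the demonstration.

```python
"""Verify that a backup set is complete, unaltered and recent enough to meet a recovery point objective.

Added example with constructed sample files; the manifest format is an assumption of this example.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source_dir: Path, manifest_path: Path, taken_at: datetime) -> dict:
    """Record every file under source_dir (relative path -> hash) and when the backup was taken."""
    files = {str(p.relative_to(source_dir)): sha256_of(p)
             for p in sorted(source_dir.rglob("*")) if p.is_file()}
    manifest = {"taken_at": taken_at.isoformat(), "files": files}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path, max_age: timedelta, now: datetime) -> list[str]:
    """Return a list of problems; an empty list means the backup is restorable as recorded."""
    manifest = json.loads(manifest_path.read_text())
    problems: list[str] = []
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    if now - taken_at > max_age:
        problems.append(f"backup older than recovery point objective: taken {taken_at.isoformat()}")
    for rel_path, expected in manifest["files"].items():
        copy = backup_dir / rel_path
        if not copy.is_file():
            problems.append(f"missing: {rel_path}")
        elif sha256_of(copy) != expected:
            problems.append(f"altered or corrupted: {rel_path}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Back up two constructed documents, then check a fresh copy, a stale copy, and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "matters"
        source.mkdir()
        (source / "client_a.docx").write_bytes(b"constructed sample document A")
        (source / "client_b.docx").write_bytes(b"constructed sample document B")

        taken_at = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)  # constructed backup time
        manifest = Path(tmp) / "manifest.json"
        write_manifest(source, manifest, taken_at)
        backup = Path(tmp) / "backup"
        shutil.copytree(source, backup)

        fresh = verify_backup(backup, manifest, timedelta(days=1), taken_at + timedelta(hours=6))
        stale = verify_backup(backup, manifest, timedelta(days=1), taken_at + timedelta(days=3))

        # Simulate ransomware: one file overwritten with ciphertext, another deleted.
        (backup / "client_a.docx").write_bytes(b"ENCRYPTED")
        (backup / "client_b.docx").unlink()
        damaged = verify_backup(backup, manifest, timedelta(days=1), taken_at + timedelta(hours=6))
        return fresh, stale, damaged


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "damaged"), demo()):
        print(label, "->", result or "OK")
```

The manifest must be stored somewhere the attacker cannot reach along with the backup (an offline or immutable copy), or an intruder who encrypts the files can simply rewrite the hashes too; that is the same reason CIS Control 11 asks for isolated backups.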
Preparing your firm’s systems and people to prevent and recover from a cybersecurity incident may be an added expense. The benefits, however, are significant. Using the right tools and establishing sound practices may prevent a costly attack, mitigate legal consequences, help your firm qualify for cyber insurance, and allow your operation to recover quickly.
Pursue the three phases of cybersecurity implementation we’ve outlined here for small and mid-sized organizations. Additional resources are included below.
Center for Internet Security [↗]
CIS® is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. Their CIS Controls and CIS Benchmarks are global standards and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer global community of experienced IT professionals.
Endsight is a California-based outsourced technology support provider. Companies that hire us expect their technology to perform. And they count on us to make it so. While we ensure their systems operate effectively and their investments in IT align with their business goals, our clients get to concentrate on employing that technology to thrive. Our team of experts, ranging from the CIO level to readily-available help desk specialists, collaborate to provide comprehensive IT support to small and mid-sized businesses - nonprofits included. In the realm of cybersecurity, we help organizations assess vulnerabilities, tailor and implement protection measures, train staff, and maintain effective practices.
1144 Jordan Lane
Napa, CA 94559
(510) 280-2000
6359 Nancy Ridge Dr
San Diego, CA 92121
(858) 587-8000
(833) ENDSIGHT
(833) 363-7444