Checklist for Becoming Cyber Secure

Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

NOTE: This material is intended as only an example which you may use in developing your own form.  It is not considered legal advice and as always, you will need to do your own research to make your own conclusions with regard to the laws of your jurisdiction.  In no event will ALPS be liable for any direct, indirect, or consequential damages resulting from the use of this material.

Checklist for Becoming Cyber Secure

This checklist is intended to help those who have a desire to become more cyber secure know where to start. It may also be helpful in identifying areas of concern that can and should be discussed with IT support personnel. Most importantly, be aware that cybercrime attack vectors will continue to change and evolve, as will the sophistication of the attacks. Becoming cyber secure is an ongoing process, not a once-and-done effort. That said, here are the basics. Note that when the word “devices” is used, it is meant to include computers, servers, all mobile devices, and any home computers that are being used for work.

____ Cyber criminals often target older devices and software, so keep hardware and software as current as possible because newer devices and applications typically include improved security features. Also note that software which is no longer supported, meaning security updates are no longer issued, cannot ethically be used.

____ Keep your server in a locked room because physical security matters!

____ Install robust Internet security software suites on all devices.

____ Utilize effective intrusion detection systems.

____ Use a spam filter.

____ Disable popups through browser configurations and/or install an ad blocker on all devices.

____ Keep all software on all devices up to date by promptly installing all critical security patches as they are released.

____ Determine where all office data is stored by creating a network diagram and make sure this diagram remains current because it will be useful to digital forensic experts in the event of a security breach.  In addition, this diagram can and should be used to create a security policy that responsibly addresses every situation where any data resides.

____ Identify all laws and regulations which may apply to your data in order to make sure you are in compliance with these laws and regulations. For example, does your firm hold data which is governed by HIPAA, HITECH or Sarbanes Oxley? Do you hold personally identifiable information?

____ Password protect all devices.

____ Use two-factor authentication when and wherever possible. This is particularly important with all banking and financial sites.

____ Develop a password policy that mandates the use of strong passwords (or passphrases) if the device or application will accept them.  Strong passwords are defined as being 16 characters or more in length using a combination of uppercase and lowercase letters, numbers, and special characters.  Note: Every application and device in use should have its own unique password and no password should ever be reused once changed.  The use of a password manager can make this task easier and more secure than, for example, storing passwords in a file labeled “passwords” or writing them down and placing that list in a desk drawer.
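The password rules above (16 characters or more, all four character classes, never reuse a password) can be enforced mechanically, which is what a password manager or directory policy does behind the scenes. The following Go program is an added example written for this page; it is not part of the checklist or ALPS material. It checks a candidate password against those rules and detects reuse by comparing against salted digests of the account's previous passwords rather than the passwords themselves. The sample passwords and the SHA-256 history scheme are constructed for illustration; a production system would use a slow password hash such as Argon2 or bcrypt for the history entries.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"unicode"
)

// MinLength is the checklist's minimum: 16 characters or more.
const MinLength = 16

// PasswordHistory keeps salted SHA-256 digests of passwords previously used on
// one account, so reuse can be detected without storing the passwords.
// (Constructed for this example; use Argon2/bcrypt in a real deployment.)
type PasswordHistory struct {
	entries []historyEntry
}

type historyEntry struct {
	salt   []byte
	digest []byte
}

// Record adds the password's salted digest to the history.
func (h *PasswordHistory) Record(password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	h.entries = append(h.entries, historyEntry{salt: salt, digest: digestWithSalt(password, salt)})
	return nil
}

// Contains reports whether the password matches any stored entry.
func (h *PasswordHistory) Contains(password string) bool {
	for _, e := range h.entries {
		if subtle.ConstantTimeCompare(digestWithSalt(password, e.salt), e.digest) == 1 {
			return true
		}
	}
	return false
}

func digestWithSalt(password string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), []byte(password)...))
	return sum[:]
}

// CheckPassword returns every policy rule the candidate fails; an empty
// result means the password is acceptable. history may be nil.
func CheckPassword(candidate string, history *PasswordHistory) []string {
	var problems []string
	if len([]rune(candidate)) < MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if !upper {
		problems = append(problems, "no uppercase letter")
	}
	if !lower {
		problems = append(problems, "no lowercase letter")
	}
	if !digit {
		problems = append(problems, "no digit")
	}
	if !special {
		problems = append(problems, "no special character")
	}
	if history != nil && history.Contains(candidate) {
		problems = append(problems, "previously used on this account")
	}
	return problems
}

func main() {
	hist := &PasswordHistory{}
	_ = hist.Record("Correct-Horse-Battery-9") // constructed earlier password
	for _, cand := range []string{"Summer2024!", "Correct-Horse-Battery-9", "Trust-Acct-Ledger#2024x"} {
		fmt.Printf("%-26q -> %v\n", cand, CheckPassword(cand, hist))
	}
}
```

Running it rejects the first candidate for length, the second for reuse, and accepts the third. The reuse check is a per-account history, which matches the checklist's "no password should ever be reused once changed"; it does not stop the same password being used on two different services, which is why the checklist separately asks for a unique password per application and device.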

____ Prohibit the sharing of user IDs and passwords with anyone, to include others within the firm.

____ Have your IT support person change the default values, for example default passwords, on all wireless routers, server operating systems, etc. because these values are freely available on the Internet.

____ Wireless networks should be set up with proper security to include enabling strong encryption. This means you must disable WEP and WPA encryption and require WPA2 encryption. If the router supports WPA3 encryption, use it. Do not overlook home networks if home computers are being used for work.

____ In order to prevent access to your firm’s confidential data, set up a properly configured wireless guest network.  No guest should ever have direct wireless access to your firm’s network.

____ Backup all data, periodically do a test restore of the backup, and store the backup in accordance with a disaster recovery plan because floods, fires and ransomware attacks happen. Backups must be encrypted if taken off site or stored in the cloud, and if using a cloud vendor, the vendor should not have access to the decryption key.

____ Any mobile device that goes off site and contains any client confidences must be password protected, should have the ability to be remotely wiped if lost or stolen, and should be encrypted. This includes jump drives, external hard drives, laptops, smart phones, and tablets.

____ Limit privileges and access as appropriate. For example, does everyone in the office need access to the firm’s financial or employment records? Can everyone download and install anything they want on any device they have access to? Can everyone make changes to the system configuration? Don’t make it easy for cybercriminals. Place limits on what people can do. Such limits can either be set up electronically via file permissions or physically via a locked door or cabinet.

____ Encrypt any email if it contains confidential information or use a secure client portal.  Check with your IT support for help with proper installation and configuration of your selected solution.

____ Encrypt all data you place in the cloud. Some cloud companies advertise that they encrypt your data but only do so while the data is in transit. You must make certain your data is encrypted “at rest” as well. Better yet, don’t rely on the cloud provider for this at all. Encrypt your data before placing it in the cloud to enable you to have control over the encryption key.

____ Read the terms of service of any third-party vendor that will hold your confidential data.  Remember, the standard of reasonableness applies. At a minimum, you need to know and understand what happens to your data while in the hands of an outside vendor in order to allow you to responsibly address any concerns.

____ Mandate that all work-related Internet sessions be encrypted and prohibit the use of unsecured open public Wi-Fi networks. This does mean that access to the office network must always occur using a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.

____ Prohibit the use of any public computer for any reason. This would include the use of computer stations made available in the business center of a resort or hotel just as one example.

____ Have a policy that prohibits the jailbreaking of any mobile device that will be used for work. Jailbreaking is defined as modifying the operating system from its original state.

____ Never allow a non-employee to have access to your network absent appropriate oversight. In a similar vein, immediately cut off all avenues of access to the network for anyone who has been terminated. Terminated individuals should never have access to any office computer or network plug, even if it’s to simply download personal files, absent a trusted escort.

____ Provide mandatory data security and social engineering awareness training to everyone at the office at least every six months.

____ Develop a cyberbreach incident response plan and provide the necessary training. At its most basic, if anyone suspects a device has been breached, teach them how to immediately disconnect from the Internet and/or the office network and instruct them to contact IT support immediately. They should never try to resolve the problem themselves!

____ Purchase a cyber liability insurance policy.

____ Check your internal and Internet-facing network security at least annually to make sure your network is secure. This can be done by having a vulnerability assessment or penetration test done.

____ Properly dispose of any device or digital media that has or had any business-related data on it. Don’t overlook digital copiers, digital cameras, memory cards, CDs, DVDs, jump drives, backup tapes, etc. All devices and media must be digitally wiped clean and/or physically destroyed. This does mean that devices cannot be given away for personal use, donated, recycled, or sold unless the entire drive has been overwritten.  Note: a restore to factory default settings is not an acceptable alternative to wiping a drive.

Deal with Me: Transaction Insurance Leaders Chat featuring Will Hemsley

Join Matt Simpson and Dan Auslander for their second episode of “Deal with Me,” a series of podcasts designed to provide insights—both personally and professionally—into the people that lead the Transaction Insurance industry, and increase the understanding of the Transaction Insurance marketplace, products, and trends. Their guest for this episode is Will Hemsley.


In his current role at Ambridge Partners, Daniel Auslander is responsible for maintaining and developing their brokerage relationships.  Ambridge, a managing general underwriter, is a market leader in the Transactional Insurance product lines with a keen interest in expanding its product portfolio – including Directors & Officers Liability and Intellectual Property Insurance.

Mintz Member Matthew T. Simpson focuses his practice on helping his clients navigate increasingly complex corporate transactions including leveraged buyouts, recapitalizations and minority investments in the United States and abroad. He is a leader of the firm’s transactional insurance practice, offering his clients increasingly creative and effective ways to distinguish themselves in competitive processes while mitigating downside risk, and acts as underwriting counsel to a leading transactional insurance underwriter.

Will Hemsley
Partner

Will is a co-founder and partner of HWF and has extensive experience in advising on and structuring insurance solutions for M&A transactions. Will is the go-to person for many leading M&A lawyers due to his strong track record of structuring and executing transactional risk policies on many of the most complex transactions insured. HWF is a specialist M&A insurance broker which structures bespoke insurance solutions for transactional risks, specialising in Warranty & Indemnity, Tax, Contingent Risk, and Environmental Indemnity products.

With offices in London and Germany, the team has advised on over 2,000 transactions spanning 51 countries, with deal values ranging from £5m to in excess of £8bn. The business has grown substantially since its launch in 2014 and last year recorded £10m of revenue.

Vishing – An Old Scam with a New Twist

Mark Bassingthwaighte, Esq.

Criminals have been using phones to try to scam people out of money or into disclosing personal information for years and they have tended to find success with victims who were not very tech-savvy.  Unfortunately, change is afoot.  Today, the practice of making phone calls or leaving voice messages purporting to be from a legitimate company in an attempt to persuade a callee into doing something that is not in their best interest is known as vishing, which is a term that combines the words “voice” and “phishing.”

Vishing attacks take phone scams to a whole new level of sophistication by making it more difficult for even tech-savvy folks to recognize the scam.  In part, this is because criminals now have the ability to make it appear as if they are calling from any phone number they wish in order to try to convince a callee they are calling from an organization the callee would normally interact with.  Making matters worse, due to the amount of information available on social media websites coupled with the vast amount of personally identifiable information that has been stolen via cyberbreaches like the one that occurred with Equifax, criminals have all the information and tools they need to try and perpetrate a very convincing scam.

Perhaps an example is in order. Suppose you receive a call from someone claiming to be from your bank.  The caller is quite pleasant and professional.  She’ll tell you there has been some suspicious activity in your account and she will also accurately provide a little personally identifiable information.  Here’s a typical script.  “I’m calling from [your bank]. Someone’s been using your debit card ending in 8774. I’ll need to verify your Social Security number, which ends in 3006.  Is this correct?  Now, if you will provide me with your full debit card information, we can stop this unauthorized activity.”  If you were to receive such a call, how do you think you might respond? Let’s change the facts just a bit.  The call was received by an employee at your firm and the account of concern was the firm’s trust account.  How do you think your employee might respond?

Here’s what’s actually going on.  The number displayed on caller ID will be the correct phone number of your bank; but that information is misleading.  The criminal will use a program that allows her to display the bank’s number on your caller ID even though the call will be placed from a different number.  In addition, and prior to calling you, she will also determine where you bank and obtain whatever personally identifiable information she can find on the Internet.  Finally, by acting quite concerned and professional she will hope to convince you she is the real deal.  If she is successful with that, the odds of you assisting her in accessing your account in order to remove the suspicious charges and authorize the sending of a replacement card are pretty good.  Should you in fact do so, you will have just turned over complete access and control of your hard-earned money to someone else.  And again, if the attack successfully targeted a firm employee and the firm’s trust account, things are going to be a whole lot worse.

There are a number of steps one can take to avoid falling prey to these types of scams; but the most important one is this.  Just because someone has personal information about you doesn’t mean you can trust them, so never volunteer information or assist someone in accessing any account, financial or otherwise, if you didn’t initiate the call.  The best course of action would be to say thank you, tell them you will call back, hang up, and call the bank yourself in order to determine if something is amiss.  Now that you know, make sure everyone else at your firm knows as well.