Checklist for Becoming Cyber Secure

Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association, where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

NOTE: This material is intended only as an example which you may use in developing your own form. It is not considered legal advice and, as always, you will need to do your own research to reach your own conclusions with regard to the laws of your jurisdiction. In no event will ALPS be liable for any direct, indirect, or consequential damages resulting from the use of this material.

This checklist is intended to help those who want to become more cyber secure know where to start. It may also be helpful in identifying areas of concern that can and should be discussed with IT support personnel. Most importantly, be aware that cybercrime attack vectors will continue to change and evolve, as will the sophistication of the attacks. Becoming cyber secure is an ongoing process, not a once-and-done effort. That said, here are the basics. Note that when the word “devices” is used, it is meant to include computers, servers, all mobile devices, and any home computers that are being used for work.

____ Cyber criminals often target older devices and software, so keep hardware and software as current as possible because newer devices and applications typically include improved security features. Also note that software which is no longer supported, meaning security updates are no longer issued, cannot ethically be used.

____ Keep your server in a locked room because physical security matters!

____ Install robust Internet security software suites on all devices.

____ Utilize effective intrusion detection systems.

____ Use a spam filter.

____ Disable popups through browser configurations and/or install an ad blocker on all devices.

____ Keep all software on all devices up to date by promptly installing all critical security patches as they are released.

____ Determine where all office data is stored by creating a network diagram, and make sure this diagram remains current because it will be useful to digital forensic experts in the event of a security breach. In addition, this diagram can and should be used to create a security policy that responsibly addresses every location where any data resides.

____ Identify all laws and regulations which may apply to your data in order to make sure you are in compliance with these laws and regulations. For example, does your firm hold data which is governed by HIPAA, HITECH or Sarbanes Oxley? Do you hold personally identifiable information?

____ Password protect all devices.

____ Use two-factor authentication when and wherever possible. This is particularly important with all banking and financial sites.

____ Develop a password policy that mandates the use of strong passwords (or passphrases) wherever the device or application will accept them. Strong passwords are defined as being 16 characters or more in length and using a combination of uppercase and lowercase letters, numbers, and special characters. Note: Every application and device in use should have its own unique password, and no password should ever be reused once changed. A password manager makes this task easier and more secure than, for example, storing passwords in a file labeled “passwords” or writing them down and placing that list in a desk drawer.
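As an added illustration (not part of the checklist itself), the rule above is the kind of thing a firm's intake form or IT staff can enforce mechanically: the validator below applies the 16-character, four-character-class definition and refuses any password that was ever set before, keeping only salted PBKDF2 hashes of past passwords (a standard-library choice assumed here) rather than the passwords themselves.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 16  # the checklist's threshold for a "strong" password


def strength_problems(password: str) -> list:
    """Return the checklist rules the password fails (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history file is useless to anyone who copies it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remembers every password ever set for an account, as salted hashes only,
    so the "never reuse a changed password" rule can be enforced."""

    def __init__(self):
        self._entries = []  # list of (salt, hash) pairs

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))


def validate_new_password(password: str, history: PasswordHistory) -> list:
    """Combine the strength rules with the no-reuse rule for one account."""
    problems = strength_problems(password)
    if history.was_used(password):
        problems.append("password has been used before")
    return problems
```

The sample passwords in the test are constructed for illustration; a real deployment would call `record()` each time a password is changed.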

____ Prohibit the sharing of user IDs and passwords with anyone, to include others within the firm.

____ Have your IT support person change the default values, for example default passwords, on all wireless routers, server operating systems, etc. because these values are freely available on the Internet.

____ Wireless networks should be set up with proper security, including strong encryption. This means you must disable WEP and the original WPA and require WPA2 encryption. If the router supports WPA3 encryption, use it. Do not overlook home networks if home computers are being used for work.

____ In order to prevent access to your firm’s confidential data, set up a properly configured wireless guest network. No guest should ever have direct wireless access to your firm’s network.

____ Backup all data, periodically do a test restore of the backup, and store the backup in accordance with a disaster recovery plan because floods, fires and ransomware attacks happen. Backups must be encrypted if taken off site or stored in the cloud, and if using a cloud vendor, the vendor should not have access to the decryption key.

____ Any mobile device that goes off site and contains any client confidences must be password protected, should have the ability to be remotely wiped if lost or stolen, and should be encrypted. This includes jump drives, external hard drives, laptops, smart phones, and tablets.

____ Limit privileges and access as appropriate. For example, does everyone in the office need access to the firm’s financial or employment records? Can everyone download and install anything they want on any device they have access to? Can everyone make changes to the system configuration? Don’t make it easy for cybercriminals. Place limits on what people can do. Such limits can either be set up electronically via file permissions or physically via a locked door or cabinet.

____ Encrypt any email that contains confidential information, or use a secure client portal. Check with your IT support for help with proper installation and configuration of your selected solution.

____ Encrypt all data you place in the cloud. Some cloud companies advertise that they encrypt your data but only do so while the data is in transit. You must make certain your data is encrypted “at rest” as well. Better yet, don’t rely on the cloud provider for this at all: encrypt your data before placing it in the cloud so that you retain control over the encryption key.

____ Read the terms of service of any third-party vendor that will hold your confidential data. Remember, the standard of reasonableness applies. At a minimum, you need to know and understand what happens to your data while in the hands of an outside vendor in order to responsibly address any concerns.

____ Mandate that all work-related Internet sessions be encrypted and prohibit the use of unsecured open public Wi-Fi networks. This does mean that access to the office network must always occur using a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.

____ Prohibit the use of any public computer for any reason. This would include the use of computer stations made available in the business center of a resort or hotel just as one example.

____ Have a policy that prohibits the jailbreaking of any mobile device that will be used for work. Jailbreaking is defined as modifying the operating system from its original state.

____ Never allow a non-employee to have access to your network absent appropriate oversight. In a similar vein, immediately cut off all avenues of access to the network for anyone who has been terminated. Terminated individuals should never have access to any office computer or network plug, even if it’s to simply download personal files, absent a trusted escort.

____ Provide mandatory data security and social engineering awareness training to everyone at the office at least every six months.

____ Develop a cyberbreach incident response plan and provide the necessary training. At its most basic, if anyone suspects a device has been breached, teach them how to immediately disconnect it from the Internet and/or the office network and instruct them to contact IT support immediately. They should never try to resolve the problem themselves!

____ Purchase a cyber liability insurance policy.

____ Check your internal and Internet-facing network security at least annually to make sure your network is secure. This can be done by having a vulnerability assessment or penetration test done.

____ Properly dispose of any device or digital media that has or had any business-related data on it. Don’t overlook digital copiers, digital cameras, memory cards, CDs, DVDs, jump drives, backup tapes, etc. All devices and media must be digitally wiped clean and/or physically destroyed. This does mean that devices cannot be given away for personal use, donated, recycled, or sold unless the entire drive has been overwritten. Note: a restore to factory default settings is not an acceptable alternative to wiping a drive.