One way to mitigate the increased risk of cyber attacks is to look to low-cost and no-cost solutions that can offer an immediate risk management benefit without added expense or complexity. NYC Bar Insurance and CyberLock Defense have prepared this list of 12 low-cost and no-cost ways to help legal professionals prevent cyber attacks.
1. Identify Key Accounts and Systems
Every firm has key accounts and systems they need to run. An inventory of your vulnerabilities can help illuminate opportunities to protect them.
Think through all the key accounts and systems vital to your firm. Ask yourself if you could continue to operate without issue if something were to happen to them. Jotting down a few notes about protecting these key vulnerabilities is a great place to start as you put your cyber risk management plan together.
2. Establish a Written Funds Transfer Policy
Your digital financial transactions are a primary target for cybercriminals. A funds transfer policy can help minimize your risk. Prior to any funds transfer, follow these steps:
- Require verbal verification of all new financial account numbers and any previously verified account number that has changed for any reason.
- Require the other party to recite their account number to your employee while on the phone.
- Train any employees who have the ability to transfer funds on behalf of the business to follow the policy according to these procedures.
3. Activate MFA Security Features
Cybersecurity experts now recommend turning on an optional built-in security feature called Multi-Factor Authentication (MFA) to reduce the risk of unauthorized remote access to your computer network, accounts and systems. MFA works by only allowing remote connections that have been verified with an extra security step.
For many networks, it’s as easy as switching on a setting that enables MFA for anyone who will be remotely accessing your computer network.
4. Carry Out Patch and Update Maintenance
Patch and update maintenance is important for cyber risk protection as new software vulnerabilities are regularly discovered. Follow these steps:
- Take an inventory of devices, systems and applications and update where needed.
- Create a process to regularly download, test and install patches within 30 days of release on your computer network.
- Audit your network to ensure patches and updates are successful and monitor for future releases.
5. Back Up All Computer Systems and Data
A cyber attack can result in the loss or theft of your firm’s trade secrets, client data and financial records. This can cause a great deal of damage from which it’s difficult to recover, so having adequate backup system protections in place is crucial.
It’s fairly easy to set up a system that will handle backups for you automatically. Plan to back up all the systems and data on your network at least weekly.
6. Isolate Backups from Your Primary Network
Backups stored alongside your other data on the same network are of little help in the event of a cyber attack. If your network is compromised, you want to make sure your backups remain unaffected.
It is best to keep multiple, redundant backups stored fully isolated from your primary network and in a separate geographic location to avoid contamination in the event of a network intrusion.
7. Remove Unsupported Operating System Versions
Many popular operating system versions are no longer supported by their developers. That means the developers no longer make or release updates to patch their security vulnerabilities.
Examples of unsupported operating systems include Microsoft Windows 7, Microsoft Windows Server 2008 and others.
It’s important to deprecate these versions and upgrade to supported operating systems, as even one unsupported system connected to your network can compromise the whole network.
8. Scan and Filter Content on the Network
Incoming emails and files can contain viruses that easily infect your computer and spread throughout your whole network. Often, all that’s required is to open a suspicious email or download an attachment.
A simple solution is to activate security features to scan and filter email and web content for malicious items. The security system can quarantine the item and alert your administrator that a problem has been detected.
9. Use Tools to Authenticate Incoming Mail
Special tools such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting & Conformance (DMARC) exist which can authenticate incoming email and prevent phishing scam attacks.
However, this one can be tricky, so don’t despair if your first thought on seeing SPF is suntan lotion. If you have an IT provider or network/server administrator, they should be able to recognize these options. Otherwise, simply contact us and we can provide a written guide on implementation.
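To show what these tools actually decide for the receiving side, here is an added example (not code from NYC Bar Insurance or CyberLock Defense) that reads the Authentication-Results header a mail server adds and applies a DMARC-style alignment check: the message is accepted only if SPF or DKIM passed for a domain that matches the visible From domain. The two sample messages and all domain names are constructed placeholders.

```python
"""Added illustration of DMARC alignment on incoming mail (constructed sample
messages; domains such as client.test are placeholders, not real senders)."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: SPF and DKIM both pass and align with the From domain.
ALIGNED_MSG = """\
Authentication-Results: mx.example-firm.test;
  spf=pass smtp.mailfrom=client.test;
  dkim=pass header.d=client.test
From: Accounts <billing@client.test>
Subject: Updated wire instructions

Please send the retainer to the new account below.
"""

# Constructed sample: SPF passes for the sending server's own domain, but the
# visible From domain is different, so the message fails DMARC alignment.
SPOOFED_MSG = """\
Authentication-Results: mx.example-firm.test;
  spf=pass smtp.mailfrom=bulk-sender.test;
  dkim=fail header.d=bulk-sender.test
From: Accounts <billing@client.test>
Subject: Updated wire instructions

Please send the retainer to the new account below.
"""

def _auth_results(msg):
    """Return (method, result, domain) tuples from Authentication-Results,
    e.g. ('spf', 'pass', 'client.test') or ('dkim', 'fail', 'bulk-sender.test')."""
    header = msg.get("Authentication-Results", "")
    pattern = r"(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    return re.findall(pattern, header)

def _organizational_domain(domain):
    """Relaxed alignment: compare the last two labels (a simplification of the
    public-suffix lookup a real DMARC implementation performs)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_disposition(raw_message, policy="quarantine"):
    """Return 'accept' if SPF or DKIM passed for a domain aligned with the From
    domain; otherwise return the configured policy action (quarantine/reject)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for _method, result, domain in _auth_results(msg):
        if result == "pass" and _organizational_domain(domain) == _organizational_domain(from_domain):
            return "accept"
    return policy
```

The second message is the pattern behind many wire-fraud attempts: a lookalike mailbox that passes SPF for its own infrastructure but does not align with the domain shown to the reader, which is exactly what DMARC catches and the funds transfer policy in #2 backstops.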
10. Secure or Disable All RDP Endpoints
Remote Desktop Protocol (RDP) is a popular Microsoft Windows component used to connect to a computer remotely that can introduce serious security vulnerabilities if improperly configured.
Either protect your RDP with MFA (multi-factor authentication) or disable it on all network endpoints.
Similar to #9, if you have an IT professional and they’re unsure about this technical solution, simply contact us for help on how to implement this risk management control to secure your system.
11. Encrypt All Sensitive and Confidential Information
Data encryption is an essential tool that automatically scrambles data to protect it from prying eyes and unscrambles the same data so that authorized parties can work with it.
Computer systems, software applications and online services all have built-in settings to turn on encryption while data is “at rest” and “in transit.” In addition, most email providers can add specific encryption when needed.
12. Restrict Network Administrative Privileges
Computer networks rely on a graded system of access levels to help protect critical parts of the network from both accidental and intentional changes. Having administrative privileges allows a user to make changes to the system, such as installing software on the computer network.
Limit the number of employees with these high-level privileges to a select few to help protect your firm’s computer system.
With these simple low-cost and no-cost solutions, you can significantly reduce the risk of a cyber attack impacting your law firm. For help with any of the above, please contact CyberLock Defense and we will be glad to assist.
Make sure part of your cyber risk management planning includes purchasing the right cyber liability insurance policy.
For more information about how to protect your firm, please contact us today at NYC Bar Insurance.