August 20, 2021

Summer Cybersecurity Checkup: What Every Organization Should Be Doing

by Paul Unger, Esq., Affinity Consulting Group

The flurry of ransomware attacks this year should be a reminder that none of us are safe and we should be doing more. Here are six items to add to your next leadership meeting.

 1.    Write/Update your Written Information Security Program (WISP). 

In many states, such as Ohio (which was the first state to adopt such a law) , having a WISP that “reasonably conforms” to one of the national data security frameworks like NIST, ISO, IEC or FedRAMP provides organizations with some protections from negligence actions in the event of a data breach.

Just as important as providing businesses protection, having such a program and protocols in place will make everyone’s data much safer. Your WISP should address the following security areas: 
•    Designating employees responsible for the security program (a task force or committee)
•    Identifying and assessing security risks
•    Developing policies for the storage, access, and transportation of personal information
•    Imposing disciplinary measures for violations of the WISP
•    Limiting access by or to terminated employees
•    Overseeing the security practices of third-party vendors as well as contractors
•    Restricting physical and digital access to records 
•    Monitoring and then reviewing the scope and effectiveness of the WISP
•    Documenting data security incidents and responses

2.    Mandatory Quarterly Training for Everyone. 
Schedule mandatory education at least every quarter for everyone in your organization. Cybersecurity practices and education is not a one-time event. Your organization should be regularly revising your WISP and educating your people even more. Most successful cybercrimes involve human error. Talk to your IT folks about implementing a ransomware education and testing solution. 

3.    Multi-Factor Authentication Solution. 
Implementing two-factor (or multi-factor) authentication (also known as 2FA or MFA) is just as important today, or arguably more important than changing passwords or using unique passwords. MFA is important because even if a cybercriminal has your username and password, without the second measure of authentication (usually using a tool like Google or Microsoft Authenticator, a text message notification requiring your intervention, or providing your fingerprint from your smartphone) they will not be able to login to an important service or account. 

4.    Full-Disk Encryption on ALL Computers. 
I recommend full disk encryption on stationary desktop computers, in addition to laptops and mobile devices. Mobile devices like laptops and smartphones are more vulnerable than a desktop computer, but desktop computers can be stolen as well. There are many choices for this type of solution, and it will likely cost you nothing or very little. For example, BitLocker is an encryption program included for free with certain versions of Windows 7, 8, 8.1 and 10. For Mac users, FileVault is included for free with OSX.

5.    Centralize Documents in a Secure Document Management System. 
Most organizations struggled with this problem before the pandemic, but when the pandemic hit, documents and data became even more scattered as individuals made copies of project or case files to work from home. This situation could have been avoided or can be solved by implementing a secure cloud-based document management solution. For law firms, solutions like NetDocuments, Worldox Cloud, iManage Cloud or EPONA are industry standards. For businesses, solutions like NetDocuments, SharePoint, FileCenter, Laserfiche and many others are good examples. Remember, it is impossible to secure and govern documents/data if there are multiple copies scattered in different places and within different solutions. 

6.    Use an Encrypted Password Manager.
Everyone should be using encrypted password managers. Password managers do the following:
•    Secures all your passwords, credit cards and personal notes in an encrypted cloud-based vault that one can access from all your devices.
•    Generates unique and very strong passwords.
•    If desired and appropriate, these vaults allow sharing of certain passwords with colleagues or your spouse. 
•    Look at programs like Dashlane, LastPass, OnePassword, Roboform.