What YOU can do to prevent and mitigate data breaches

The past few months have been marked by major global cyberattacks. In May, WannaCry, the largest-ever cyberattack targeting commercial applications, inflicted damage that Bloomberg estimated could exceed $2.5 billion in costs to insurers and $4 billion in costs to affected companies. In June 2017, the Petya cyberattack caused serious business disruptions at such large corporations as Siemens, Mondelez and Maersk, not to mention more recent and widely covered cases such as Equifax. In some cases, hackers demanded payments from victims in exchange for restoring their files and/or refraining from publishing sensitive company information on the Web.


The two ransomware attacks came on the heels of others suspected to have been supported or orchestrated by hostile governments to spy on or sabotage public and private entities in such strategic sectors as utilities, energy, finance, law enforcement and even emergency services, constituting what some characterize as full-on cyberwarfare. Cyberattack weapons and techniques continue to outpace cybersecurity legislation and law enforcement, and in today's hyperconnected world, security threats can originate anywhere and at any time.


Although the press has focused on large businesses at risk for data breaches, small or “under-the-radar” operations are no safer from attack. In fact, most of the funds paid to hackers come from small and medium-sized businesses lacking business continuity plans or the technology and knowledge to protect their data. And while many of the recent data breaches have involved at least one hacker, companies are also under constant threat from “peopleware”: employees who fall for phishing scams, fail to update antivirus software, download apps from unreliable sources, or use unsecured networks and personal devices to access sensitive company information from home or while on the road.


For professional services firms, among them legal departments, law firms, accountants and auditors, data is the main business and reputational asset: they work with, produce and are expected to protect sensitive client documents. That makes a failure to secure information tantamount to leaving their office doors, and their clients' doors, open at night for criminals to ransack. One need go no further than the Panama Papers scandal, in which 11.5 million documents detailing a Panamanian law firm's financial and attorney-client information dating back to the 1970s were leaked in 2015 by an anonymous source.


With digital technology here to stay, can we truly mitigate or avoid cybersecurity problems? The good news is that we can. Proper preventive data security measures can help firms big and small avoid devastating business losses, reputation damage and penalties applied by clients and government agencies. IT systems have long had the capability of monitoring user identities and geographies, administering permissions and data controls, encrypting documents and performing a host of other functions the typical office server was not designed to record or process.


Based on my more than 20 years of experience providing IT systems for the professional services industry, I recommend the following best practices for the small and mid-size legal departments, law firms, accountants and auditors I support:


Compare apples with apples. Not all data management systems are alike, so compare them to determine whether they truly provide the levels of cyberprotection they promise, whether they can scale easily as your company grows or widens its scope of operations, and whether they can be tailored to meet specific or future needs. As the expression goes, being penny-wise with cybersecurity can often prove dollar-foolish: if a system seems too good to be true, it probably is.


Consolidate and replicate. Secure your documents and content in a single place to make security easier, not to mention to simplify tracking and locating important files. Consider managing all your documents in the cloud, even if it is a private one, establishing proper security levels against external threats. Cloud-based systems are quick and easy to set up and the best way to consolidate and secure sensitive information, not to mention to facilitate access from different locations. Make sure your software automates remote data replication, allowing your firm to continue in business even if your information has been compromised. Be sure to properly and frequently back up all your data in a different digital and physical location. Test your backup recovery at least once a year as part of your data loss prevention (DLP) plan.
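A backup that has never been restored is an assumption, not a control. The following is an added example, not code from the original article or from any product it mentions: it shows one concrete way to carry out the yearly recovery test recommended above by recording a SHA-256 manifest of the live document tree at backup time and comparing a restored copy against it, reporting files that are missing or whose contents changed. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in fixed-size chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, with '/' separators) to its SHA-256 digest.

    Record this at backup time and store it separately from the backup itself,
    so a corrupted or tampered backup cannot also corrupt the reference."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken when the backup was made."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatched": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a live tree and a restored copy in which one file is
    missing and another was silently corrupted. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        for d in (live, restored):
            (d / "matters").mkdir(parents=True)

        # Constructed sample documents (contents are placeholders).
        files = {
            "matters/contract.txt": b"signed 2017",
            "matters/memo.txt": b"privileged",
            "ledger.csv": b"a,b\n1,2\n",
        }
        for rel, data in files.items():
            (live / rel).write_bytes(data)

        manifest = build_manifest(live)

        # Simulated restore: contract intact, memo corrupted by one byte, ledger never restored.
        (restored / "matters/contract.txt").write_bytes(files["matters/contract.txt"])
        (restored / "matters/memo.txt").write_bytes(b"privilegd")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    for status, paths in report.items():
        print(f"{status:10s} {len(paths):3d}  {', '.join(paths)}")
```

The report is what a recovery test should produce: a list of files that came back intact, a list that did not come back at all, and a list whose contents differ from what was backed up. Any entry in the last two lists means the backup cannot be relied on, which is exactly what the annual test is meant to discover before a real incident does.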


Think beyond security. Beyond security features such as email quarantine folders and junk boxes, some integrated software systems also offer timesheets, back office support functions, workflow tools, semantic search, business intelligence, machine learning and other artificial intelligence tools. By collecting and analyzing company data, making search easier and automating company functions, these tools can provide insights on how to save costs and explore new revenue streams, while maximizing the consistency of documents and productivity across teams. Such technologies can also identify potentially dangerous behaviors such as above-average duplication of (or access to) files by a specific user, signaling a potential future data breach or an employee's possible plan to leave your firm.


Restrict access in a way that makes sense. Establish criteria for classifying projects that should have limited access, and ensure sensitive information can be accessed only by the executives who need to use it, in a way that secures sensitive data without adversely affecting productivity and collaboration. Many data breaches come from people who were previously granted access to information (via email or a file share link, for example), so make sure your system monitors who accesses your information remotely, and that it can restrict access immediately for employees, clients or other partners no longer associated with your firm. In the case of more complex policies such as TOR (Transfer of Responsibilities to the final user), such systems can help you reduce potential liabilities.
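The point above is a reconciliation problem: the list of people who can still reach your documents must be checked against the list of people who are still entitled to. The following is an added example, not code from the article or from any document management product; it reads a constructed remote-access log and a constructed roster recording when each account's association with the firm ended, and flags every access that happened after that date or by an account the roster does not know at all. The log format, account names and dates are all assumptions made for the demonstration; a real system would pull the roster from HR or the client/matter system.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample remote-access log, one event per line:
# ISO timestamp, account, document id, access channel.
ACCESS_LOG = """\
2017-10-02T08:15:00 alice@example-firm.test DOC-118 vpn
2017-10-02T09:40:00 contractor.bob@partner.test DOC-204 share-link
2017-10-03T22:05:00 carol@example-firm.test DOC-118 vpn
2017-10-04T07:12:00 contractor.bob@partner.test DOC-204 share-link
2017-10-04T11:30:00 dave@example-firm.test DOC-310 web
2017-10-04T12:00:00 unknown.user@elsewhere.test DOC-310 share-link
"""

# Constructed roster: date (YYYY-MM-DD) on which each account's association with
# the firm ended, or None if the person is still an employee, client or partner.
ROSTER: Dict[str, Optional[str]] = {
    "alice@example-firm.test": None,
    "carol@example-firm.test": "2017-10-01",        # left the firm
    "contractor.bob@partner.test": "2017-10-03",    # engagement ended
    "dave@example-firm.test": None,
}


@dataclass(frozen=True)
class Finding:
    account: str
    document: str
    when: datetime
    reason: str


def parse_log(text: str):
    """Yield (timestamp, account, document, channel) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, doc, channel = line.split()
        yield datetime.fromisoformat(ts), account, doc, channel


def find_stale_access(log_text: str, roster: Dict[str, Optional[str]]) -> List[Finding]:
    """Flag access by accounts that are unknown or whose association had already ended."""
    findings: List[Finding] = []
    for when, account, doc, channel in parse_log(log_text):
        if account not in roster:
            findings.append(Finding(account, doc, when, f"account not in roster (via {channel})"))
            continue
        ended = roster[account]
        if ended is not None and when.date() > datetime.fromisoformat(ended).date():
            findings.append(
                Finding(account, doc, when, f"access via {channel} after association ended {ended}")
            )
    return findings


def accounts_to_revoke(findings: List[Finding]) -> List[str]:
    """Distinct accounts whose access should be cut off immediately."""
    return sorted({f.account for f in findings})


if __name__ == "__main__":
    found = find_stale_access(ACCESS_LOG, ROSTER)
    for f in found:
        print(f"{f.when.isoformat()}  {f.account:35s} {f.document}  {f.reason}")
    print("revoke:", ", ".join(accounts_to_revoke(found)))
```

Run against the sample, the check ignores the contractor's access on 2 October (the engagement was still live) but flags the same account on 4 October, the former employee's late-night access, and the share-link reached by an address the roster has never seen. Scheduling this reconciliation daily, with the output feeding straight into deprovisioning, is what "restrict access immediately" looks like in practice.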


Plan ahead. Build a Disaster Recovery Plan (DRP) to respond to natural disasters, data breaches and other critical situations with the potential to impact your company's operations and/or reputation, even if such situations have not occurred before. Pay attention to critical issues presented by your industry and competitors. If your data is in the cloud, the contingency plan must allow for the uploading of data from a remote backup and the ability to grant access to that backup to employees who might have to work remotely.


Focus not just on software, but on people and processes. Before shopping for a computer system to secure your data, make sure the right people in your organization (on both the IT and client services sides) are the ones identifying problems and needs, choosing the best-in-class software to address those needs, structuring processes and assembling the right team to implement the new software solutions. No software, however sophisticated, will work if it does not fulfill company needs or if personnel cannot, or will not, use it.


Train team members new and old to:

a) Use encryption tools when sharing or sending files with sensitive information.

b) Avoid keeping computers or other devices logged on to networks overnight or at other times when they are not being used.

c) Be careful downloading files, particularly if they come from an unknown sender, and be suspicious if known senders send information they would not normally share.

d) Regularly install antivirus and operating system updates on the personal devices they use to conduct business.

e) Change the passwords of the personal devices they use to review e-mail or other corporate applications.

f) Enable security measures such as biometrics in the apps that offer them.

g) Activate device location tools on the personal devices they use for company business, so that a lost or stolen cell phone or other device can be located, locked and wiped remotely.

h) Back up their phones even if they have to pay a small fee for it.


In conclusion, information is an asset that needs to be protected. Today’s software systems, when properly chosen and implemented, can help you operate safer, not to mention smarter.

The article is excellent because it leads us to reflect on the importance of protecting data, whether personal or corporate. Congratulations, Marcelo Souccar.

José Eduardo Ribeiro Matta

Chief Executive Officer at SOGERIR Prestação de Serviços Digitais Ltda.

7 years ago

Very good, Souccar!
