Why doesn't data security get the respect it deserves?

Data breach “horror” stories have become a new staple in today’s business environment.  The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases.

Wells Fargo accidentally leaked thousands of sensitive documents, but not in the sophisticated way often portrayed in the media. The bank wasn't hacked, and its computers weren't encrypted by ransomware.

A lawyer representing Wells Fargo in a lawsuit now has to explain how she inadvertently turned over confidential information about thousands of bank clients. She inadvertently sent 1.4 gigabytes of files to a former financial adviser who subpoenaed the company as part of a lawsuit against one of its current employees. The data set includes at least 50,000 customers' names, Social Security numbers and sensitive financial info, according to The New York Times, which confirmed the contents of the documents. The affected clients are some of Wells Fargo's wealthiest, with investment portfolios worth tens of billions of dollars.

Will the NJ based law firm have potential liability exposure to its lawyers?

Only time will tell. 

Judges in New York and New Jersey have issued orders barring further release of the documents, requiring the plaintiff to delete any document copies, and requiring the plaintiff to give the digital file to the court for safekeeping.

For nearly two decades, I have been assisting businesses of all sizes dealing with ESI (Electronically Stored Information) being misappropriated, lost, stolen, or spoliated. Over 50% of the cases deal with theft of trade secrets, restrictive covenants and non-competes, spoliation and, within the past decade, data breaches.

Seventy-four percent of organizations felt vulnerable to insider threats, while almost half of surveyed security professionals said that insider risks had increased in the past year, resulting in greater rates of stolen data and security breaches. (Source : A recent industry study by Delta Risk).

The business sector continues to have the highest percentage of total breaches reported — 54.7 percent at the six-month mark.

NOTE: I SAID REPORTED! 

MUCH OF THE MEDIA AND WHAT IS KNOWN IS ONLY A SMALL PERCENTAGE OF CASES REPORTED.

Although data security and breach response are constantly in the headlines, studies demonstrate that organizations remain unprepared to effectively respond to a data breach.

Is your organization ready? 

Business leaders need to take a different approach and peel the bandages off from the past and identify what and where their "crown jewels" are.  Information security has, by necessity, changed a lot from a strategic perspective.   Back in the day, tall walls and clever architecture were all we needed to keep criminals out… Castles emerged in Europe in the Medieval period during the 10th century, built to provide protection from enemies. Later, castles became status-symbol residences for monarchs and royalty (the crown jewels).   The weakest part of the castle’s defenses was the entrance. To secure access to the castle, drawbridges, ditches and moats provided physical barriers to entry. 

It's no longer good enough to ensure end-to-end protection within the walls of your enterprise.

In the case of Wells Fargo and their outside law firm, this should serve as a wake-up call regarding third parties, any one of whom could cause real financial and reputational damage if compromised.

So why are firms not spending more time focusing on understanding what and where the sensitive data is?

Throwing Money at Cyber Security is NOT the Answer. 

Before spending a penny, or a dollar, more on any technology, one must ask:

Have we got the basics right?

It’s often the basic hygiene, the basic controls, that are overlooked in the search for a panacea that does not exist. Most security breaches can be prevented by having layered cyber security controls throughout the enterprise. Yet most organizations are spending a large amount of money protecting their perimeter from the hacker hooligans; while that is necessary, a determined attack is often unstoppable. Meaning, if your firm is targeted by a hacker or a hacking organization, no matter how secure your perimeter is, most security experts will confirm that there is nothing you can do to prevent it from happening.

For years, I’ve been saying “People are the weakest link”. Conversely, they are also the best front line of defense to prevent or detect a possible cyber incident.

Unfortunately, Cyber ignorance or "cyber fatigue" has set in. 

As stated earlier, most organizations are building defenses around the castle, but lack good controls around the data in their business, which is what is most vulnerable.

Please feel free to contact me for a fixed fee "Ethical Hacking" assessment or if I can be of any assistance to you.

Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”. 
LinkedIn | Twitter | Email | Speaking Events

The official NY DFS Cyber Security Regulations are in...

The New York State Department of Financial Services (NYDFS) has launched a significant initiative to impose detailed cyber security requirements on covered financial institutions. The Final Rules, published here, go into effect on 1 March 2017.

The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive cybersecurity program.  The regulations impose significant, yet minimum cybersecurity requirements, and mandate board of director involvement and accountability. 

Where does this have an impact?

The NYDFS proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance or financial services law.

Who are the Institutions regulated by DFS?

While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. You can see the other NYDFS supervised businesses discussed here.

What Do You Need to Know?

As a first step, determine whether your organization is covered. Note: the scope of the regulations is broad, but there are exemptions.

Step 1 - Is my company exempt? If so, a certificate of exemption must be filed with NYDFS within 30 days of that determination. **

**Exemptions: 

1- “fewer than 10 employees, including any independent contractors of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity.” (Section 500.19(a)(1)).

2-  Covered Entities with less than US$5M in gross revenue from its New York business operations (or its affiliates’ operations). Note - Some larger financial institutions with a smaller New York “footprint” may qualify for either (or both) of these new limited exemptions. 

3- Certain captive insurance companies that do not control, use, or possess Nonpublic Information beyond that information relating to its parent and affiliate companies.

Step 2 - Retention: a Chief Information Security Officer (CISO) must be designated no later than 28 August 2017.

Step 3 - Organizations need to understand and/or update their risk profile.

NOTE- The types of entities listed above receive only limited exemptions under the regulations. 

How does this impact my business?

The cybersecurity program must serve six core functions:

  1. IDENTIFY INTERNAL AND EXTERNAL CYBER RISKS;

  2. USE DEFENSIVE INFRASTRUCTURE;

  3. DETECT CYBERSECURITY EVENTS;

  4. RESPOND TO AND MITIGATE IDENTIFIED OR DETECTED CYBERSECURITY EVENTS;

  5. RECOVER FROM CYBERSECURITY EVENTS AND RESTORE NORMAL OPERATIONS; AND,

  6. MEET REGULATORY REPORTING OBLIGATIONS.

In addition, the cybersecurity programs must include regular employee training on cybersecurity, and contain controls sufficient to monitor user activity and detect unauthorized user access.

When does this compliance go into effect?

The requirement dates for the Final Rules are as follows:  

* September 1, 2018 is a Saturday. New York law provides that when a compliance date falls on a weekend or holiday, the due date is the next business day – in this case, Tuesday, September 4, 2018 (as Monday the 3rd is Labor Day).

Questions:

For several years, Digital4nx Group has been providing "Ethical hacking" Security assessments, which we define as a service where we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses. Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security.

For many organizations, and especially those regulated by DFS, Digital4nx Group will be providing a solution called Cyber Vigilance™. This annual service is a set of proactive services designed to simulate a real-world attack on your network, without the end-goal of causing harm, in order to identify, prioritize and remediate information security issues and potential exposures which could cause various risks for the organization.

For more information, please give us a call or learn more about the program here and return the attached questionnaire for a fixed fee price.

Always seek experienced legal advice.

Is Cyber Fatigue putting everyone in danger?

I am sure that most people today are simply tired of the constant news about hacking the election, a financial services firm that has been compromised, or worse, your PII (Personally Identifiable Information) and PHI (Protected Health Information) being sold on the Dark Web.

A majority of computer users suffer from “security fatigue” — a weariness of or reluctance to engage with cybersecurity — that leads them into risky behavior online, according to a new study by scientists from NIST (the National Institute of Standards and Technology). In short, they found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.” In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities, including banking and shopping.

The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”

These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, law and other professional services firms. 

Cybercrime activities like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work. 

If the US Government, Fortune 500 companies, High Tech firms, Financial Institutions, Health Care Organizations and Universities with all of their resources were unable to stop the attacks... 

What possible chance can a small/medium business have?

The answer is: more than you would think.  

Digital4nx Group, Ltd. recognizes that the greatest vulnerability in most organizations comes from their own people.  

We have been providing fixed fee "ethical hacking" Security assessments, which we define as a service where we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses. The goal of an ethical hack security exercise is not to reveal deficiencies in the performance of your IT team, but rather to support them. We often find that IT teams are pressured to make things easy-to-use and functional, maintain software updates and patches, and keep the users up and running.

Our ethical hacking assessment aids the IT team, giving them a road-map for making their networks much more secure, identifying the sensitive information which the organization maintains, and improving the best reasonable security measures for that organization.

Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security. 

Even small businesses can interrupt this chain of events at several points, making it much more difficult for cyber criminals to gain a foothold.

We commonly find that we gain some of the initial access to a company's systems by tricking users into providing their passwords. Once we have those passwords, we can leverage them to gain additional access to other systems.

The below techniques are simple and inexpensive:

  • Make sure everyone in your company understands phishing schemes and how to recognize them.  A phishing scam is an attempt to trick someone into providing username and password information to a hacker.  Spearphishing is a phishing attack customized to a particular individual.
  • Do not allow people to have administrative privileges on their computers.  This prevents them (or viruses acting under their credentials) from installing hacking tools on a computer.
  • Change passwords regularly and use different passwords for different accounts.  In other words, the password to your work computer should be different from the one you use on, say, your Yahoo account.  Password manager software (such as LastPass, KeePass, Dashlane,...) makes it easy to track and change passwords.
  • Ensure your computers install security updates from Microsoft, Apple, and Adobe automatically.
  • Install antivirus software on your computers.
  • Install a firewall if you don’t have one, and review your firewall to tighten it up as much as possible.  A firewall is a device that stands between your network and the rest of the world, blocking unauthorized access.
  • Configure spam filters to be as restrictive as possible and use Sender Policy Framework (SPF) records to reduce the likelihood of phishing messages.
  • Confirm backups run regularly and periodically test those backups.
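The SPF item above is easy to get wrong in ways that leave the control ineffective. As an added example (not code from the original post), the following Python grades a domain's SPF TXT records the way a receiving mail server would read them: missing record, duplicate records, a permissive `all` qualifier, and too many DNS-lookup terms. All domain names and records are constructed for illustration; nothing is queried over the network.

```python
"""Static assessment of a domain's SPF (RFC 7208) TXT records.

The sample records below are constructed; no DNS lookups are performed.
"""
import re

# Constructed sample TXT records keyed by made-up domain names.
SAMPLE_TXT = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "soft.example": ["v=spf1 mx ~all"],
    "open.example": ["v=spf1 a mx +all"],
    "noall.example": ["v=spf1 include:one.example include:two.example"],
    "nospf.example": ["site-verification=abc123"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
}

# Terms that cost a DNS lookup at evaluation time; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# What a receiver does with mail from a host the record does not list.
ALL_MEANING = {
    "-": "fail: unauthorized senders are rejected",
    "~": "softfail: unauthorized senders are accepted but marked",
    "?": "neutral: no assertion, offers no spoofing protection",
    "+": "pass: anyone may send as this domain",
}

# qualifier (optional), mechanism/modifier name, optional argument
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z][A-Za-z0-9-]*)(?:[:=/](.*))?$")


def parse_spf(record):
    """Split one SPF record into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"malformed term: {raw!r}")
        # An omitted qualifier means '+' (pass) per RFC 7208 section 4.6.2.
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def assess_spf(txt_records):
    """Grade the SPF posture implied by a domain's TXT records.

    'status' is one of: missing, invalid, strict, soft, weak, unresolved.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"status": "missing", "lookups": 0,
                "findings": ["no SPF record: receivers cannot reject forged mail"]}
    if len(spf) > 1:
        # Receivers treat more than one v=spf1 record as a permanent error.
        return {"status": "invalid", "lookups": 0,
                "findings": ["multiple SPF records: receivers return permerror"]}
    try:
        terms = parse_spf(spf[0])
    except ValueError as exc:
        return {"status": "invalid", "lookups": 0, "findings": [str(exc)]}

    findings = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: permerror")

    names = [name for _, name, _ in terms]
    if "all" in names:
        idx = names.index("all")  # evaluation stops at the first matching 'all'
        if idx != len(names) - 1:
            findings.append("terms after 'all' are never evaluated")
        qualifier = terms[idx][0]
    elif "redirect" in names:
        qualifier = None  # the outcome lives in the redirect target's record
    else:
        qualifier = "?"  # RFC 7208 default when no mechanism matches
        findings.append("no 'all' term: unmatched senders default to neutral")

    if qualifier is None:
        status = "unresolved"
        findings.append("result depends on the redirect= target; resolve it to judge")
    else:
        status = {"-": "strict", "~": "soft"}.get(qualifier, "weak")
        findings.append(ALL_MEANING[qualifier])
    return {"status": status, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        result = assess_spf(records)
        print(f"{domain:16} {result['status']:10} lookups={result['lookups']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Only `strict` (a trailing `-all`) lets receiving servers reject spoofed mail outright; `soft` and `weak` records leave phishing that forges your own domain to the spam filter alone.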


Questions?  Concerns?  Want some help conducting a cyber security risk assessment?  Give us a call, we’re happy to help.

PS- For those who are not cyber fatigued and interested in reading about the Department of Homeland Security report detailing Russian civilian and military efforts to hack organizations, companies, and educational institutions in the United States, you can read it here.


What is the right type of security assessment for your firm?

The most common question when evaluating which solution is the best fit for your organization is:

"What's the difference between a vulnerability assessment and a penetration assessment?"


The two are often incorrectly used interchangeably due to marketing hype and other influences, which has created much confusion.

With that in mind, I’d like to try to clarify the distinctions between vulnerability assessments and pen tests and hopefully eliminate some of the confusion.

From our perspective, a Vulnerability Assessment deploys an automated tool which scans the IT infrastructure and reports the results. The tool's job is to identify all systems and the associated applications and services they are running. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known exploits. All the problems the tool has identified are then presented in a vulnerability assessment report.

It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them. 

"vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart."

A Penetration Assessment simulates a real-world attacker which takes actions on the external and/or internal systems that aim to breach the information security of the organization. Using many tools and techniques, the penetration tester aka "ethical hacker", attempts to exploit critical systems and gain access and/or administrative control to sensitive data. 

This assessment typically uses vulnerability scanning as well as other manual and proprietary methods and tools to efficiently get a picture of a company's fundamental security and to identify attack vectors into the organization.

Unlike vulnerability assessments, ethical hacking takes into account mitigating controls and the potential impact of a vulnerability. It uses the human factor, aka "social engineering", and often pieces together identified vulnerabilities in order to understand their potential impact and to dive deeper into the environment, well past layer one of your systems' security.

Many factors are considered when performing a risk analysis.  A risk analysis doesn't require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others -  to the company if the vulnerability were to be exploited.    

When a risk analysis is completed, it yields a final risk rating along with mitigating controls that can further reduce the risk. Business decision makers can then take the risk analysis and suggested mitigation controls and decide whether or not to implement them.

In summary,  a technician runs a vulnerability scan while a hacker performs a penetration test. The tools used for a penetration test are varied and dynamic, but it is not the tool that performs the test; rather it is actually the tester. 

Vulnerability Assessments are often automated; they look for known vulnerabilities in your systems and report potential exposures. A vulnerability assessment answers the question: “What are our weaknesses and how do we fix them?”

Penetration Assessments are designed to actually exploit weaknesses in the architecture of your systems. A penetration assessment simply answers the questions: “Can someone break in, and what can they attain?”

Ideally, you will want to run a penetration test once a year.  Vulnerability scans should be run continuously.

  NOTE: Penetration tests should be run by an outside consultancy so that the benefit of independence can be garnered.  

Together penetration testing and vulnerability scanning are powerful tools used to monitor and improve information security programs.

Misunderstanding can put your company at risk – and cost you a lot of money!

Still have more questions on where to get started or need assistance on conducting an evaluation of your organization’s security posture? 

Contact Digital4nx Group, Ltd. to find your organization's information security weaknesses and the valuable assets an advanced threat can obtain.


PRESS RELEASE : IS YOUR COMPANY CYBER VIGILANT™?

Corporations are faced with the unenviable task of trying to defend their networks against various types of intrusive attacks. Many companies are vulnerable, news of the next breach arrives weekly, and technology environments have gotten increasingly complex. It is harder than ever to watch over your entire infrastructure.

Digital4nx Group is proud to announce that it has released its annual Cyber Vigilance™ program.  

This proactive annual service is designed to simulate a real-world attack on your network, without the end-goal of causing harm, in order to identify, prioritize and remediate information security issues and potential exposures which could cause various risks for the organization.  

For one low monthly payment, we offer a complete solution of services, year round, to help keep you protected and focused on the most current threat vectors. 

Click here to inquire more about the program or complete a questionnaire

Don't be harpooned...

Business Email Compromise, or BEC, attacks have been observed targeting top executives in companies large and small. The fraudsters who specialize in this fraud have a new trick up their sleeves.

In a recent case, a firm hired a new CFO in January. Within weeks of his arrival, he received spoofed emails from the organization’s CEO, asking human resources and the accounting department for employee W-2 information.

Fraudsters go for W-2 information because it contains virtually all of the data they would need to fraudulently file someone’s taxes and request a large refund in their name.

These scams are quite sophisticated and have been very successful. What's different about them is that the thieves are not taking the money directly; they are persuading employees in trusted positions to unknowingly send it to them.

They often attempt to find out when the executive might be travelling, and often compromise other employees’ inboxes beforehand via a phishing attack to gain access and scan the content for keywords that show whether the company regularly sends wire transfers. Once access has been gained, they tailor the emails to make it appear as though the executive is in urgent need and not in the office, adding “sent from my mobile device” as the signature.

Be Wary!

Digital Evidence Reveals the Kink in the Supply Chain!

A manufacturer of consumer healthcare products began receiving complaints on their consumer information line. The complaint line determined that the products were purchased at a discount chain and varied in color, texture, odor, and taste. The manufacturer immediately deemed the product was unusable and tainted.

The company, through a law firm, hired a New York based private investigator who purchased several products that were counterfeit. The product name and packaging appeared to be an exact knockoff of the legitimate product, including the company’s trademark symbol.

A case was filed in the Southern District of NY after the company found its copyrights and trademarks had been violated. A Federal Judge deemed the counterfeit sufficiently confusing to consumers and signed a seizure order allowing the company's lawyers, along with United States Marshals and Digital4nx Group, to enter the locations operated by the discounter and a distributor.

It was suspected that the counterfeit merchandise was being warehoused and distributed from these locations.  The locations also included offices where it was suspected that paper and electronic records regarding the counterfeit merchandise were kept.  

On a warm Friday morning in July, Digital4nx Group’s forensic collection team, along with the attorneys, private investigators, and the United States Marshals, convened at locations in New York City, Long Island, and New Jersey. At approximately 8am EST, we entered the locations simultaneously, surprising the workers who had arrived just minutes earlier.

Once the Marshals served the search and seizure order, they secured the premises and then allowed us to begin imaging disk drives, while the attorneys and PIs searched for counterfeit products. By the end of the weekend, we were able to image 35 computers in 3 locations, as well as mobile phones, a VoIP voicemail system, and 3 servers.

During the following week, Digital4nx Group forensic investigators identified 2 other locations, including a storage facility blocks away which contained the mother lode of counterfeit merchandise. Additionally, we located various e-mail communications between the owner of the distributor and its sources, showing where and when the counterfeit merchandise was coming from, along with the shipping dates and quantities of past and future orders. Lastly, we were able to reconstruct and generate reports of total sales of all counterfeit and suspect merchandise, as well as identify other suspect counterfeit merchandise sold by the company. We provided the forensic accountants as well as the USAG’s office with the reconstructed financials, past shipping manifests, an inventory of counterfeit merchandise in various retail outlets, and a determination of all the suppliers of the counterfeit merchandise.

Thankfully, no consumers were harmed and the parties were retained early enough to prevent further distribution in the supply chain. 

In the end, the manufacturing company was able to quickly stop the sale of the counterfeit merchandise, avoid consumer harm, settle the case and recoup its various expenses. I hope this is another example of how a quality, experienced digital forensic investigation services team gathering the digital evidence, along with proper forensic analysis, allowed the attorneys to build a solid case, gather relevant financial information, and locate the foreign sources of the counterfeit goods to prevent further harm to consumers. The bonus was that the client and the attorneys realized a significant reduction in billable time, because most of the relevant information was in electronic format and could be easily accessed and used in support of building their case, reducing the overall costs.

Please feel free to contact me for a confidential conversation if I can be of any assistance to you.

Digital4nx Group, Ltd. offers regional digital forensics services for plaintiffs and defendants in civil and criminal legal matters. 

It’s not your firewall or anti-virus, it’s your business practice that puts you at risk…Are People the weakest link?

The daily news headlines reveal the escalating, and costly, problem of data breaches for companies. Today, we are in the midst of never ending articles, blogs and news reports regarding the latest cyber security breach. The days of casual hackers going about their efforts for little more than bragging rights have now morphed into big business where the financial rewards can be substantial. This summer, the FBI has received reports of more than $18m in losses in the past year stemming from the spread of the bitcoin ransomware Cryptowall and its related variants. When you consider all the viruses on the Internet, the amount of revenue these wicked hackers are collecting is astonishing.

All companies store assets digitally — from consumer personal data, to B2B customer data, to trade secrets, to confidential information relating to mergers and acquisitions. When it comes to Law Firms, they often handle sensitive data (i.e. intellectual property, corporate transactions, mergers and acquisitions, bank account #’s, social security #’s, client addresses, credit card information, health care information, personally identifiable information (PII) or personal data.)  

Additionally, law firms utilize many individuals who may have access to sensitive data beyond partners and associates, such as contract attorneys, paralegals, secretaries, and others. An incident could occur even when an employee of the firm accesses data improperly or when an employee mentions something to friends or family or on social media sites.

Law firms don’t have secrets; it’s the client information that hackers want. The reality is they hold a digital treasure trove of data, which is a primary reason law firms are and have been targets for numerous years.

A major harm is reputation – no firm wants to go to a huge client and inform the client that it has lost the client’s sensitive data.

All businesses depend upon the integrity of their computer networks to operate efficiently, effectively, and securely. Corporate directors and officers have fiduciary obligations to safeguard these assets, and lawyers additionally have an ethical obligation to their clients.

When a breach happens, reputational, regulatory, financial and legal risks proliferate.

Unfortunately, the key question that never seems to get answered is: What exactly are we at risk from and what are we supposed to do about it?

With over a decade of experience in handling hundreds of matters, here is the hint: It’s not your firewall or anti-virus, it’s your business practice that puts you at risk…People are the weakest link.

After asking people for their definition of data security, I found many varied definitions. I've defined it in simple terms: "Data security is simply keeping sensitive information from falling into the wrong person's hands."

Consider this hypothetical:

You are on your way into work and you spot a USB thumb drive on the ground. It has your company's logo on it, so you decide to pick it up and see what's on it so you can figure out who it belongs to and return it to them. You plug it into your office computer and there are no files or anything else you can find that identifies the owner. Hmm. Since you did find that it's a 128 gigabyte USB stick, you keep the drive for your own use. A few days later, you end up plugging it into your laptop and home computer to transfer some old pictures and music between computers.

What you don't know is that the USB drive contained malware that infected your computer the moment you inserted it and the auto-run feature ran. The malware connects out to the hacker's computer, giving them full access to your computer and your network. The files sit on a hidden partition that you were unable to delete, and they have now infected your home computer and laptop as well. Rather than needing to gain access to your facility or hack into your network, the hacker simply threw the pen drive into your parking lot from the street and voila! They are in.

This all happens without anyone ever realizing it. This hacker now has access into your company and all of its data and quietly uses it for monetary gain.
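The USB drop in the hypothetical above works only if the workstation will run what is on the stick. As an added example (not code from the original post), the following PowerShell audits the standard Windows policy values that turn off AutoRun/AutoPlay and deny removable storage entirely, and reports each one as OK or WEAK; the registry paths and value names are the documented Windows policy locations, and the script assumes an elevated session.

```powershell
# Added example: audit (and optionally apply) the Windows policy values that stop a
# dropped USB stick from auto-executing or from being mounted at all.
# Registry paths/values are the standard Windows policy locations; read them from
# an elevated PowerShell session.

$checks = @(
    @{ Name     = 'AutoRun disabled for all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 255 },   # 0xFF = every drive type, including removable
    @{ Name     = 'autorun.inf commands never executed'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoAutorun'
       Expected = 1 },
    @{ Name     = 'All removable storage classes denied'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value    = 'Deny_All'
       Expected = 1 }      # strictest setting; only where the business can live without USB media
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured", so the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RemovableMediaHardening {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'WEAK' }
        }
    }
}

function Set-RemovableMediaHardening {
    # Remediation: write the hardened values (requires administrator rights).
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
    }
}

Test-RemovableMediaHardening | Format-Table -AutoSize
```

Run the audit across the fleet first; the Deny_All line will also block legitimate USB drives, so most firms apply the two AutoRun values everywhere and the storage denial only where removable media is not needed.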

Again, we find that the employee’s devices are the weakest link in most firms.  These devices are typically protected only by antivirus software and most hackers attack that point rather than working through a server or other external facing protections.

Don't even get me started about Bring Your Own Disaster policies. If your business has adopted a bring-your-own-device (BYOD) policy, however, all that preparation for avoiding outside risks may have been for naught. BYOD introduces some notable security threats firms didn't have to worry about previously. Employees are unknowingly your greatest threat: sources show that over 80% of security threats to mobile devices were attributed to careless employees. They don't mean to; it's just that the nature of their job gives them direct access to highly sensitive data. (https://www.checkpoint.com/press/2014/check-points-third-annual-mobile-security-survey-highlights-careless-employees-greatest-mobile-security-threat/)

Part-time employees come with all the same problems as full-time employees, only they know they are temporary. The risk is greater when there is no fostered loyalty. Sure, you might have them sign non-disclosure agreements, but if you are not keeping logs of everything going on, even the most trusted part-time employees might be very costly. They often have all the same access as full-time employees without the responsibility, and they are often easy phishing targets. Former employees sometimes get hostile after downsizing occurs; they might feel wronged and entitled to compensation. Employees who know they are leaving are also a substantial risk. What information did they take before they gave notice? And what about the access that former employees often retain even after they've left the firm? Firms without quick and decisive employee exit procedures, or without clear restrictions on remote access, can find that the path to data loss is much shorter than expected.

If a hacker has penetrated the network of a law firm's client (or vice versa), the email of in-house counsel, for example, it's then easy to identify the email addresses of outside attorneys and fabricate messages to deceive them. Once access is gained to a computer system, they typically have the ability and the desire to stay for a while and hide. Their goal is not to snatch information and leave, but to remain secretly entrenched, monitoring the flow of information and harvesting more valuable information. Hackers generally maintain a presence in corporate systems for months without detection, unless proactive measures are taken.

But two deeply researched reports being released this week underscore the less-heralded truth: The vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.

The best-known annual study of data breaches, the Verizon 2015 Data Breach Investigations Report, found that more than 23% of recipients opened phishing emails (the security industry's term for trick emails). Nearly 50% of users opened the emails and clicked on malicious links within the first hour of receiving them. Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90% of the time, Verizon found.

Most organizations are spending a large amount of money protecting their perimeter from the hacker hooligans, and while that is necessary, a targeted attack is often unstoppable. Meaning, if your firm is targeted by a hacker or a hacking organization, no matter how secure your perimeter is, most security experts will confirm that there is nothing you can do to prevent it from happening. Regardless of size, financial resources, security, technology... people are the weakest link when it comes to data breaches.

So why are firms not spending more time on understanding what their sensitive data is and where it lives? Once you understand what and where the data is, you can put controls in place and maintain the logs and information needed for a later investigation.

We think that following the tips below will go a long way toward avoiding a reportable data breach:

  • Passwords should be complex: use upper- and lower-case letters, numbers, symbols, and random phrases in your passwords.
  • Encrypt information as much as possible, whether produced to others or stored on your computers.
  • Have a proper file and data destruction policy.
  • Ask clients if any of their data warrants special protection and discuss how that data should be protected.
  • Turn on two-factor authentication to add another layer of security to your login process.
  • Educate often and routinely. When it comes to protecting a company from its own employees, there needs to be a balance between reasonable access and security.
  • Enact/revise/update internal policies and processes.
    • Understand the security issues that can arise with cloud computing services and mobile devices.
  • Conduct risk assessments, including "ethical hacking" assessments.
    • Analyze internal security strength, audits, and policies.
    • Assess the strength of vendors, suppliers and partners, and evaluate contracts.
  • Formulate a data breach response plan.
    • Crisis response team (internal and external).
    • Conduct breach response drills annually.
    • Media/PR strategy.
  • Insure.
    • Consider a cyber risk policy to augment existing coverages.

CYBER UPDATE: Registered Investment Advisers and Broker-Dealers: SEC Says It's Your Turn to Pay Attention to Cyber Security

The Division of Investment Management (IM) of the Securities & Exchange Commission (SEC) has weighed in on the cyber security of registered investment companies ("funds") and registered investment advisers ("advisers"). It treats the topic as an important issue because both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to those activities, including information concerning fund investors and advisory clients, from third parties.

The IM recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

Conduct a periodic assessment of:
- the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
- internal and external cybersecurity threats to and vulnerabilities of the firm's information and technology systems;
- security controls and processes currently in place;
- the impact should the information or technology systems become compromised; and
- the effectiveness of the governance structure for the management of cybersecurity risk.

Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
- controlling access to various systems and data via management of:
    § user credentials;
    § authentication and authorization methods;
    § firewalls and/or perimeter defenses;
    § sensitive information and network resources;
    § network segregation;
    § system hardening; and
    § data encryption.
- protecting against the loss or exfiltration of sensitive data by:
    § restricting the use of removable storage media; and
    § deploying software that monitors technology systems for unauthorized intrusions, loss or exfiltration of sensitive data, or other unusual events.
- data backup and retrieval; and
- the development of an incident response plan.
- Routine testing of strategies could also enhance the effectiveness of any strategy.

Implement the strategy through:
- written policies and procedures; and
- training that:
    § provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
    § monitors compliance with cybersecurity policies and procedures.

What exactly is Spoliation?

Spoliation is simply the destruction of evidence. In its simplest form, spoliation is the destruction of, or failure to preserve, evidence that is necessary for use in contemplated or pending litigation. It may be willful, negligent or, in some situations, accidental, and the term has even been applied to the destruction of evidence that would have been helpful in litigation that is not yet contemplated.

ANNOUNCEMENT: A refreshing look in the new year

We are pleased to announce the release of our new website. This new look is the result of much hard work, dedication, and feedback from clients, prospects, partners, and trusted professionals.

Our goal is to provide our prospects, clients, and partners with valuable information about our services and to keep them current on the rapidly changing landscape of the legal and technical world.

Another year will bring another round of changes, but what need not change is the formula of hard work for getting good results. We always work hard and persevere to achieve the success we aim for.

Let's raise a toast to yesterday’s achievements and tomorrow’s brighter future. 

I wish you a tomorrow that is more prosperous, happy and successful than yesterday and today.

Have a safe, healthy, and successful 2015.  
