
Could Your Business Repel a Sophisticated Cyber Attack?

Written by: Cameron G. Shilling

Published in MA Society of CPAs' SumNews (November 2020)

(updated 1/25/2021)

Professional service businesses like lawyers, accountants, financial services, health care, etc. are prime targets of cyber crime. We are enticing targets because we possess large quantities of sensitive personal, financial, and health information that is highly valuable for identity and financial theft. Moreover, we are vulnerable targets because, unlike larger institutions, we have less time and money to invest to ensure that our security controls are strong enough to repel sophisticated cyber attacks, particularly ransomware attacks.

Additionally, we face increasing regulatory pressure to adopt best-in-class protections for our clients’ information. Such pressures emanate from federal laws (like HIPAA), state laws that reach across state borders (like the strict and progressive laws in Massachusetts, New York, and California), industry regulations (like legal ethics rules, I.R.S. Publication 4557, and SEC Regulation S-P), and foreign laws that apply to U.S. businesses (like the European Union, United Kingdom, and Canada). Fines and penalties for failing to comply with these laws and regulations are substantial, and typically follow a breach that was already painful enough.

It is imperative that professional service businesses stay ahead of the cyber security curve. Ransomware, phishing, and malware exploit the tiniest of gaps, resulting in the exposure of sensitive information or crippling your business operations for many days or even weeks. To reduce these risks, we must operationalize cyber security by: (a) conducting annual risk assessments with outside cyber security professionals, (b) identifying and mitigating all existing and potential vulnerabilities and threats, (c) implementing appropriate written policies and procedures, and (d) providing topical training to our workforces several times per year.

In addition to those routine processes, professional service businesses also need to ensure that we have implemented advanced safeguards that can repel sophisticated cyber attacks. Simply put, our risk exposure means that we need to up our game. The following are a few examples of advanced controls that we all should be implementing.

1.  Advanced Threat Detection: Anti-virus/anti-malware is old news, and largely ineffective against modern ransomware and malware. The current standard is to implement an application that detects anomalous activity, prevents the activity from occurring further, and quarantines infected data and systems. In fact, having multiple such applications may be necessary to ensure protection against sophisticated attacks.

2.  Multi-Factor Authentication: Passwords alone are not a particularly effective safeguard, because people too often use weak passwords that can be readily cracked, and use the same password on multiple accounts, enabling hackers to steal credentials for multiple systems by attacking one weak account. Multi-factor authentication requires both a password and another means of authentication, such as a device registered with the account, a code sent to a device registered with the account, or a biometric unique to the person permitted to access the account. Multi-factor authentication is not cutting-edge. However, we often do not have it implemented on all network and cloud applications that contain sensitive information, such as email, cloud storage accounts, and data transmission applications.

3.  Encryption: Encrypting data transfers and electronic devices is not optional. Professional service businesses must transmit sensitive information only via secure file transfer protocol (SFTP) links or portals or encrypted email. Similarly, we must ensure that data is encrypted on all laptops, tablets, smartphones, USB/external drives, and other mobile devices. For example, employees should use only company-owned and managed laptops with encrypted hard drives, the business should deploy a mobile device management (MDM) application that manages information on tablets and smartphones, and company computers should scan and encrypt all USB/external drives connected to them.

4.  Vendor Management: Our sensitive information is only as secure as our weakest vendor. Professional service businesses rely on vendors to provide critical services. We need to conduct appropriate due diligence to ensure that every vendor that receives sensitive information has adopted cyber security safeguards at least as protective as the controls we are required to implement. We also need to enter into a data security agreement with each such vendor to contractually solidify those safeguards, as well as to impose appropriate obligations and liability in the event of a breach.

Implementing the controls necessary to repel sophisticated cyber attacks can seem like a daunting task, particularly for individuals who are not trained in this area. However, ignoring the problem will not make it go away, and only invites a disaster. Effective cyber security can be accomplished by partnering with outside experts, and then committing to assessing our risk and implementing advanced safeguards to protect ourselves and our information.

Cam Shilling chairs McLane Middleton’s Information Privacy and Security Practice Group. Other members of the team include attorneys John Weaver, Annie Cho, and Katelyn Burgess and technology paralegal Dawn Poulson. Founded in 2009, the group assists businesses and private clients to improve upon their information privacy and security compliance, and address any security breach or incident that may arise.
