Published in MA Society of CPAs' SumNews (November 2020)
Professional service businesses like lawyers, accountants, financial services, health care, etc. are prime targets of cyber crime. We are enticing targets because we possess large quantities of sensitive personal, financial, and health information that is highly valuable for identity and financial theft. Moreover, we are vulnerable targets because, unlike larger institutions, we have less time and money to invest to ensure that our security controls are strong enough to repel sophisticated cyber attacks, particularly ransomware attacks.
Additionally, we face increasing regulatory pressure to adopt best-in-class protections for our clients’ information. Such pressures emanate from federal laws (like HIPAA), state laws that reach across state borders (like the strict and progressive laws in Massachusetts, New York, and California), industry regulations (like legal ethics rules, I.R.S. Publication 4557, and SEC Regulation S-P), and foreign laws that apply to U.S. businesses (like the European Union, United Kingdom, and Canada). Fines and penalties for failing to comply with these laws and regulations are substantial, and typically follow a breach that was already painful enough.
It is imperative that professional service businesses stay ahead of the cyber security curve. Ransomware, phishing, and malware exploit the tiniest of gaps, resulting in the exposure of sensitive information or crippling your business operations for many days or even weeks. To reduce these risks, we must operationalize cyber security by: (a) conducting annual risk assessments with outside cyber security professionals, (b) identifying and mitigating all existing and potential vulnerabilities and threats, (c) implementing appropriate written policies and procedures, and (d) providing topical training to our workforces several times per year.
In addition to those routine processes, professional service businesses also need to ensure that we have implemented advanced safeguards that can repel sophisticated cyber attacks. Simply put, our risk exposure means that we need to up our game. The following are a few examples of advanced controls that we all should be implementing.
1. Advanced Threat Detection: Anti-virus/anti-malware is old news, and largely ineffective against modern ransomware and malware. The current standard is to implement an application that detects anomalous activity, stops that activity from progressing further, and quarantines infected data and systems. In fact, having multiple such applications may be necessary to ensure protection against sophisticated attacks.
2. Multi-Factor Authentication: Passwords alone are not a particularly effective safeguard, because people too often use weak passwords that can be readily cracked, and use the same password on multiple accounts, enabling hackers to steal credentials for multiple systems by attacking one weak account. Multi-factor authentication requires both a password and another means of authentication, such as a device registered with the account, a code sent to a device registered with the account, or a biometric unique to the person permitted to access the account. Multi-factor authentication is not cutting-edge. However, we often do not have it implemented on all network and cloud applications that contain sensitive information, such as email, cloud storage accounts, and data transmission applications.
3. Encryption: Encrypting data transfers and electronic devices is not optional. Professional service businesses must transmit sensitive information only via secure file transfer protocol (SFTP) links or portals, or via encrypted email. Similarly, we must ensure that data is encrypted on all laptops, tablets, smartphones, USB/external drives, and other mobile devices. For example, employees should use only company-owned and managed laptops with encrypted hard drives, the business should deploy a mobile device management (MDM) application that manages information on tablets and smartphones, and company computers should scan and encrypt all USB/external drives connected to them.
4. Vendor Management: Our sensitive information is only as secure as our weakest vendor. Professional service businesses rely on vendors to provide critical services. We need to conduct appropriate due diligence to ensure that every vendor that receives sensitive information has adopted cyber security safeguards at least as protective as the controls we are required to implement. We also need to enter into a data security agreement with each such vendor to contractually solidify those safeguards, as well as to impose appropriate obligations and liability in the event of a breach.
Implementing the controls necessary to repel sophisticated cyber attacks can seem like a daunting task, particularly for individuals who are not trained in this area. However, ignoring the problem will not make it go away, and only invites a disaster. Effective cyber security can be accomplished by partnering with outside experts, and then committing to assessing our risk and implementing advanced safeguards to protect ourselves and our information.
Cam Shilling chairs McLane Middleton’s Information Privacy and Security Practice Group. Other members of the team include attorneys John Weaver, Annie Cho, and Katelyn Burgess and technology paralegal Dawn Poulson. Founded in 2009, the group assists businesses and private clients to improve upon their information privacy and security compliance, and address any security breach or incident that may arise.