The majority of data breaches happen to businesses with fewer than 100 employees. Cybercriminals often target small and midsize businesses because they tend to spend less on cybersecurity than larger organizations, which makes them easier targets. Your firm likely collects valuable data such as client, employee and vendor names, addresses, Social Security numbers, dates of birth, driver's license numbers and insurance information. That is everything a criminal needs to commit identity theft and other cybercrimes.
Ransomware is a real threat to all businesses.
Ransomware is malware that holds data hostage: it encrypts the victim's files and demands a payment for the key needed to restore them. It is usually associated with fake emails, called phishing emails, that carry dangerous links or malicious attachments. The email is "phishing" for a click so that it can silently launch a program that encrypts all the data the clicker has access to, including files on shared network drives. Once the program has encrypted everything it can reach, it displays a message extorting money in exchange for the promise of a decryption key. Phishing is not the only way in: ransomware also arrives through exposed remote-access services and stolen passwords, and many operators now copy data out of the network before encrypting it so they can threaten to publish it if the ransom is not paid.
Criminals are targeting law firms and other businesses that hold valuable data they cannot afford to lose. The risk of being caught spreading ransomware is much lower than for traditional hacking or other cybercrime. Firms have been shut down for weeks after successful ransomware attacks encrypted the entire network and made company data and systems inaccessible. Paying the ransom does not guarantee a working decryption key, and you don't want to be in that position in the first place.
Employ the following best practices to minimize the chance of data breaches.
- Secure passwords. Passwords are the key to networks, client information, online banking and social media. Password best practices include:
- Use strong passwords. The longer the better: length is what makes a password hard for thieves to crack, more than any single symbol. Include numbers, capital letters and symbols as well, and require strong passwords through system settings rather than relying on each user to choose them.
- Consider using passphrases. When possible, start from a phrase such as "I went to Lincoln Middle School in 2004" and take the first letter of each word, substituting a digit or symbol where it fits, for example "Iw2LMSi#2004".
- Don't use dictionary words. If it is in the dictionary, someone can guess it. Password-cracking software tries every dictionary word, common substitutions such as "0" for "o" and previously leaked passwords first, long before it tries random combinations.
- Don't post it in plain sight. This might seem obvious, but it is still common to find passwords on sticky notes attached to monitors.
- Use multi-factor authentication. Set up multi-factor authentication that requires your phone or another physical device in addition to the password, at a minimum when logging in from a new device. An authenticator app or hardware security key is preferable to codes sent by text message, which can be intercepted or redirected.
- Don't reuse passwords; consider using a password manager. A password manager generates a unique, random password for every site and stores them encrypted under one master password (protected by a second factor), so one breached website does not hand criminals the keys to your other accounts.
- Encrypt data. The best way to protect sensitive information that leaves your control is encryption. Under many federal and state regulations, encryption is a "safe harbor": if a mobile device is lost or stolen and the data on it is encrypted, the incident generally does not count as a reportable breach. The safe harbor only applies if the encryption key was not lost along with the device, so a laptop that is stolen while unlocked, or with the password written on a note in the bag, does not qualify.
Consider full-disk encryption for mobile devices, laptops, USB drives and workstations, and encryption for email. Without encryption, a stolen device is a data breach. Emails can contain sensitive information and should be encrypted as well; secure email protects the data while it is sent and while it sits in the recipient's mailbox.
- Provide Employee Security Training. Employees are your weakest security link. An IBM study found that human error was a factor in 95 percent of data breaches. Typical mistakes include falling victim to a phishing or ransomware attack, losing a laptop or smartphone, and sending sensitive information to the wrong recipient.
Employees need security training to help prevent the mistakes that lead to data breaches. They should know how to spot phishing emails and phishing websites, and understand the dangers of email attachments. Cybercriminals develop new scams and attacks every day, so employees should be reminded frequently, with fresh content, through an ongoing security awareness program.
- Have a professional data backup and disaster recovery system. Backing up data protects your business from data loss due to failed servers or malicious code such as ransomware. Business-grade backups ensure that data is recoverable. Employ automated backups that securely copy data offsite, and keep at least one copy offline or otherwise out of reach of an attacker who has taken over the network, since ransomware will encrypt any backup drive or share it can write to. Test your backups periodically by actually restoring from them, not just by checking that the backup job reported success, to ensure the data is recoverable.
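"Test your backups" means doing a restore and comparing the result with the original. The following is an added example, not code from the original article: a Python script that archives a folder, records the archive's SHA-256 hash, and then verifies it by checking the hash, restoring the archive into a scratch directory and comparing the restored files with the live data by content. The sample folder and files are constructed inside the script so it runs offline.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> str:
    """Archive `source` as a gzip tarball and return the archive's SHA-256 hash.

    The hash is recorded with the backup so later corruption or tampering is detectable."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return sha256_file(archive)


def _tree_digest(root: Path) -> dict:
    """Map every file under `root` (relative path) to its content hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_backup(source: Path, archive: Path, expected_sha256: str) -> bool:
    """Restore test: hash must match, and the restored tree must equal the live data."""
    if sha256_file(archive) != expected_sha256:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter (Python 3.12+, backported to 3.11.4/3.10.12/3.9.17/3.8.17)
            # refuses absolute paths, "..", and links that escape the target directory.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = Path(scratch) / source.name
        return _tree_digest(source) == _tree_digest(restored)


def demo() -> tuple:
    """Constructed sample data: a good restore, a corrupted archive, and a stale backup."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "matters"
        (source / "client-a").mkdir(parents=True)
        (source / "client-a" / "engagement.txt").write_text("Engagement letter, 2024-01-15\n")
        (source / "billing.csv").write_text("matter,hours\nA-1001,3.5\n")
        archive = work / "matters-backup.tar.gz"

        digest = create_backup(source, archive)
        good = verify_backup(source, archive, digest)

        # A single appended byte (bit rot, truncation, tampering) changes the hash.
        with open(archive, "ab") as f:
            f.write(b"\x00")
        corrupted = verify_backup(source, archive, digest)

        # Clean archive, but the live data changed afterwards and no new backup ran.
        digest = create_backup(source, archive)
        (source / "billing.csv").write_text("matter,hours\nA-1001,4.0\n")
        stale = verify_backup(source, archive, digest)

        return good, corrupted, stale


if __name__ == "__main__":
    print("good, corrupted, stale =", demo())
```

The three outcomes are the cases a periodic restore test should distinguish: the archive is intact and matches (pass), the archive has changed since it was written (fail on the hash before anything is extracted), and the archive is intact but the live data has moved on, which usually means the scheduled backup job has silently stopped running.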
- Perform a security risk assessment. A security risk assessment (SRA) is a critical step in understanding the risk to your firm. An SRA inventories client, employee, vendor and other sensitive data and helps you understand where that information is stored and who can access it. It identifies how you are currently protecting the data and recommends additional security measures that would lower your firm's risk. Without a thorough understanding of risk, it is difficult to choose the safeguards your business actually needs. Consider performing an assessment annually, and continually chip away at the resulting action plan.