Episode 26 of Legal Marketing Radio, “Keeping Your Clients’ Data Secure, with Scott Dresen” is available now! You can use the player below to listen here, or you can visit our SoundCloud page or the iTunes store to download and subscribe to the podcast.
Legal Marketing Radio is a podcast that covers legal marketing tips and strategies (courtesy of the team at LaFleur and special guests) as well as news, trends, and cutting-edge innovations in the overlapping worlds of legal, digital, and content marketing.
Our guest for this month’s episode is Scott Dresen, the chief technology officer and chief information security officer for the West Michigan-based managed healthcare organization Spectrum Health. As Spectrum Health’s CTO and CISO, it’s Scott’s job to stay on top of common and emerging cyber-threats and manage information security risk for one of the largest healthcare organizations in Michigan. Scott joined us to discuss what he’s learned and provide practical tips that law firms of all sizes can apply to keep their data secure.
What Cyber-Threats Do Law Firms and Other Small Businesses Face?
Although cybercriminals are creating new ways of launching cyber-attacks, Scott says most of the more common methods for breaching small companies’ data have been around for quite a while. These include:
- Phishing scams
Phishing scams are also known as business email compromise (BEC) scams. In a phishing attack, a cybercriminal uses email to try to trick the recipient into opening a malicious attachment or navigating to a website that is loaded with malware or ransomware. One of the reasons phishing remains popular among cybercriminals is that it exploits one of the weakest points in most organizations’ security: the email users themselves. Phishing attacks cause major losses for U.S. businesses; in fact, cybercriminals have stolen more than U.S. $5 billion over the past three years through phishing attacks, and about 7,700 organizations fall victim to phishing scams every month.
- Watering holes
A watering hole occurs when a hacker takes over a legitimate website and turns it into a malicious one. Often, the owners of the compromised website have no idea it has been taken over. Usually, the goal of the now-malicious site is to install malware on visitors’ devices. Typically, this only happens when a user clicks a link, downloads a file, provides information, or interacts with the website in some other way.
- Drive-by downloads
A drive-by download happens when a malicious website tries to install software on your computer. Often, you won’t be prompted for permission, and you won’t even know the download has occurred. Drive-by downloads usually succeed because of inadequate security controls or outdated operating systems, which is why it’s important for all your firm’s employees to keep their operating systems and other software up to date.
Cybersecurity Best Practices for Law Firms: A Checklist
- Use secure passwords
  - Complexity: a strong password should contain at least 10 characters and include a combination of uppercase and lowercase letters, numbers, and symbols
  - Uniqueness: don’t reuse passwords; use each password for only one account
  - Use password management software: examples include 1Password and LastPass (we use LastPass here at LaFleur)
- Use two-factor authentication wherever possible
  - Two-factor authentication (2FA) adds an extra step to your login procedure, but it makes your accounts much more secure
- Know where your important data is located and back it up
  - Be sure to test your restore process regularly
- Secure your networks
  - Secure your workplace Wi-Fi
  - Keep employees separate from guests on your company network
  - Use a virtual private network (VPN) on public networks
- Always keep your software, systems, and applications updated
- Use firewalls
  - Firewalls can protect your company network, so enable them on all company computers and laptops
- Protect mobile devices
  - Require a device-specific PIN or password for all mobile devices that connect to company networks and resources
- Create a security policy and educate employees on risk
  - Teach employees about phishing and the threat it poses
  - Watch out for suspicious email communications
  - Operate by the old Russian motto: “Trust, but verify”
- Encrypt your data
  - Require encryption on company workstations and laptops
  - Only use encrypted USB drives
- Use secure websites and secure your firm’s website
  - Check for and use the secure sockets layer (SSL) security protocol (at LaFleur, we provide this for all our clients at no additional charge)
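The two password rules at the top of the checklist (complexity and uniqueness) are the kind of thing a firm can actually check rather than just recommend. The script below is an added example written for this page, not code from the episode, from LaFleur, or from any password manager; the account names and passwords in it are constructed sample data. It reports which of the checklist's complexity rules a password breaks and flags any accounts that share the same password.

```python
from __future__ import annotations

import re

# Checklist rule: at least 10 characters
MIN_LENGTH = 10

# Checklist rule: uppercase and lowercase letters, numbers, and symbols
CLASS_PATTERNS = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def password_problems(password: str) -> list[str]:
    """Return the checklist rules this password violates (empty list = passes)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if re.search(pattern, password) is None:
            problems.append(f"missing {name}")
    return problems


def find_reused_passwords(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share a password (the uniqueness rule).

    Only the account names are returned, never the password itself, so the
    report can be shared without exposing credentials.
    """
    by_password: dict[str, list[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return [names for names in by_password.values() if len(names) > 1]


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Combine both checks into one report keyed by account name."""
    report = {account: password_problems(pw) for account, pw in accounts.items()}
    for group in find_reused_passwords(accounts):
        for account in group:
            others = ", ".join(a for a in group if a != account)
            report[account].append(f"same password as: {others}")
    return report


# Constructed sample data for the demonstration (not real credentials)
SAMPLE_ACCOUNTS = {
    "email": "Wint3r!Skyline",
    "case-management": "Wint3r!Skyline",   # reused from "email"
    "bank": "tr0ub4dor&3",                 # no uppercase letter
    "vpn": "password",                     # fails most rules
}

if __name__ == "__main__":
    for account, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{account:16} {status}")
```

In practice the account list would come from a password manager export rather than a literal in the script; the checks themselves do not change.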
Enjoy the show, and don’t forget to check back next month for another new episode!