LOMAP Tech Tips

Five Benefits of Using Cloud Computing for Law Firms

Posted By Sara E. Rust-Martin, Friday, March 23, 2018

Today's blog was contributed by Tim Atmar of CyberlinkASP:


Cloud computing, or Desktop as a Service (DaaS), has been growing in interest and use by law firms of all sizes, largely due to the continued development of the Cloud and better security features. Our Legal DaaS is available in a variety of different configurations based on a firm’s needs and requirements, and each of your hosted virtual desktops can be customized to individual users.

Five benefits your Firm can gain with Legal DaaS:

  1. Cost Savings – Instead of budgeting for hardware upgrades, server patches or replacements, your firm only needs to budget for DaaS subscriptions, which include all your applications (including your document management and time & billing software), your data, the Microsoft Office suite, Outlook/Exchange and a host of security and compliance features.
  2. Managed IT – With our US-based support, your firm will have 24x7 access to our award-winning service team to ensure your network, applications, printers, etc. are operating at peak performance.
  3. Mobile Access – Your employees can access their virtual desktops from anywhere over the Internet. In addition, virtual desktops can be accessed from a variety of devices, including smartphones and tablets.
  4. Data Saved in a Central Location – All files and data are stored in a central location rather than on multiple local workstations, and it is backed up on a regular basis, further reducing the risk of data loss from hardware failure.
  5. Cybersecurity and Compliance – Our Legal DaaS gives your firm the ultimate in security and compliance. Your data is protected by a Fortigate network with a complete team of security professionals monitoring links and intrusions. The Legal Cloud is HIPAA, SOX and SSAE16 compliant and audited annually for your firm’s protection.

To learn more about our Legal DaaS and application hosting solutions for your firm, call Tim Atmar at CyberlinkASP at (512) 574-1594 or go to More Information.

Tags:  Cloud Computing for Law Firms  CyberlinkASP  cybersecurity 


5 Cybersecurity Steps You Should Already Be Taking

Posted By Sara E. Rust-Martin, Tuesday, January 16, 2018

If you have not noticed yet, the ABA Journal is undertaking a yearlong cybersecurity series.

Our intent is to explore this complex and tangled issue piece-by-piece to make sense of the current thinking around data protection, legal ethics and regulation.

Admittedly, these articles are often a bird’s eye view of an issue that affects every person and business a little bit differently. Additionally, targets (that’s you) experience online threats differently based on who they are and what data they have. This makes it hard to promote one-size-fits-all recommendations.

To overcome some of the amorphousness that surrounds this topic, we wanted to provide a more concrete checkup that anyone, attorneys to zookeepers, could benefit from.

This checklist comes with the usual disclaimer that you should engage in a threat assessment of your own situation to know what is the best way to protect your data. Further, these are not foolproof recommendations. Nevertheless, if you are not doing the things below, you are likely less safe for it.

    1. Have you been pwned? It is pretty safe to say we have all been hacked or compromised at this point. Between the breaches of Equifax, LinkedIn and Yahoo, information from billions of accounts has spilled out into the world. But were you one of them? While it is impossible to be 100 percent certain, there is one way to see if your account information has fallen prey to a hack. By going to haveibeenpwned.com, you can type in your email addresses or usernames to see if they come up in the site’s database of publicly known hacks. If a hack has occurred but it has not been verified or made public, then the site will not have that information. However, it is a good first step to know if your passwords have been compromised. 

    2. Consider a password manager. If your email address came up on haveibeenpwned, your palms are probably sweaty and fear has overtaken you. This is normal, but not necessary. Let us channel that nervous energy towards getting serious about passwords. Even the grinning readers who did not see their email on the website should follow along. A password manager will help you store your bevy of passwords, which should all be as unique as a snowflake. No longer will you need gimmicks to remember which password had an exclamation point or the capital “T” in it. The manager will handle that for you. While not hawking particular software, the Electronic Frontier Foundation has some handy questions to vet a company promising you security: 

    • Is the company clear about the limitations of its product? Do not trust companies that promise the world or use buzzwords like “military grade.” That is gibberish and should be discounted.

    • Does the company share its threat model in case of a compromise? Mature companies who trust in their product will be transparent about the attacks they are prepared for and how they are prepared. Look for this documentation.

    • Does the company say it cannot or will not access your data? You might have to read the terms of service, but companies that cannot access your data by design are better. “Will not” leaves the backdoor ajar.

    • What do users say? Like everything else, you can find online reviews of password managers. Do people still trust the tool? Has the company made unfortunate headlines recently? These are all things to consider in your decision.

    When you are thinking about which manager to use, Princeton’s Center for Information Technology Policy found that the password managers that come default in many browsers are being used by ad trackers to scoop up your data. 


    3. Treat yourself to better passwords. It is 2018, and a password under seven characters that combines your dog’s name and your birth year is not sufficient. Nor is it cool that you have a dozen passwords that are permutations of each other. While a password manager (see above) will help keep your online life in order, you still need quality passwords to make the software worthwhile. The National Institute of Standards and Technology updated their password guidelines last year, and they recommend that you create a strong password, or a longer passphrase where possible, that avoids the maddening nature of passwords with upper-case, special symbols and numbers. Think of a line from a book or song that is not that popular and is easy for you to remember. This is especially important for master passwords to things like that new password manager you got after reading this article. Also, unless you are breached, NIST no longer recommends making periodic changes to your password. If it is not broken, do not fix it. Last, NIST recommends avoiding password hints or knowledge-based authentication, which brings us to… 

    4. Two-factor authentication! I hope that when you saw that header, you smugly thought to yourself, “I already do that.” If so, you’ve graduated to step five. However, if you do not know what two-factor authentication is, keep reading. Two-factor authentication is a two-step process to signing into an account. Instead of merely typing your password and logging in, two-factor will send you an email or text message with a unique passcode to enter before you can access your account. The hope here is that if your password is compromised, you have a second line of defense. All major companies have two-factor now, so take advantage of it. (For a list of sites with two-factor authentication check out twofactorauth.org.) 

    5. Encrypt your devices. While the word “encrypt” can sometimes make people feel uneasy, it has become a painless, low-cost way to protect your information. Doing so can make you feel slightly more secure if you lose or misplace your device. Android, Apple and Microsoft now all have turnkey encryption for their devices. Google’s Pixel and Samsung’s Galaxy S8 and later phones come encrypted. For iPhone users, it is as easy as turning on your passcode, which Apple says 89 percent of its customers already do. Windows, as well, makes it easy to turn on BitLocker, their encryption service. With this step, do not forget to also encrypt external storage devices you use for documents or pirated MP3s from college.

With all of this being said, stay vigilant. As a digital consumer, you are constantly playing defense against an ever-evolving offense. While these tips work for today, they may not in the future. To keep abreast of changing threats and best practices, keep track of the Journal’s ongoing series and other trustworthy news sources.

Tags:  cybersecurity  Legal Technology 


Have You Considered Adding Video Conferencing to Your Practice?

Posted By Sara E. Rust-Martin, Thursday, November 9, 2017


According to a study conducted by the Legal Technology Resource Center of the American Bar Association, only about 20% of lawyers were using video conferencing in 2016. And, of those 20%, only about 4% were using video conferencing regularly. Compared to other businesses, that is far below average. Why? The study didn't reach that far, but there are several reasons why attorneys may not be using video conferencing. They may be skittish about the technology, unsure about the security features, and unclear about how to make client confidentiality work in the context of both technology and security. But other businesses are using these tools regularly because video conferencing can reduce travel and other related costs by as much as 30%.

Video conferencing comes with many benefits, particularly in a rural state such as Kansas where traveling to meet with clients can be costly and transportation can be an issue for many clients. Setting up video conferencing in one’s office can allow an attorney to meet with more clients in one day than would be possible by travel alone. And, it can allow the attorney to cover a wider catchment area as well, thereby potentially meeting needs in underserved areas.

The most important question to ask when considering video conferencing is what am I wanting this service to do for me? This question will allow you to sort through potential products and services out there in the realm of video conferencing to find the one that works best for you.

·         Do you want to collaborate on documents with clients, share screens, and chat with clients and participants while on the conference?

·         Will you use one room in the office for video conferencing that will remain set up with all of the necessary tools or will you be carrying your laptop around to do video conferencing on-the-go?

·         Are you looking for a cloud-based service and, if so, what questions do you need to ask to know what happens after the call(s) – where is the data stored and what type of security is used?[i]

Additionally, the attorney will want to consider the cost of the product. There are some free products out there, but not many. A few, such as Zoom, will allow you to use the product for free up to 40 minutes and up to 50 participants, but if you want to add the additional features, support, and functionality, then you must pay for the service. And, this is true across the board. In order to have access to increased functionality and features, the attorney will need to pay for the service and the product.[ii]

When selecting a product, be sure to pick a tool that is easy to use. You will need to be competent on this tool so by picking one that is easy to master you will better ensure your ability to reach the level of competence. Also, your clients will need to use this product and if there is an excessive amount of downloading and technological sophistication needed to use it then you may have upset clients and decreased satisfaction with your services.

Support is an important feature to think about when considering video conferencing. Paying for a product will increase the accessibility to support and this will allow the attorney to focus on being the attorney on the call and not the tech expert. Thus, if the client has trouble logging in, or there is a problem with the platform, then there is someone else to call other than the attorney having to try to troubleshoot all of the tech issues along with the legal ones.[iii]

Some accessories may be necessary to make your video conferencing services flow. You will need a computer, security software, and the video-conferencing service. Zoom, Google Hangouts, Skype for Business, WebEx, and GoToMeeting are just a few of the services on the market today. You will want to explore the products available to find the right fit for your practice. Additionally, when setting up video conferencing in your practice you will want to make sure you have a high-quality webcam and headphones. Even if you are the only one in the room, or in the building, you may want to use headphones. Oftentimes, speaking directly toward the computer can leave a muffled echo that does not sound professional. You will want to test your sound quality prior to the first video conference with a client.[iv]

When considering any type of technology every attorney must consider the implications to client confidentiality. Given the range of ethical issues raised by using technology in a law practice, we must always try to identify appropriate security measures to keep client information safe and protected. Here are a few questions to ask regarding technology and data security at your firm:

·         Are your physical, organizational and technological security measures adequate?

·         Are you using firewalls and intrusion detection software appropriately?

·         Are you using anti-malware software appropriately?

·         Are there firm policies in place regarding technology use?

·         Are firm lawyers and staff given adequate technology training?

·         Do you have measures in place to ensure data integrity?

·         Is your data backed-up?

·         Are your passwords, other access restrictions and authentication protocols sufficient?

·         Do you use encryption, where appropriate?

·         When discarding equipment, do you take appropriate measures to guard against unauthorized disclosure of client information?

·         Is there an incident response plan in place at your firm?[v]

Once a choice is made regarding a type of security, a video-conferencing product, and the place and type of storage for client information, all of this information should be listed in the client engagement letter providing notice to clients about how and where their information will be kept and secured by the firm.

Video conferencing can open your practice to new areas, new clients, and new possibilities. While there are many things to consider before jumping into video conferencing, it can be an exciting opportunity to grow your practice. Before starting, you will want to remember to arrive at your conference early, every time, because software glitches happen, and you want to be prepared. If you are early to the conference, then you have a chance to troubleshoot problems and glitches. And remember, if you are on the screen, or in the room, then people can see you. You are always visible during a video conference, so be prepared to watch your mannerisms and facial expressions and be “on” for the entire call. [vi]

If you have any questions related to video conferencing, contact Sara Rust-Martin, KBA Law Practice Management Attorney, 785-861-8821, or srustmartin@ksbar.org



[i] Why Video Conferencing Belongs in the Law Firm. Law Technology Today. (May 12, 2017).

[ii] Why Video Conferencing Belongs in the Law Firm. Law Technology Today. (May 12, 2017).

[iii] Why Video Conferencing Belongs in the Law Firm. Law Technology Today. (May 12, 2017).

[iv] Why Video Conferencing Belongs in the Law Firm. Law Technology Today. (May 12, 2017).

[v] Legal Ethics in a Digital World, The Canadian Bar Ass’n (2014).

[vi] Why Video Conferencing Belongs in the Law Firm. Law Technology Today. (May 12, 2017).

Tags:  cybersecurity  data protection  legal technology  Video Conferencing 


Cybersecurity Alert: All 3 Billion Yahoo! Accounts Breached

Posted By Sara E. Rust-Martin, Thursday, October 5, 2017


If you have email affiliated with a Yahoo! Account, be sure to check it if you haven’t already.

Yahoo started sending out notifications on Tuesday that the breach it disclosed in 2016 was far greater than originally reported: every account, about 3 billion in all, was affected.
Today, Yahoo account holders should follow these steps from PC World and CNet. Users should also evaluate their options and consider migrating to a different email platform. CNet shows users how to import data from Yahoo to a Gmail account, or users can follow these tips from UpTime JurisPage to set up a custom email address.

Tags:  cybersecurity 


Safeguard Your Data

Posted By Sara E. Rust-Martin, Tuesday, August 22, 2017


Posted: 18 Aug 2017 05:23 AM PDT

Safeguarding your business and personal data has never been more difficult or more important. How do you safeguard sensitive/confidential data? The manner of protection often depends on what kind of data you are safeguarding and how important or sensitive it is to you, your organization, or your customers.

Here are some tips on how to protect your data at work and at home.

Password-Protect Your Access
Always use a strong password or pass-phrase to protect access to your data.

Identify Where the Data Is Stored
Have specific places within your network or computer where you store sensitive/confidential data. Those network shares, hard drives, servers, or system folders can then have specific protection methods used to keep them more secure.

Encrypt Stored Sensitive/Confidential Data
Whenever possible, encrypt stored sensitive/confidential data, whether it is being permanently or temporarily stored. This can help prevent unintended disclosure even if your system has been compromised.

 

Thank you to Florida Bar Association’s PRI for today’s Security Awareness Tip!

Tags:  cybersecurity  data protection 


No More Ransomware: How One Website is Stopping the Crypto-Locking Crooks in Their Tracks

Posted By Sara E. Rust-Martin, Monday, July 31, 2017

 


It is about time the good guys caught up to the bad ones, or at least they are working on it. The site described in this article collects ransomware decryption tools and lets the user upload an encrypted file, which it then diagnoses: it identifies which ransomware encrypted the file and offers a tool to decrypt it, if one exists and is available. When using such a service, upload a small, non-sensitive encrypted file and the ransom note for diagnosis rather than a client document, since you are handing the file to a third party. This site could be extremely helpful to someone caught in a ransomware attack, or to someone who wants to become more savvy and educated about cybersecurity.

Really, that should be all of us because if it hasn't affected us yet, it likely will.

To read the full article, cut and paste the below link into your browser:

http://www.zdnet.com/article/no-more-ransomware-how-one-website-is-stopping-the-crypto-locking-crooks-in-their-tracks/

 

 

Tags:  cybersecurity 


Security Awareness Tip: Multi-Factor and Two-Step Authentication

Posted By Sara E. Rust-Martin, Thursday, July 20, 2017


Want to better protect your information? Below are two types of authentication that can help safeguard your data and identity.

Multi-factor authentication is an approach to authentication which requires the presentation of two or more of the following “factors”: a knowledge factor (something you know), a possession factor (something you have), an inherence factor (something you are) and a location factor (somewhere you are).

Using your PIN (“something you know”) while making a purchase with your debit card (“something you “have”) is an example of multi-factor authentication.

Two-step verification, another useful authentication method, sends a verification code to a user’s phone after the user enters his or her username and password; this code must be entered to gain access to the account. Several websites, web applications and e-mail service providers offer this option. If it is offered, it is worth enabling for better security. Where the site gives you a choice, prefer codes generated by an authenticator app, or a hardware security key, over codes sent by text message: text messages can be intercepted or redirected by an attacker who has your phone number moved to a SIM card they control.
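How the codes behind the two-step and two-factor schemes described here (and in item 4 of the “5 Cybersecurity Steps” post above) are actually produced, as an added example that is not part of the original post or of any vendor’s software: the HOTP/TOTP algorithms (RFC 4226 / RFC 6238) that authenticator apps implement, in Python using only the standard library. The secret is the RFC’s published test-vector key, chosen so the outputs can be checked against the RFC appendix; the server-side verify function, its one-step clock-skew window and its replay check are my illustrative design, not a specification.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, i.e. the math inside an authenticator app.

Added example; not code from the page. TEST_SECRET is the RFC 6238
Appendix B SHA-1 test key "12345678901234567890" (ASCII) so the values can
be checked against the RFC. A real deployment stores a random per-user
secret and shares it with the user's app once, usually via a QR code.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

TEST_SECRET = b"12345678901234567890"   # RFC test-vector key (not for real use)
TIME_STEP = 30                          # seconds per code, the usual default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 'dynamic
    truncation': the low nibble of the last MAC byte picks a 4-byte window,
    whose top bit is cleared, and the result is reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """Code for the current 30-second window (or for a given Unix time).
    TOTP is just HOTP with the counter = floor(unix_time / TIME_STEP)."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now) // TIME_STEP)


def verify_totp(secret: bytes, submitted: str, last_used_step: int,
                at_time: Optional[float] = None,
                window: int = 1) -> Tuple[bool, int]:
    """Server side (illustrative design). Accept the code for the current
    step or +/- `window` steps to tolerate clock skew, compare in constant
    time, and refuse any step at or before the last accepted one so that a
    code sniffed from the user cannot be replayed within its 30 seconds.
    Returns (accepted, new_last_used_step) for the caller to persist."""
    now = time.time() if at_time is None else at_time
    current = int(now) // TIME_STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue                     # replay, or older than last success
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0 and 1 give 755224 and 287082.
    print("HOTP(0):", hotp(TEST_SECRET, 0))
    print("HOTP(1):", hotp(TEST_SECRET, 1))
    print("TOTP at t=59:", totp(TEST_SECRET, at_time=59))
    print("current code:", totp(TEST_SECRET))
```

The verify step is the part most implementations get wrong: the skew window should be small (one step either side is plenty for phones that sync their clocks), the comparison must be constant-time, and the last accepted step must be stored per user, otherwise a code seen over the shoulder or in a phishing proxy is good for the rest of its window.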

Tags:  cybersecurity 


Navigating a Ransomware Attack

Posted By Sara E. Rust-Martin, Monday, May 22, 2017

 


 

Last week, the ransomware “WannaCry” hit hospitals, universities, and many other institutions and organizations here in the United States and abroad. Ransomware is a distinctive form of malware. Once it gets into a network, it encrypts users’ files so they can no longer be opened. The files are held hostage, and the users are told to pay a ransom to be given the decryption key. 

There is a good chance that ransomware could affect you at some point during your career. So, if you find yourself in the middle of this difficult situation, take a deep breath and know that there are steps you can take to minimize the damage. Here are some questions to ask to help you through this process:

1. Where did the ransomware start?

Which user opened the infected email or file? The person who brought the problem to your attention may not be the person who opened the infection. You may need to examine the properties of one of the encrypted files or ransom notes to determine the file owner and when it was written; the account that owns the earliest encrypted files is usually the one that ran the malware. Ask questions of your staff and partners. 

Ask users to retrace their steps. Did they:

Open any new documents?
Click on any attachments or links in an email?
Visit any websites they don’t normally visit?

2. How far has the ransomware spread?
Once a user has opened the infection, usually through an email or attached file, that person’s computer is infected. But the ransomware can spread beyond that machine throughout the network, so the first step is to determine how many machines are affected, then isolate those machines and disconnect them from the network to prevent further spread. Most ransomware strains rename the files they encrypt, typically by appending an extension such as .Dharma or .CrySis. Looking for these extensions on workstations and network shares can help you determine how far the infection has spread.

3. How can I determine the type of ransomware with which I’ve been infected?
Determining the type of ransomware with which you’ve been infected is a key step because it may help you decide whether to pay for the decryption key. Not all ransomware attacks are effective, and not all of them actually encrypt the data. Some ransomware types can be decrypted without paying for a key, and still others are notorious for not delivering working decryption keys even after payment. These examples illustrate why you would not want to pay the ransom. But there are other, more sophisticated ransomware tools that will make your decision more difficult. 

It is always important to fully understand what you are working with before deciding what to do. As of May 15, only about $55,000 in bitcoin had been paid in the massive “WannaCry” attack. While this is a lot of money, it is not significant given the number of WannaCry infections across the globe. This amount is expected to grow, although no one knows by how much.

WannaCry is different from other ransomware attacks. Where “Locky” required user interaction, such as opening an attachment or link, WannaCry spread automatically to any Windows machine that had not installed Microsoft’s March 2017 security update (MS17-010) for the SMBv1 file-sharing vulnerability it exploited. Once it was inside a network it spread like wildfire. 

For those of you who have not updated your computers, Microsoft offers guidance for protecting your computer here:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


The information provided by the ransomware, in the URL and on the ransom screen, can give some insight as to the type that has infected your computer. If you can’t identify the ransomware from the URL or ransom screen, try the extension it appended to your files and the name of the ransom note it dropped. Many strains also leave an executable (.exe) behind, although some arrive as scripts, Office macros or DLLs instead. Search the web for the ransom screen message, the extension or executable name, and even some of the random things that are happening to your office computers. There are probably others out there who have had similar experiences and might be able to offer you some advice.
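A small triage script for questions 1 through 3, added here as an example and not part of the original post: it walks a directory tree (a workstation or a mapped share), counts files whose extension or name matches a known ransomware indicator, groups the hits by folder to show how far the infection spread, guesses the family, and reports the earliest-modified hit and its owner as a lead on where the infection started. The indicator table holds only the two extensions named above plus WannaCry’s and Locky’s, as an illustration; real triage should pull current indicators from a source such as the decryption-tool site discussed in the “No More Ransomware” post. The sample share it scans is constructed by the script itself.

```python
"""Ransomware triage scan: where did it start, how far did it spread, and
which family is it?

Added example, not code from the page. The indicator tables are a small
illustrative mapping (the two extensions the post names plus two well-known
ones); extend them from a current source before relying on them. The
directory tree scanned in the demo is CONSTRUCTED by build_sample_tree().
"""
import os
import shutil
import tempfile
import time
from collections import defaultdict

# extension (lower-case) -> family. Illustrative; extend from a current source.
KNOWN_EXTENSIONS = {
    ".dharma": "Dharma/CrySis",
    ".crysis": "Dharma/CrySis",
    ".wncry": "WannaCry",
    ".locky": "Locky",
}
# ransom-note filenames (lower-case) -> family. Same caveat.
KNOWN_NOTES = {
    "@please_read_me@.txt": "WannaCry",
    "_locky_recover_instructions.txt": "Locky",
}


def scan_tree(root: str) -> dict:
    """Walk `root` and collect every file whose name or extension matches a
    known indicator. Returns per-directory hit counts (spread), family
    guesses, and the earliest-modified hit with its owner (origin lead)."""
    hits_by_dir = defaultdict(int)
    families = defaultdict(int)
    earliest = None                       # (mtime, path, uid)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            family = KNOWN_NOTES.get(lower)
            if family is None:
                family = KNOWN_EXTENSIONS.get(os.path.splitext(lower)[1])
            if family is None:
                continue                  # not an indicator we know
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            hits_by_dir[dirpath] += 1
            families[family] += 1
            if earliest is None or st.st_mtime < earliest[0]:
                # st_uid is the owner on POSIX; on Windows it is always 0,
                # so use the file's Properties > Security tab there instead.
                earliest = (st.st_mtime, path, st.st_uid)
    return {
        "total": sum(hits_by_dir.values()),
        "by_dir": dict(hits_by_dir),
        "families": dict(families),
        "earliest": earliest,
    }


def build_sample_tree() -> str:
    """CONSTRUCTED sample share: two encrypted files in two folders, a ransom
    note, and one untouched file. 'accounting' was hit first."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    base = time.time() - 3600
    layout = [
        ("accounting/ledger.xlsx.WNCRY", base),            # first file touched
        ("accounting/@Please_Read_Me@.txt", base + 5),     # ransom note
        ("clients/smith/contract.docx.WNCRY", base + 600),
        ("clients/smith/notes.txt", None),                 # clean file
    ]
    for rel, mtime in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"demo")
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


def demo_report() -> dict:
    """Build the constructed share, scan it, clean up, return the report."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = demo_report()
    print("indicator hits:", report["total"])
    print("by folder:", report["by_dir"])
    print("family guess:", report["families"])
    print("earliest hit (mtime, path, uid):", report["earliest"])
```

Run it against a real share with `scan_tree(r"\\fileserver\clients")` (or a mounted path) from a machine that is not itself infected, and read the results as leads rather than proof: the earliest-modified encrypted file points at the first victim folder, and the folder counts tell you which workstations and shares to pull off the network first.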

4. Can I get my files back? 
Your files are encrypted, and unless you have the decryption key you are not going to be able to access them. As discussed earlier, there are flawed ransomware infections that computer experts have been able to decrypt without a key, but most of the time it will take the key. The best option available to you is to have a backup of your files, whether on disc, off-site, in the cloud, or wherever you choose to keep them. Best practice is to keep two backup locations so you are able to keep working should your on-site data be attacked, and at least one copy should be offline or otherwise disconnected from the network, because ransomware will encrypt any backup drive or mapped share it can reach. Another question to consider, if you do not have a backup, is: do I pay the ransom? It really depends on your particular situation. The authorities will discourage you from paying because it marks you as a target for future attacks and there is no guarantee that the key you receive will work. But if your data is irreplaceable, you may have no choice. You will need to consider all of the options and consequences.

5. How do I make sure my computers are safe again?
I suggest wiping the hard drive and restoring it to the factory settings. You would then add your data from your back-up. If you don’t have a back-up then you will need to use the process below so that you can keep the data on the computer.  

Step 1: Enter Safe Mode. Before you do anything, you need to disconnect your PC from the internet, and don't use it until you're ready to clean your PC. 
Step 2: Delete temporary files. 
Step 3: Download malware scanners. 
Step 4: Run a scan with Malwarebytes.

6. How to keep your data safe in the future:

Run all system updates on your Windows machine immediately.
Update your virus protection software. 
Run a backup to ensure you have a protected copy of your files.
Avoid web pages that aren’t regularly updated, or that you don’t already trust. 
Don’t click links to documents or web pages from someone if you are not expecting them.
Don’t open files in Facebook Messenger, or other apps where videos automatically play unless you were expecting them. 
If you have questions about a file, call the sender before you open it.

The chances are that we will all have to deal with ransomware at some point. I hope this information helps you think through the situation and come to a helpful resolution. 

If you would like more information about malware, ransomware, or computer security, please contact Sara Rust-Martin, KBA Law Practice Management Attorney, at 785-234-5696, or by email at srustmartin@ksbar.org.

The contents of this blog are informational only and should not be construed as providing legal advice. 

Tags:  computer security  cybersecurity  Malware  Ransomware 


Enhancing Computer Security

Posted By Sara E. Rust-Martin, Monday, May 15, 2017

 


Did you hear about the ransomware attack this morning? It seems as though cybersecurity is a growing concern for all of us.

Hackers and identity thieves are constantly looking for personal information to steal, and yours and your clients’ could be next. But there are protections you can put in place to safeguard your information, such as keeping your software up-to-date, only providing your personal information on secure, encrypted websites, and protecting your passwords.

Select Security Software that Updates Automatically

Hackers and identity thieves are continuously developing and evolving the ways they attack your computer and mobile devices, making your security software essential at every step. While most security software products have the capability to update automatically, they must be set to do so; make sure your security software is set to update automatically on all of your devices. In addition, set your operating system and web browser to update automatically. Most malware gets in through known flaws that a patch has already fixed, so prompt updates make it much more difficult for a bad guy to sneak malware or spyware onto your computer.

When searching for security software to purchase, only purchase from a reputable company. You never want to purchase security software from a company you’ve never before heard of saying they’ve scanned your computer and found viruses, and, as a result, offering a “deal” because these are usually either worthless or, worse, imposter scamming programs aimed at installing the very programs they purport to prevent: malware.

Provide Personal Information Over Secure, Encrypted Websites

Your mind may immediately go to shopping and banking sites when told to protect your personal information online. But there are many other sites where we share our information online, and using informed, safe practices across the board can be the difference between hackers and thieves tracking your information and not. First, stick to sites that use encryption. Encryption protects your information as it travels from your computer to the host site’s server. You will want to inspect each site before entering personal information. You will know the connection is encrypted if the web address begins with https (the “s” is for “secure”) and your browser shows no certificate warning. Note that https only means that the connection to that site is encrypted; it does not mean the site itself is trustworthy, so check that the address is the one you expect before typing anything in.

Next, inspect each page you visit on the website. Some sites only encrypt the first page, or the sign-on page, which means the rest of your visit could be exposed. Be sure that every page you visit has an https address, and that the sign-in form itself submits to an https address rather than quietly sending your password over plain http.
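The two checks just described, done programmatically, as an added example rather than anything from the original post: given a page’s address and its HTML, the function below reports any form that would post to an http:// address and any script or frame loaded over http://, which is exactly how a site that “only encrypts the sign-on page” can leak a password. The two sample pages are constructed; in real use you would feed it HTML fetched with urllib or requests.

```python
"""Does this https page really keep your password on https?

Added example, not code from the page. Inspects HTML the way a browser
would for the two failure modes the text warns about: a form on an https
page whose action is http://, and active content (script, iframe) loaded
over http://. The sample pages below are CONSTRUCTED.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse

# tag -> attribute that names where the browser will send or fetch data
ACTIVE_CONTENT = {"form": "action", "script": "src", "iframe": "src"}


class _Finder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_CONTENT.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        # A form with no action posts back to the page URL itself; a
        # relative or protocol-relative URL inherits the page's scheme.
        target = urljoin(self.page_url, value or "")
        if urlparse(target).scheme == "http":
            self.findings.append((tag, target))


def insecure_targets(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (tag, absolute_url) pairs that would leave the encrypted
    connection. An empty list means every form and script stays on https."""
    finder = _Finder(page_url)
    finder.feed(html)
    return finder.findings


# CONSTRUCTED: a sign-in page that stays on https (protocol-relative script
# inherits https from the page).
GOOD_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="//cdn.example.com/a.js"></script>
</body></html>
"""

# CONSTRUCTED: same page, but the form posts over http and a script is
# fetched over http, so the password and the page's integrity are exposed.
BAD_PAGE = """
<html><body>
<form action="http://www.example.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="http://cdn.example.com/a.js"></script>
</body></html>
"""

if __name__ == "__main__":
    url = "https://www.example.com/signin"
    print("good page:", insecure_targets(url, GOOD_PAGE))
    print("bad page:", insecure_targets(url, BAD_PAGE))
```

An http:// script on an https page is as bad as an http:// form: whoever can tamper with that script on the wire can read the form before it is submitted. Modern browsers block the script case outright, but the check is still worth running on anything that asks for client credentials.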

Protect Your Passwords

The best advice for protecting your password is to create strong passwords and keep them in a safe location. But, it is, of course, more complicated than just these simple principles, so here are a few additional guidelines:

·         When creating a password, remember that the longer the password, the harder it is for hackers and thieves to break. As for length, twelve characters is a good target, with ten as the minimum; a passphrase of several unrelated words gets you there and is easier to remember.

·         When creating a password, don’t use predictable information like your birthdate, name, or other information that would be easy for a hacker or thief to guess. Mixing letters, numbers, and special characters helps, but length and unpredictability matter more than any particular mix.

·         For many of us, it is easy to use the same password for multiple accounts. But, this is not recommended. If that password is stolen from your computer, or from an app where you have it stored, or even from a company with which you do business, then that thief or hacker now has access to all of your accounts.

·         When storing your passwords, keep them in a secure place out of plain sight. Be very cautious about sharing them with anyone and never share passwords over the phone, in texts, or by email.     Legitimate companies will not send you messages asking for a password. If you receive such a message, it is probably a scam.

In addition to your computer software, encrypted websites, and password protection, you will also want to back up important files onto a removable disc or an external hard drive, and store it in a safe place. Keep at least one backup disconnected from your computer and network when it is not in use, so that malware which compromises the computer cannot reach the backup as well. The cloud is also an option for backing up files and can be accessed remotely. By backing up your files, you are ensuring that if your computer is compromised you will still have access to your client files. While no system can be completely secure, the guidelines and tips above will give you a more secure overall computer system. Scammers, hackers, and identity thieves are on the prowl, and it is up to us as lawyers to secure not only our personal information but also that of our clients.
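Password guidance from two posts on this page, the NIST-based advice in “5 Cybersecurity Steps” (items 1 and 3) and the “Protect Your Passwords” section above, turned into a runnable check. This is an added example, not code from either post or from haveibeenpwned.com. It applies the NIST SP 800-63B rules (a minimum length, a generous maximum, a blocklist of common passwords, no forced character mixing and no expiry) and then does the breach lookup the way haveibeenpwned’s Pwned Passwords “range” API works: only the first five hex characters of the password’s SHA-1 hash are sent, and the rest is compared locally, so the service never learns the password. The range response and the tiny blocklist are constructed for the example so it runs offline; the real endpoint is https://api.pwnedpasswords.com/range/ followed by the five-character prefix.

```python
"""NIST SP 800-63B-style password check plus a k-anonymity breach lookup.

Added example, not code from the page. The HIBP "range" API is real
(GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>),
but the response below is CONSTRUCTED so the script runs offline, and the
blocklist is a stand-in for a real breach corpus.
"""
import hashlib
import unicodedata
from typing import List, Tuple

MIN_LENGTH = 8          # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64         # NIST: verifiers must allow at least 64 characters
# Tiny illustrative blocklist; a real one is a breach corpus, not this.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# CONSTRUCTED stand-in for GET https://api.pwnedpasswords.com/range/5BAA6
# (real responses are hundreds of lines; the counts here are made up).
CONSTRUCTED_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:2
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times this exact password appeared in breaches, 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def check_password(password: str, range_response: str) -> List[str]:
    """Return the reasons a password is rejected (empty list = accepted).
    No composition rules and no expiry: length, a blocklist and breach
    exposure are what NIST 800-63B actually asks a verifier to enforce."""
    # NFKC so visually identical Unicode forms compare (and hash) the same.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    seen = breach_count(pw, range_response)
    if seen:
        problems.append(f"seen {seen} times in public breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(candidate)
        # In real use: fetch the response for `prefix` over HTTPS here.
        print(repr(candidate), "->", check_password(candidate, CONSTRUCTED_RANGE_5BAA6) or "OK")
```

The design point is in sha1_prefix_suffix: a five-character prefix matches a few hundred breached hashes, so the server learns almost nothing about which password you hold, while the full suffix comparison happens on your side. Anything that sends the whole password, or the whole hash, to a remote “checker” is not the same thing.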

For more information about cybersecurity software or secure cyber practices, contact Sara Rust-Martin, KBA Law Practice Management Attorney, 785.234.5696 or email at srustmartin@ksbar.org.

Tags:  computer security  cybersecurity 


New ABA checklist: Ensuring your cybersecurity when using outside vendors

Posted By Sara E. Rust-Martin, Tuesday, April 11, 2017

These days you’d be hard-pressed to find a company that does not conduct business electronically or use outside vendors. Relying on third-party businesses and vendors, and on electronic business generally, makes all of us more vulnerable to cybersecurity breaches.

According to one recent study on Third Party Risk Management, more than 60 percent of all data breaches can be attributed to a third-party vendor.

Two recent examples of such breaches were at Equifax in 2016 and Target in 2013. At Equifax, tax and salary data from the company’s clients, such as Kroger and Stanford University, were stolen last May through weaknesses in Equifax’s access controls. The hack of Target’s database exposed the personal data of more than 70 million customers. In that incident, the attackers gained access by compromising one of the retailer’s vendors, an HVAC company, and using its network credentials.

To help avoid and minimize the impact of breaches like these, the ABA Cybersecurity Legal Task Force has released its Vendor Contracting Project: Cybersecurity Checklist.

The checklist is designed to manage cybersecurity risk when working with third-party vendors – from vendor selection, to contracting and vendor management.

The checklist provides guidance on:

  • Conducting a risk management assessment of the proposed vendors, to identify relevant threats to security, vulnerabilities and the potential for exploiting those vulnerabilities, including the likelihood that harm could occur.
  • Reviewing vendor security practices and the ability to follow them.
    • Does the vendor have an incident management plan that complies with relevant laws? Is it regularly tested and updated?
  • The contracting process, including setting expectations, mitigating risk and allocating liability.
    • How will the contracting parties interact, share and manage information? What is the vendor’s commitment to an appropriate security program? How will the vendor’s compliance to that program be assessed, and if necessary, remediated?

The full document also includes appendices with additional detail.

The task force advises that each of us modify and add to the checklist reflecting the particular regulatory requirements and needs of our clients.

Access to the full checklist is available through this link:

Cybersecurity Task Force Vendor Contracting Checklist

Tags:  ABA  cybersecurity  risk management assessment 
