ISA’s President and CEO Kevin Dawson was featured in “Privacy Across Borders”, a webcast held by the Privacy and Access to Information Law Section of the Ontario Bar Association (OBA) on Thursday, September 17, 2020. Kevin was invited to participate in a panel that anchored a day of discussion about privacy and data protection across borders and here at home.
Kevin led off his segment with a summary of some of the most common threats that ISA sees affecting not just law firms, but all companies with digital assets at risk:
Ransomware: All of the panelists agreed that ransomware continues to be a significant threat to all businesses. Threat actors are increasingly well-organized, and are using increasingly complex methods of compromising systems and exfiltrating data from their victims.
Misconfiguration: Vulnerabilities created by poor configuration or “out-of-the-box” set-up pose a serious threat for companies and their customers, as sensitive data may be exposed to theft or compromise. Those exploring new or different cloud services are particularly at risk unless they have the expertise to protect themselves appropriately.
Insider Threats: Ransomware infections are most often delivered through social engineering attacks like phishing, SMShing (phishing via SMS/text), or vishing (phishing via voice call). However, ISA is seeing growing concern over compromised insiders intentionally providing access to criminals, eliminating the need to trick someone into clicking a link. Today, the stakes and ill-gotten rewards are so great that it’s worthwhile to pay or otherwise induce an employee into betraying their firm and paving the way for cyber attack.
Data Exfiltration: Often paired with a ransomware attack, hackers frequently steal data for the purpose of re-selling it on the dark web. Since many system breaches may last for weeks or months before they are discovered, patient hackers can siphon sensitive, proprietary, valuable data from a target over an extended period. That data is then made available for sale, or can be used as leverage for extortion.
The discussion then turned to emerging threats and trends in cybersecurity. Kevin reported that the biggest change ISA has seen recently is the expanded attack surface created by the growth of work-from-home in the COVID-19 era. The old model of securing an office perimeter and corporate assets has crumbled for many companies in the rush to provide online services and support remote access for workers. In many cases – literally overnight – users were compelled to use their own equipment, their own WiFi, and their own ISPs to access corporate networks. While some larger or digitally-oriented companies had a head start in supporting good security, others scrambling to set up VPNs or zero-trust networks (or not bothering with security at all) may have created holes allowing hackers to tunnel directly into otherwise secure systems.
Kevin also observed that the WFH era has created novel opportunities for phishing, smishing, and vishing to succeed. In a time of Zoom calls and management-by-email, well-crafted attacks can dupe unsuspecting users more easily. In the old days, a staffer might walk down the hall to ask a supervisor for clarification on a strange-sounding email. Today, that same person might fall for a scam in the name of expedience, with less convenient or direct access to confirmation available. The number one defensive strategy against social engineering attacks is staff education and cybersecurity awareness training.
Kevin concluded his remarks with a “top five” list of ways for law firms to help to prevent and protect against breaches:
Security Awareness – “The #1 firewall in your organization is your people”: Kevin stressed the importance of providing regular security awareness training for all staff. Even today, after all the well-deserved hype about cybersecurity and the high-profile attacks in the news, click-through rates on phishing tests are disappointingly high. People are still falling for these attacks, so training and vigilance are still required to strengthen that last line of defense.
Multi-factor Authentication – “Something you know, something you have, something you are”: The second area for firms to concentrate on is multi-factor authentication (MFA). With so many products and services online, it’s too hard for people to remember a sufficiently complex, unique password for each one. Augmenting any password system with additional authentication factors like tokens, confirmation texts, or biometrics makes it significantly harder for hackers to compromise a system. Kevin argues that some of the recent breaches involving Outlook Web Access (OWA) or O365 implementations likely could have been avoided by having even just two levels of authentication.
Security testing – “Planning and testing of your configuration and your defenses”: Once your security is in place, it’s essential to test and maintain it. Vulnerability assessments and penetration testing are excellent ways to validate your approaches. They can help you find areas that you may have overlooked, and help ensure that patch levels and controls are in place as required. Every successful ransomware attack has its roots in a security flaw, vulnerability, or oversight – testing helps you find the holes before the hackers can.
Incident response planning – “If something were to happen right now… what would you do?” It’s critical to have a well-defined process that includes roles and responsibilities, addresses legal matters, considers cyber insurance, and much more. The thinking and planning must happen before a crisis arises. And here too, it’s vital to test your incident response plan to develop the muscle memory that could save crucial minutes in the face of a real incident.
Identity governance – “Active directory or other identity solutions can be very messy”: Kevin underscored the importance of having clear procedures for granting, modifying, and removing system access. For companies with large spans of credentialed application software, this can be a headache – but much less of a headache than having the account of a departed employee hacked and used as a springboard for a ransomware attack. There is a clear tech and process piece here: onboarding, role changes, access review, and complete and prompt offboarding processes are absolutely essential in order to keep everything straight (and auditable!).
A final couple of tips:
Kevin recommended the use of password lockers – as long as you can remember a single extra-complex master password, these tools free you from having to remember any other passwords. Websites and apps can be launched securely from within the password locker program. In Kevin’s case, he uses unique, 32-character randomized passwords for all of his digital services and applications… in addition to leveraging multi-factor authentication using tokens. Kevin “walks the walk” when it comes to secure authentication.
Kevin also recommends the site Have I Been Pwned? as a resource for people to check whether their email address has appeared in any of the massive data breaches that happen with such regularity. If your email address appears in a search, it’s time to change your password immediately and make sure that you are not reusing that password elsewhere. Hackers love to use databases like these to pivot onto other systems and attempt “credential stuffing” attacks, which use a stolen password to try to access other sites. If you use the same password for your hacked Facebook account as you use for your corporate Office 365 login, you are asking for trouble.
Kevin Dawson is President and CEO of ISA Cybersecurity, Canada’s largest cybersecurity-focused solutions provider. ISA can assist with strengthening your law firm’s security posture and processes – contact ISA today to learn more.
The Ontario Bar Association promotes fair justice systems, law reform, and equity and diversity in the legal profession, and is one of the leading providers of professional development and resources for the Ontario bar. The OBA has a membership of nearly 16,000 lawyers, judges, notaries, law teachers and law students.