How to Get Your Law Firm’s Cybersecurity House in Order

 

This is the 2nd in a 3-part series about IT Services and Security for Law Firms. Please click here for the 1st article.

As the legal services field continues to embrace technology at an unprecedented pace, law firms worldwide are also facing increasing pressure from cyber threats.

According to Checkpoint Research, global cybercrime saw an 8% year-on-year increase in Q1 2023, with insurance and legal services experiencing the second highest year-on-year change.

On average, 1 out of 31 legal services firms faced an attack in the first quarter of this year.

From confidential client documents to legal strategies, law firms possess massive amounts of sensitive data, which makes them ideal targets for criminals. The ability to safely handle and protect sensitive client information needs to be a top concern for any law firm.

With financial stability, reputation, client trust, and the threat of severe legal consequences all hanging in the balance, it’s time for law firms to ask themselves if they are doing enough to keep hackers and cyber threats at bay.

Here are 8 important steps law firms should take to ensure their cybersecurity protections are up to standard.

Is someone currently logged into your cloud services?

Law firms have been slow but steady adopters of cloud platforms. When deployed correctly, cloud applications can help improve collaboration, streamline efficiency, and reduce network complexity.

However, the cloud can also make it hard to know who has access to your network and who doesn’t. Ensuring the security of your cloud systems requires vigilant monitoring and response mechanisms.

• Continuous Monitoring:
  To view all the activity across your organization’s cloud environments in real-time, you can use services like AWS CloudTrail, Azure Activity Log, or Google Cloud Audit Logs. These tools provide deep visibility into your cloud environments, helping your firm detect unauthorized or malicious activity across sensitive legal case files and confidential client data quickly.
• SIEM Integration
  The vast amounts of log data your cloud platforms generate are unactionable without context. By integrating those logs into a security information and event management (SIEM) system, you can monitor and analyze activity within legal software and document management systems. This allows for real-time analysis, correlation of events, and immediate alerts for suspicious activities.

Have you addressed old vendor usernames and passwords?

Old vendor usernames and ineffective password management practices can make it easy for attackers to infiltrate a law firm. Here are some of the steps you can take to ensure that account management processes aren’t creating new cybersecurity vulnerabilities.

1. Identify and Deactivate Inactive Credentials
   It’s important to regularly scan active directories and identity management systems to identify old or inactive vendor accounts and credentials across your organization. These accounts must then be disabled to prevent threat actors from misusing abandoned accounts.
2. Ensure User Management Best Practices
   After ensuring that outdated credentials can no longer be misused as an attack vector, talk with your technology vendors to ensure that new credentials meet security best practices. This may include enforcing complex, unique passwords and encouraging the use of passphrase-based authentication or multi-factor authentication. Additionally, good password policy includes alerting mechanisms, so your administrators know when hackers have launched a password-based attack.

Have you fixed old email accounts that are still active?

Inactive emails are a security concern for law firms, as they may still contain residual customer data and other sensitive information that don’t fall under the category of classic personally identifiable information (PII). They can be used by attackers to leak data, harvest credentials, or take over accounts.

• Email Account Audits
  Law firms need to implement email account auditing processes to ensure that old or inactive accounts do not become security liabilities. This process may involve regular automated scans, identifying inactive accounts, disabling login access, revoking permissions, and managing the residual data. In some cases, inactive email accounts might still contain sensitive information, confidential correspondence, or access to critical systems.
• Data Management
  Residual data can be archived or deleted, depending on your data retention policies and compliance requirements. Often, legal services firms need to retain historical email data for compliance, which might require implementing archiving solutions that allow you to preserve emails while deactivating accounts. Maintaining a log of these activities can serve as a helpful audit trail.

Have you overlooked office devices logged into admin accounts, including copiers, scanners, and other operational technology?

Administrative accounts on copiers, scanners, and other office equipment connected to your law firm’s corporate network must be secured, but many law firms simply overlook these “dumb” devices, assuming they pose no serious threat.

In fact, they can serve as an entry point for attackers.

• Secure Device Access
  Law firms should ensure that they change the default device credentials and that they update the firmware or software on these devices regularly to close vulnerabilities. Only authorized personnel should be allowed to access administrative accounts. Additionally, you should use authentication measures, including biometric access systems or smart cards, to decisively close this back door into your network.
• Network Segmentation
  You can isolate the network that these devices are connected to minimize their exposure to more critical internal networks. Implementing robust firewalls and monitoring inbound and outbound traffic may further bolster security.

Have you implemented multi-factor authentication with conditional access?

Multi-factor authentication (MFA) enhances security by requiring multiple forms of verification, and when combined with conditional access policies, it provides dynamic and context-based security.

• MFA Implementation
  Implementing multi-factor authentication is crucial for legal firms as it provides an additional layer of security. This additional layer of authentication can include OTPs (one-time passwords), biometrics (fingerprint, facial recognition), smart cards, push notifications, or even hardware tokens.
• Conditional Access Policies
  Leveraging conditional access policies allows firms to dynamically adjust security requirements based on user attributes, device health, location, and other risk factors. This minimizes friction and allows you to deploy security measures based on dynamic, real-time intelligence, for example, requiring remote access, but not for in-office access.

Have you restricted access to high-risk countries and zones?

Limiting access to specific geographic regions can significantly reduce the attack surface of your law firm’s network.

• Restricting High-risk Zones
  Assessing the risk-reward ratio is essential when considering access restrictions to high-risk countries or other cybersecurity threat hotspots. For most legal firms, configuring your firewall and content delivery networks (CDNs) to limit access from Russia, Iran, or other high-risk zones is an effective way to mitigate the unknown threat.

Has your firm already been compromised?

With hackers moving quietly through your network, many law firms don’t even know that they’ve been infiltrated. Proactively monitoring the dark web can help you detect compromised credentials and information quickly, take corrective action, and prevent unauthorized access.

• Dark Web Monitoring Services
  It’s worthwhile to invest in dark web monitoring services that search for compromised credentials or leaked data associated with your organization. These services continuously scan underground forums and marketplaces for stolen data and alert you promptly. This can greatly reduce the impact of cyberattacks.
• Documented Response Procedures
  Upon discovering a compromised credential and alert, do you know how to swiftly respond, change the affected passwords, and notify the affected users. If you discover that sensitive or confidential information has been leaked, how will you learn about the exfiltrated data? It pays enormous dividends to have a plan.

Are your employees pasting sensitive information into ChatGPT?

The use of AI-driven chatbots introduces unique security and ethical considerations, especially in the legal context. As more law firms turn to templatized documents created by ChatGPT and other large language models, now is the time to get proactive about ensuring that those applications are always deployed with security as a priority.

• Data Loss Prevention (DLP)
  DLP software helps intercept and prevent data leaks in real time by preventing the pasting of sensitive information into chatbots and other AI software. As a legal firm bound by professional attorney–client privilege and client confidentiality, implementing DLP helps prevent sensitive information from being leaked into ChatGPT and other AI chatbots.
• Chatbot Security Measures
  If your firm does decide to utilize chatbots to improve efficiency and streamline workloads. It’s necessary to analyze potential chatbot solutions in terms of the data encryption, secure storage, and access controls they offer. Inform your staff on the ethical implications of AI chatbots, emphasizing the importance of safeguarding client confidentiality and adhering to professional codes of conduct.

A Cybersecurity Partner with Deep Commitment to the Legal Service Community

Cybersecurity can’t be disregarded as an afterthought anymore. LNS Solution has been helping Tampa’s legal services community with cybersecurity consulting and services for decades. If your firm wants a guide to bring clarity and focus to your cybersecurity efforts, contact us any time at (813) 393-1626 or info@lnssolutions.com.

Law Firm Cybersecurity: Insurance Questionnaires

 

This is the 1st in a 3-part series about IT Services and Security for Law Firms. Please click here for the next article.

Law firms are struggling with next-generation malware threats, social engineering attacks, and other forms of cybercrime that disproportionately target the legal services industry. To protect themselves against potentially catastrophic data loss or major downtime, many firms in the Tampa area have turned to cybersecurity insurance.

However, picking the right insurance plan and navigating the application process are often stressful for law firms, especially when it comes time to self-report on your cybersecurity defenses with the questionnaire they provide.

Those forms are filled with technical terms, such as multi-factor authentication (MFA), end-point detection and response (EDR), and “ransomware control.” Is your firm struggling to understand the boxes that your insurance questionnaire is asking you to check? Let’s take a deeper look.

Question 1: Can your users access e-mail through a web application or a non-corporate device? If “Yes,” do you enforce MFA?

All users accessing email should be required to use what’s known as multi-factor authentication (MFA).

MFA is a multistep account login process that requires users to enter more information than just a password. After entering a password, users might be asked to enter a temporary code, answer a secret question, or scan a fingerprint. A second form of authentication is one of the most effective ways to prevent email breaches, with Microsoft finding that it can help reduce password-based attacks by up to 99%.

Question 2: Do you allow remote access to your network? If “Yes,” do you use MFA to secure all remote access to your network?

MFA is extremely effective in preventing ransomware attacks, as well as traditional hacks. A ransomware attack begins when an attacker acquires account credentials. However, with MFA, the attackers lack the additional information required to gain access to the target account. This prevents the attack and keeps it from entering the system.

It’s worth noting that not all MFA systems are built the same in terms of the practical level of protection that they offer.

In recent years, there’s been a spate of attacks specifically targeting MFA solutions, including a very high-profile breach at hardware company Cisco. In that attack, criminals flooded users with requests to verify their identities on a mobile security application (in this case, Duo) until the overwhelmed party verifies the access out of sheer frustration. In other cases, hackers can use fraudulent landing pages or social engineering attacks to undermine an MFA system.

This makes it important to understand that MFA should be complemented by a robust cybersecurity awareness training program, but more on that topic later.

Question 3: Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activities across your enterprise?

Endpoint detection and response (EDR) is an integrated security solution that combines real-time continuous monitoring and collection of data from your endpoints (PCs, laptops, and tablets) with rules-based automation to respond and analyze threats.

There are 4 primary functions of an EDR security system:

1. Continuously monitor and collect data from your network endpoints
2. Analyze data to identify anomalies or threat patterns, not just known malware or attacks
3. Automatically respond to or remove those threats, then notify your security team
4. Perform forensics analysis to research threats and understand their impact and reach

Having an EDR system is something we strongly recommend for our clients in the legal services field, though it’s worth noting that there are new concepts in detection and response technology that complicate answering this question.

If you have a managed detection and response (MDR) solution—like the kind we offer here at LNS Solutions—then you have greater protection than a standard EDR, which means you can confidently answer yes to the question above. MDR solutions add the vigilant support of human personnel to weave the EDR system into a larger security plan and analyze the data.

Question 4: Do you prescreen emails for potentially malicious attachments and links?

If “Yes" to the above question, do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end user?

Another security tool that we strongly recommend law firms adopt is advanced email scanning, which offers protection against malicious URLs and weaponized attachments. The latest generation of email security tools are tuned to help mitigate not just phishing, but also account-based takeover (ATO), impersonation, and business email compromise attacks.

The second part of that statement, “malicious links,” is equally important. In recent years, hackers have started to get creative about the ways in which they leverage fake domains to trick people into clicking on malicious links. Lookalike domain names are one such strategy that is designed to look like legitimate domains, but in fact provide a way for hackers to enter your systems.

Examples

• bannkofamerica.com vs. bankofamerica.com
• amazoon.com vs. amazon.com
• Gooogle.com vs. Google.com

Are you confident that your staff is going to notice the differences above while they’re busy working?

Cybercriminals are banking on the idea that they won’t, and statistics show that they’re often right. To mitigate this problem, there are tools you can employ, but your security team should also be vigilant about identifying high-risk domains, scanning for lookalikes during regular security maintenance, and training your staff on how to watch out for this form of attack as they work.

Cybersecurity Insurance Questions You Might See

The above are the questions that our legal services clients ask us about most often, but there are several other confusing questions that you may encounter during the cybersecurity insurance process. Here are some of the other common questions that give our legal services clients trouble:

• How many personally identifiable information (PII) records is your business storing?
  Many firms are confused about what constitutes PII, or don’t have an inventory of exactly how much PII they’re storing.
• Do you provide anti-fraud training to employees?
  Is fraud training the same as cybersecurity training? It can be. To check this off with confidence, you’ll want to ensure that cyber awareness training includes all the necessary modules.
• How long does it take you to install critical network patches and updates?
  Without closely tracking the efficiency of your network management efforts, many law firms don’t’ have a clear answer to this question.

When in doubt, the best way to shop for and purchase cyber insurance is with the help of a trusted cybersecurity partner, who can help you navigate all the ambiguity.

LNS Solutions – 30 Years of Legal IT and Cybersecurity Expertise

For decades, we’ve helped Tampa’s legal services firms take control of their IT and face cybercriminals with confidence. If you’re struggling with security concerns or the questions around your cyber insurance, contact us any time at (813) 393-1626 or info@LNSSolutions.com. We look forward to speaking with you!

 

Small Business Cybersecurity: The 5 Most Common Mistakes

There was a period long ago when small businesses could (partly) rely on their size to hide them from hackers. But the time for “security through obscurity” has long passed, and cyber criminals are now targeting small-and midsize businesses at almost the same rate as enterprises.

According to statistics from penetration testing company Astra Security, approximately 43% of cyberattacks target small businesses annually, with an alarming 46% of these attacks being directed at companies with 1,000, or fewer employees. The average attack costs $25,000 per incident.

While designing and building a comprehensive cybersecurity strategy takes high level expertise, there are some relatively simple cybersecurity issues that we find routinely contribute to a high number of hacks here in Tampa.

 

Here’s what businesses can look out for, and some tips for keeping yourself safe.

1 - Weak Passwords and Poor Password Management

Here’s a terrifying security factoid: the password “123456” has been consistently at the top of the list of commonly used passwords for several years in a row. Even in 2023, after decades of articles, training sessions, and face-to-face advice, poor password practices continue to cause massive trouble for many small and medium businesses.

Why? Weak passwords contribute to a host of serious security issues, such as increased vulnerability to “brute-force” attacks in which hackers simply try to guess your password to gain system access, phishing attacks, internal unauthorized access to sensitive data, and compliance problems.

One way to overcome this problem is multifactor authentication (MFA) and password managers.

MFA adds an extra protection layer beyond the password by requiring users to provide two or more forms of identification other than a password before being able to access an account. This may include biometric data (facial recognition, fingerprints, etc.) or a one-time password (OTP) on a trusted mobile device.

MFA is the single most effective cybersecurity step you can take, as it solves over 99.9% of authentication-based attacks, according to Microsoft.

It is also never advisable to use the same password for multiple accounts, a fact that you should make clear to your staff on a regular basis. Password managers help create and manage multiple passwords for different accounts helping automatically enforce password best practices.

2 - Not Preparing your Staff for Cybersecurity Success

Employees are considered the weakest link in an organization and the number one cause of infiltration and data loss.

In light of this statistical fact, it becomes critical that you have a cybersecurity training program in place that makes them aware of potential threats and prepares them to counter those dangers.

This is especially true as ChatGPT and other AI models enable attackers to gather and analyze vast amounts of data about potential targets from various sources, such as social media, public databases, or previous breaches. This information is then used to craft highly personalized and convincing phishing messages.

By allowing criminals to tailor the content of their attacks at scale, hackers increase their chances of success and dramatically raise the bar for security training programs. Businesses must implement regular cyber awareness training, which includes testing their employees’ abilities, tracking progress, and making targeted improvements to proactively stay ahead of those threats.

3 - Poor Patching and Updating Procedure

Unpatched software and hardware are a common source of cybersecurity attacks, although most businesses without internal security staff don’t fully realize what that means or how vital this security measure is.

The SolarWinds attack in December 2020 that made national headlines was the result of unpatched software, which allowed hackers to insert malicious code into unpatched software. That infected software was then distributed onto SolarWinds customers.

In this case, hackers used that access to gain unauthorized access to both private and government organizations, resulting in several massive data breaches that did millions in damage.

Another high-profile, infamous attack that resulted from unpatched software was the WannaCry Ransomware Attack in May 2017. This highly successful ransomware exploited a vulnerability in Microsoft’s Windows operating system, which the company had already released a patch a few months before the attack.

Because organizations had not installed the security updates, they left their systems vulnerable, and the ransomware spread across the globe with amazing speed, causing up to $4 billion in damages.

4 - Neglecting Disaster Recovery Maintenance

Your business needs to have a plan for responding to disasters of all kinds, including natural disasters such as an earthquake or a flood (which are happening with greater frequency), or a man-made disaster such as a cyber-attack.

According to Accenture’s Cost of Cybercrime Study, small businesses are targets of 43% of cyberattacks, yet only 14% are prepared to protect themselves and recover.

Having a disaster recovery plan (DRP) is more than just backup. It’s being able to use well-maintained backups to restore services after an attack to minimize disruption and contain financial damage. It’s a combination of IT systems, people, processes, and careful planning.

Testing is an area of particular weakness for many organizations.

To properly test your DRP, you must define a clear set of objectives and create a comprehensive test plan that outlines the scope, methods, roles, and timelines for the test. Then isolate the test environment to avoid impact on live systems and simulate all the disaster scenarios that you’re trying to prepare for.

Monitoring and documenting the recovery process, then evaluating the results against predefined objectives, will give you a clear picture if you’re as ready for cyberattack as you feel you are.

5 - Not having an Incident Response Plan

A cybersecurity incident response plan is a documented set of procedures and guidelines that enable you to efficiently handle and mitigate cybersecurity incidents within your organization.

What happens if your network gets infected with malware? Or, if an employee steals a password as they leave your company? What if someone loses a cell phone? These are just some of the scenarios that a properly designed incident response plan (ICP) will prepare you for.

Building an incident response plan can be a complex process, but here are the steps you can build a viable ICP:

• Start by auditing and documenting your network. Understanding your entire IT infrastructure and potential threats allows you to define the objectives and scope of the plan.
• Assemble a response team with predefined responsibilities to ease communication and decision-making.
• Identify which incidents you want to be able to respond to and classify them based on the likelihood of them happening and the severity of their impact.
• Develop and document response procedures for detecting, assessing, containing, eradicating, and recovering from each of the incidents you’ve just identified.
• Regularly test the incident response plan with the help of simulations and tabletop exercises, ensuring that the measures you’ve chosen function as you hoped.
• When an incident occurs, analyze both the incident itself and your response to understand what happened, how it was handled, and what can be improved.
• Regularly review and update the incident response plan to adapt to new threats, address changes in your IT infrastructure, or lessons learned from past incidents.

 If that process feels overwhelming to you, we encourage you to reach out to the friendly LNS Solutions team for help. In our 20 years of cybersecurity service to Tampa businesses, we’ve developed a streamlined process for incident response planning that takes all the guesswork and uncertainty out of the process.

Tampa’s Trusted Cybersecurity Expert

For 30 years, the LNS Solutions team has been helping businesses in Tampa defend themselves against cyber criminals, malware, ransomware attacks, and more. If your business is struggling to achieve the resiliency and confidence you need, contact our helpful team any time at (813) 393-1626 or info@LNSSolutions.com. We look forward to speaking with you!

 

Why is Cybersecurity Awareness Training So Important?

All it takes for a hacker to breach your company’s network is one of your employees opening a phishing email and clicking a link.

This means that before your IT team focuses on advanced measures like vulnerability testing and encryption, they need to strengthen their first line of defense by training your employees to identify, prevent, and combat cyberattacks.

This is why cybersecurity awareness training is so important. Security awareness training helps to educate employees in your organization on the different types of attacks, how hackers launch them, and what they can do to detect a threat. Making all your employees aware of cyberattacks significantly reduces the chances of hackers taking advantage of human errors.

Let’s explore the importance of cybersecurity training for employees, the direct benefits it provides, and the topics you should make sure to cover in your training program.

Benefits of Cybersecurity Awareness Training

Conducting comprehensive cyber security awareness training for employees will significantly reinforce your organization’s cybersecurity posture. Here are some of its key benefits:

• Prevent Data Breaches
  In regular, online training cybersecurity awareness training from a reputable provider, your team will learn about the latest techniques that hackers are using to attack businesses, including infiltration techniques attackers use, such as phishing and social engineering, and even more complex attacks like brute force attacks and business email compromise. The goal isn’t to make everyone an expert on complex cyber threats; it’s to arm them with the skills to detect the telltale signs of infiltration like suspicious email addresses and awkward phraseology, while also teaching them how to prevent disclosing confidential info to outsiders. By arming them with that knowledge, you enable them to play a major frontline role in preventing data breaches, 85% of which have a human element.
• Minimize Damage from Attacks
  If an outsider breaches the company’s system, the top priority is to contain the breach swiftly and minimize its impact. Cybersecurity awareness training teaches employees what they can do to contain the damage of an attack. By allowing them to practice how to communicate with senior leaders, how to report unauthorized personnel or access within the organization, how to log out of their systems, and following advanced instructions from your security provider, you empower them to be more than just defensive actors but play a proactive role in your security.
• Build a Culture of Security
  A quality cybersecurity awareness training program will go beyond imparting knowledge, it instills a culture of security preparedness in the organization. Regular education and discussion among employees about the importance of cybersecurity and their role in safeguarding sensitive data helps them stay an alert and ingrain a more conscious mindset about company security. Over time, your staff gradually develop a collective sense of responsibility toward keeping their workplace safe, which helps keep morale and teamwork high.
• Meet Cyber Insurance Requirements
  Organizations now rely on cyber insurance policies to them protect themselves against the direct financial losses from cyberattacks and recover from data loss events without huge expense. To mitigate the rising payout of insurance claims, most cyber insurance providers now require your businesses to demonstrate a commitment to cybersecurity best practices, which includes cybersecurity awareness training. Conducting training regularly not only assures your insurers that you’re doing everything to minimize risk, it may also reduce the insurance premium and ensure your claim is paid out as expected when an attack occurs.

What Topics Should Cybersecurity Awareness Training Cover?

A security awareness training program must be specialized and even a bit enjoyable to be effective. Thankfully, that no longer means dry, day-long training seminars that ask your teams to memorize and retain dense information all year.

Instead, businesses should be looking for regular, engaging online sessions that explain advanced technical topics in simple terms that everyone can understand, regardless of their technical expertise.

The focus should be on practical, specific measures for employees to put into action and periodic testing to test their real-world ability to manage various threats. Here are the essential topics that must be covered in a security awareness program:

Phishing Training

Because phishing attacks are so commonplace, this is one of the most important aspects of any training program. Employees must be trained to identify phishing emails and spoofed domains in the training. Misspellings and poor grammar used to be dead giveaways for phishing emails, but with ChatGPT, hackers can easily create grammar-proof emails.

Still, there are other ways that employees can be taught to detect signs of phishing, such as generic greetings, fake sense of urgency, analyzing the overall tone of the email, and avoiding clicking any links from unknown senders. As mentioned, it’s not just education but practical phishing simulation with company-wide reporting that will move your needle here.

Social Media Hygiene

Despite the fact that nearly half of U.S. employers block access to social media sites, most people still use social media while at work, either on company-owned or personal devices. This has major implications for your business’s security.

You must not only set clear guidelines for employees on what they should publicly on social media, then train them on how to use social media responsibly. Even if no one shares confidential information or user credentials on social media, seemingly harmless information can become useful for hackers.

Hackers can easily use the name of new software your company is using, or casual mention about their company’s technology, into leverage to gain access to your network.

Data Handling

Most industries are now struggling with compliance standards on data handling, which makes it a must-have feature of your cybersecurity awareness training. Staff must be informed of the rules and practices laid down by the regulatory bodies governing your industry and thoroughly trained on the best and safest practices for handling, storing, and sharing data within your organization.

Malware and Attack Response

All cybersecurity awareness training must instruct your team on what to do when malware strikes. There are crucial moments right after an attack that can make the difference between a few PCs being affected and a company-wide infection.

Training in this area teaches them specific actions to take an attack, such as how to properly disconnect a device from a network, safely shut down an affected computer, and how to preserve all the evidence of an attack, such as phishing emails, for future forensic work.

Mobile Device Security

Mobile devices have become a major part of many businesses, but they are are also a common target for attackers. All employees (especially those working from home) should be trained on proper mobile device usage, including safeguarding devices with strong passwords, utilizing encryption and two-factor authentication, and being cautious of public Wi-Fi networks.

This includes familiarizing your staff with which mobile device management (MDM) you’ve deployed in your network, so they know what data is safe to store on their mobile devices and how.

Remote Work Security

More and more companies are adopting the remote work culture and its many benefits without having fully accounted for the unique security risks it poses. Businesses with remote workers must provide cybersecurity awareness training that touches on these topics.

This includes how to avoid connecting to public Wi-Fi, how to properly use virtual private network (VPNs), ensuring that security software antivirus is up to date, working with multi-factor authentication systems (MFA), and a wide range of other critical security topics.

How Often Should I Conduct Cybersecurity Training?

In the past, cybersecurity training programs were infrequent and in-person, conducted a few times each year for days at a time. That approach simply doesn’t meet the needs of businesses now, who face attacks that change and evolve on a daily basis.

The most effective approach to security awareness training is to conduct regular online training all year round in short and targeted modules. Not only does this approach give your employees information on the latest cyber threats, conducting sessions online also gives your leadership access to metrics and dashboards that quantify your cyber readiness into improvable metrics.

Florida’s Cybersecurity Team

For over 30 years, the LNS Solutions team has been helping companies in Tampa defend themselves against cyber criminals and malware. If your business is struggling to achieve the resiliency and confidence you need, contact our helpful team any time at 813 393 1626 or info@LNSSolutions.com. We look forward to speaking with you!

 

How ChatGPT and AI are Changing Cybersecurity

Heated discussion about artificial intelligence (AI) has been a feature of the business media since ChatGPT was first released in late 2022.

While most of the media discussion revolves around which jobs ChatGPT is going to eliminate, there’s been a quieter but equally important discussion in the cybersecurity community about how AI is going to affect business security.

We’ve written this article to provide businesses in Tampa with everything they need to know about the coming generation of AI, how it’s going to make achieving lasting cybersecurity harder, and what you can do about it.

Hackers Leverage AI to Generate a New Breed of Malware Attack

One of the most discussed use cases for ChatGPT is in computer programming. Even in this relatively immature state, ChatGPT is already pretty good at generating simple code snippets for simple functions, allowing programmers to focus on more complex aspects of software development.

This means a more efficient development process and lower costs for companies. However, there are also nefarious uses for automatically generated code that business owners must familiarize themselves with.

Bypassing the Security Features of AI Models
In its current state, ChatGPT (and specialist AI models like AlphaCode) are designed not to generate code that could be used for malicious purposes. However, in just the few months since the software was released to the public, hackers have devised multiple ways to bypass those protections.

One hacking group has used ChatGPT’s application programming interface (API), in particular one called davinci-003, which’s specifically designed for chatbot applications. It turns out that the API doesn’t enforce the same restrictions on malicious content as the web version, meaning that hackers can bypass ChatGPT’s protections and generate any code.

The price of this service? A mere $5.50 for every malicious 100 queries on ChatGPT.

AI models that can generate malware code at basically no cost will likely lead to a rapid expansion in the number of threats, just as the commodification of Ransomware on the dark web did in 2019 and 2020.

“Polymorphic” Malware Threats
Hackers have already started to use the power of AI to create new and intelligent forms of malware as well, by embedding specialized forms of “polymorphic,” or mutating, code into their viruses. By changing its composition or “signature,” smart malware avoids endpoint detection and response (EDR) systems and is thus much harder for businesses to detect and isolate.

Polymorphic malware has existed for decades, but the new strains powered by ChatGPT are more dangerous and harder to detect.

In addition to a model that uses the API listed above, another recent proof of concept from Jeff Sims, principal security engineer at threat detection company HYAS InfoSec, demonstrates another possible approach. His software, called BlackMambo, logs keyboard strokes on a host computer, changing its shape every time it runs to avoid detection. According to the HYAS blog:

“BlackMamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, so it can return synthesized, malicious code needed to steal an infected user’s keystrokes… Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested against an industry leading EDR which will remain nameless, many times, resulting in zero alerts or detections.”

Criminals Upgrade Phishing Attacks with the Power of AI

According to the  FBI’s 2022 Internet Crime Report, email attacks are the most common IT threat in America.

People are already falling for today’s email phishing scams, which are notorious for poor grammar and misspellings. As hackers adopt ChatGPT and other large language models (LLMs), criminals in Russia, India, and other countries will be able to create error-free emails on demand, making them harder to detect and more impactful.

As phishing emails become more impactful, and that impact is extrapolated out over millions of attacks that take place each day, we can expect to see a significant impact on the number and efficiency of phishing attacks.

But AI doesn’t just help with email writing; hackers have also started ChatGPT and other AI models to develop new phishing strategies, scan attack surfaces, and alter their cybersecurity attacks to respond to your phishing defenses in real time.

Businesses in Tampa must be ready to adjust their security to compensate.

What Can Tampa Businesses Do About It?

The good news is that generative AI has as many applications for cyber defenders as it does for attackers.

Arm Yourself with the Right Tools
IT services firms like LNS Solutions are using tools with built-in machine learning and artificial intelligence to find network vulnerabilities and proactively address the threat of malicious AI.

To reap the benefits of those tools, it’s important to work with an IT services firm with a track record of cybersecurity success. If you’re not partnered with a cybersecurity firm, then it’s critical that you keep your security software up to date. The cybersecurity arms race is always intensifying, and we’re facing a situation in which ChatGPT and other AI models will create malware that only other AI systems can detect.

Use AI to Extend Your Cybersecurity Team
There’s a well-documented lack of cybersecurity talent in the U.S. The country is estimated to lack about 1 million people in the cybersecurity field, putting countless companies in the U.S. at risk. By arming themselves with AI tools, businesses can extend the capabilities of human cybersecurity staff and enhance the efficiency and sophistication of their defenses.

For example, the cybersecurity company Sophos found that spam filters using ChatGPT, compared with other machine learning models, were more accurate, enabling them to catch far more threats than without. Integrating next-generation spam filters with other “ChatGPT” detection capabilities could help your business not just mitigate the rise in AI-powered attacks but also to win a competitive edge and reduce overall attacks.

Similarly, AI is now being used by a variety of LNS Solutions’ cybersecurity vendors to reduce false notifications and detections, speed up the security forensics process, and eliminate labor intensive security tasks.

Improve Your Cybersecurity Awareness Training
The largest source of cybersecurity vulnerability is an unprepared staff. Now is the time to double down on your cybersecurity awareness training and bring your entire team—from cleaning people and front desk staff to executives and boards of directors—up to task on the changing AI landscape.

Proactively facing the threat of AI head-on is the best way to establish a confident foundation for what’s sure to be a turbulent future full of dynamic AI-powered attacks.

Florida’s Cybersecurity Team

For over 30 years, the LNS Solutions team has been helping companies in Tampa defend themselves against cyber criminals and malware. If your business is struggling to achieve the resiliency and confidence you need, contact our helpful team any time at (813) 393-1626 or info@LNSSolutions.com. We look forward to speaking with you!

 

What is the Difference Between Disaster Recovery and Business Continuity?

This is the third installment in a 3-part series on hurricane preparedness and business continuity. 

Business leaders in Tampa that are preparing for hurricane season will likely encounter two terms, disaster recovery and business continuity, in their search for stability.  Though the two concepts are related in that they help you respond to the threat of natural or man-made disasters, they also differ in important and sometimes confusing ways.

Here’s what businesses in Florida should know about both approaches and how to combine them to minimize the chance that a hurricane will cause lasting damage.

This blog is part of a series on storm season preparedness, read the first part here.

Disaster Recovery is Focused on Business Technology

Disaster recovery is a plan that enables your business to anticipate catastrophic downtime and regain access to and functionality of your technology as fast as possible. Unlike business continuity—which helps your entire organization plan redundant human resources, workspaces, vendors, and technology—disaster recovery is tightly focused on IT systems.

Important metrics that you can use to measure the effectiveness of your disaster recovery plan include the following:

Recovery time objective (RTO)
How long can a system stay down before it starts to impact your business negatively. This metric gives you a limit to how much downtime you can tolerate, which you can use to guide the DR planning process.

Recovery point objective (RPO)
How much data loss is acceptable to your organization? Is a backup that’s 24 hours old enough to get your business back on track, if a tropical storm should strike? 12 hours? This metric helps you understand how frequently your backup systems should be creating redundant copies of your data.

Read more about RPO and RTO on TechTarget.

Why Disaster Recovery is Important

There are multiple beneficial outcomes of having disaster recovery plan, including the following:

Ensure data security
Disaster recovery isn’t just about hurricane protection. Integrating data protection and backup into your disaster recovery plans can provide your organization with a valuable backstop against ransomware and other forms of malware so that if your systems do ever get deleted, you’ll have recent production data to restore operations.

Reduce recovery costs
By being proactive about disaster and having a clear, organization-wide plan for responding to it, you can dramatically lower the cost of responding to downtime.

Responding to those events reactively means hiring hourly IT consultants to perform forensics on your damaged systems, building a plan for saving your network, then marshalling the resources to do that time-consuming work. Each of those steps comes with the potential for costly overtime charges.

Being proactive eliminates much of that reactive work, enabling you to budget for storm preparation with greater confidence.

Business Continuity Keeps Your Organization Productive

As mentioned above, business continuity planning (BCP) is larger in scope than disaster recovery. It’s designed to give you a clear plan for not just responding to a disaster but weathering that disaster and staying productive, no matter how big a storm hits our state.

To build a business continuity plan, you’ll need to coordinate people and resources from across your organization. Here are the most important steps that go into developing a business continuity plan:

Perform a business impact analysis
Start by analyzing your organization to identify critical business activities and their associated dependencies. This helps you understand which systems you need to protect to keep the business operating and where to target your work.

Develop plan and controls
Depending on your tolerance for business downtime, the next step is to develop a clear system for maintaining the health of the critical business operations.

For some small businesses, this could be as simple as sharing access to cloud-based systems. Large, more complex organizations will want to explore alternative office locations, backup telecom infrastructure, and define redundant lines of communication and chain of command to ensure smooth operations when a hurricane or other disaster strikes.

Monitor and test the BCP
The BCP isn’t a static document that you can create and then leave unattended. Your organization changes every day as personnel come and go, business functions change over time, and priorities shift. You should revisit your BCP at least once a year to keep it aligned with your goals and to make sure it still functions properly.

We’ve recently written an in-depth piece about the business continuity planning process, which explains in detail what you can do to make each step of the BCP process efficient and successful.

Business Continuity Outcomes

Important outcomes of a business continuity plan include the following:

Regulatory compliance
The benefits of business continuity extend far beyond hurricane preparation. Businesses in regulated industries like financial services and healthcare are often subject to regulatory compliance standards, like FINRA, HIPAA, and HITECH, which require business continuity in place.

Stronger customer retention
If your business takes weeks to return to normal operations, customers may go looking for other suppliers to help them, compounding the hurricane’s impact on your business. In today’s business climate where between 70% to 80% of a business’s value comes from hard-to-assess assets like brand equity and reputation, being a beacon of stability can have serious returns.

Lower insurance premiums
Businesses in Florida rely on their insurers to protect them from natural disaster and cyber threats. Many forms of insurance require businesses to demonstrate a business continuity plan to purchase insurance or to get the lowest possible premium possible.

Creating Business Continuity and Disaster Recovery Synergy

To clarify, the most important difference between the two concepts is when they’re triggered.

A business continuity plan is triggered at the outset of a hurricane or tropical storm so that your team can work through the disaster with as little interruption as possible, while a disaster recovery plan is typically triggered after a disaster has taken place, allowing your team to begin the process of restoring your technology systems as quickly as possible.

But the reality is that the two concepts play an important, synergistic role in helping to keep your business safe from natural disasters. Here’s some of the benefits of combining the two strategies:

• Expose potential gaps
  Creating a holistic plan for overall resiliency—both operational and technological—makes it more likely to find weak points in each plan, leading to a more resilient overall process and a stronger business.
• Reduce recovery time
  With IT now playing a central role in most Florida businesses, business continuity means fully functional IT systems. The sooner you get your technology back up and running at maximum capacity, the sooner you’ll be profitable again.

74% of surveyed organizations have faced a disruptive event with third parties in the past few years.

You can find the first installment here in our 3-part series on hurricane preparedness and business continuity.

Tampa’s Business Continuity and Disaster Recovery Partner

For 30 years, the LNS Solutions team has been helping businesses in Tampa defend against hurricanes and other natural disasters. If your business is struggling to discover the resiliency it wants, contact our helpful team any time at (813) 393 1626 or info@LNSSolutions.com. We look forward to speaking with you!

Contact Us!

The Complete Guide to Business Continuity Planning

This is the second in a 3-part series on hurricane preparedness and business continuity. 

Serious interruptions to productivity can be a catastrophe for unprepared businesses. Even a single day of downtime can cause a small or midsized business tens of thousands of dollars in lost opportunity, revenue, and reputation.

For larger businesses, IDC estimates that operational downtime can cost up to $100,000 per hour on average.

The most effective tool that businesses have to maintain their operations when a hurricane or other disaster strikes is a business continuity plan (BCP). We wrote this article to help Florida get started with the planning process, understand how it benefits them, and answer any questions they might have.

What is Business Continuity Planning?

Business continuity (BC) planning is a tested plan that outlines everything a business must do when it faces abnormal business interruptions, such as hurricanes and natural disasters, ransomware attacks, or human error.

It is a holistic process that covers every aspect of your business, including your network technology, communications, human resources, physical workspaces, and each of their dependencies.

Triggered before disaster even strikes, think of a BCP as your first-line defense against downtime. As opposed to reactive planning, such as disaster recovery, your BCP helps you proactively maintain normal business operations with as little operational downtime as possible.

The Elements of Comprehensive Business Continuity Plan

A business continuity plan varies from company to company. But here are the components that a successful BCP will contain:

Risk Scope Analysis
Developing a business continuity plan starts with understanding the risk’s scope. This means identifying which critical business functions you are trying to protect, and what dependencies each of those functions have that might be affected by a disaster.

Keep an open mind when thinking of “unprecedented events.” While natural calamities like floods and tropical storms are top of mind in Florida, you should also consider all other risks, such as technological outage, regulatory changes, cybersecurity, and human error as well.

The scope of your plan will be the foundation for all subsequent components of the BCP.

Business Impact Analysis (BIA)
Another major component of the BCP is a detailed analysis of how every identifiable risk will impacts the core business functions from the scope analysis. Running a BIA will help you understand in detail what must be done by whom to sustain those functions when a disaster strikes.

Unlike a risk assessment, which identifies threats and the likelihood of them harming your business, the BIA goes further to define the severity of each threat and how they affect your business operations and finances.

A BIA should analyze each threat in 5 dimensions:

• Human resources
  People are central to your operations, so that your BIA must identify which workers and hierarchies are responsible for each core function and how those responsibility will be delegated when an unwanted event strikes.
• Workspace analysis
  If you’re a multi-location business, how you leverage your reach is vital. Perhaps you may have to shift swiftly from one location to another. If you’re a single-location business, then planning redundant office or meeting spaces can facilitate the continuity process.
• Business technology
  What technology will you use after disaster has struck? Will employees switch to their own personal devices, or will you distribute computers for them to use? What cybersecurity or compliance ramifications does this have? These are just a few of the many concerns that a BIA must address.
• Service delivery
  Professional services firms can switch to online-only service delivery and shut down their physical location easily, like they did during COVDI-19 pandemic. However, many businesses, such as manufacturing firms, healthcare providers, and retail businesses, don’t’ have this luxury. Knowing exactly how service delivery will be impacted by a hurricane or natural threat will help you plan failover systems.
• Health and safety
  The physical safety of your employees, partners, contractors, and customers is paramount during a crisis. You should dedicate a portion of your BIA to how you’ll ensure the health and safety of all stakeholders who are helping you stay operational during a crisis.

Communication Strategy
Communication is paramount when mitigating an unforeseen event. Your BCP should outline how employees should communicate with one another, their superiors, their subordinates, and third-party stakeholders.

In most cases, you can’t have to rely on the hierarchy you have during normal workdays, which means you may need to grant provisional autonomy to certain team members or restrict access to certain systems until your systems have been restored.

You may also choose to implement external communications and public relations as a part of your continuity plan so you can proactively manage your customer expectations and any reputational damage.

Controls and Mitigation
Disaster mitigation, among other things, requires quick decision-making. After analyzing the risks, affected personnel, location, and service delivery requirements, you can now create an action plan.

You need clear instructions on what must be done at the minimum level by every person involved in the mitigation process. The controls are also likely to vary for each disruption scenario.

Leave some room for improvisation. Since you can’t plan for everything well in advance, you should grant limited authority to your “boots on the ground” to work off the prescriptions as they see fit to meet the challenges they face.

Test and Refine Business Continuity Plan

After the continuity plan is in place, it’s time to test it. Run the teams through each disaster scenario as if your business was experiencing a real-life crisis. Repeated testing allows you to measure the plan’s effectiveness and iron out any weak points.

Testing isn’t a one-off event. Regular testing and refinement of the plan will help you achieve a more efficient and consistent result. Communicate the plan and its results throughout your organization so employees can get acquainted with each scenario and what you have in terms of expectations.

The Benefits of Having a Tested Business Continuity Plan

Business continuity planning may seem like a lot of work. But it’s well worth it, given the potentially ruinous costs of facing disaster unprepared. Here are some of the key outcomes that you can expect to reap from a well-tested BCP:

• Minimize downtime
  Most businesses are either not prepared or underprepared to deal with unknown events. 54% of businesses said they’ve experienced at least 8 hours of downtime in the last 8 years. A BCP could have helped those firms pivot more effectively and saved countless hours in lost productivity.
• Customer retention
  If you stay open during critical periods, there’s a good chance that retain or gain more customers than the competition that closes.
• Increase brand trust
  When you can serve customers even in calamities, you enhance your value in the eyes of customers and investors. You become a trusted partner, not just another vendor, which directly increases your brand’s value.
• Protect your bottom line
  All of the above factors trickle down to the bottom line. BCPs help generate more revenue, improve productivity, and cut losses.

Read the third blog of our 3-part series on hurricane preparedness and business continuity.

Florida’s Trusted Business Continuity Consultant

For 30 years, the LNS Solutions team has been helping businesses in Tampa defend against hurricanes and other natural disasters. If your business is struggling to discover the resiliency it wants, contact our helpful team any time at (813) 393 1626 or info@LNSSolutions.com. We look forward to speaking with you!

Contact Us!

Protecting Your Business Technology in Hurricane Season

This is the first in a 3-part series on hurricane preparedness and business continuity. 

Every year, the Florida business community must gird itself for hurricane season, a significant trade-off for living in a uniquely beautiful state.

Since 1980, the total cost of damage done to coastal Florida by storms has totaled $450 billion in total, with Hurricane Ian alone doing over $100 billion, the costliest disaster in the history of Florida’s history.

As we approach storm season, the team at LNS Solutions thought businesses in our area would benefit from a checklist that helps them take stock for the best practices around disaster preparation and review what they should be doing to protect to minimize downtime that storms cause this year.

Becoming Proactive About Hurricane Protection

The single best thing a business can do to protect itself is take the threat seriously and start the planning process now, before hurricane season starts.

1 - Inventory Your Network
Start by creating a detailed list of all the devices connected to your network. The inventory serves the dual purpose of helping you understand your areas of greatest vulnerability while also helping you successfully file any insurance claim for damaged hardware, if the worst were to occur.

2 – Devise an Escape Plan for Portable Equipment
It’s relatively easy to secure personal computers, workstations, and company mobile devices during a hurricane. The forewarning should give you enough time to power those devices down and move them out of your premises to a safe location.

Deal with any technical hurdles you might face during that process now, which include who’s going to disconnect and move their devices and which safe, inland space they can bring them to wait out the storm.

3- Secure Servers and Immovable IT Infrastructure
For systems that cannot be moved, you can improve their chance of weathering a major storm with the following guidelines:

• Wind can cause huge damage in the opening hours of a storm, but most of the damage that a hurricane causes is in the flooding that lingers in the hours and days after the storm passes. This map from FEMA will help you analyze your company’s flood zone risk.
• When possible, place critical systems in the middle of a room or floor away from windows.
• If that’s not possible, place ground floor systems elevated at least 18 inches off the ground to help mitigate the risk of flooding. Disconnect the uninterruptible power supply (UPS) or batteries as the storm draws near. The lithium in batteries is flammable and could become dangerous if exposed to water.
• Cover your computers and devices with plastic sheeting, and document everything with photographs.
• This is a good time to ensure that the building’s safety systems are functioning properly.

Beware of what’s known as “optimism bias” in the behavioral sciences field. “I’ve been lucky so far” and “It won’t happen here” are all versions of this bias, which can be enormously costly if a disaster does strike. Assuming that your business is vulnerable saves your stress and expense.

According to the Uptime Institutes 2021 Annual Outage Analysis, 40% of business interruptions or outages cost between $100,000, and $1 million.

Disaster Recovery Systems

Strong backup and disaster recovery (BDR) planning is crucial for businesses under any circumstance. For businesses in Florida, it’s even more important that you have a functioning, tested system in place to help you recover sensitive data after a disaster.

4 - Start with the 3-2-1 Backup Strategy
The 3-2-1 backup strategy says that you should have 3 copies of your data (production and two backups) on two different forms of media, with one copy stored offsite.

When working with your cloud backup, pay attention to the vendor and ensure that the data centers that your backups are being stored in a stable location outside Florida so that your data is safe there no matter what happens.

Some businesses may want to move beyond just a single backup in the cloud, so speak to your vendor and make they provide an acceptable level of redundancy on their systems. Security-minded businesses will build even further protection into their strategy by replicating their backups to two providers.

5 - Test Your BDR System
The ability to backup data isn’t what’s going to save you from the next Hurricane Ian, it’s the ability to restore that data quickly and use those backups to restore operations at your business. We’ve seen too many businesses neglect their BDR plans, only to find that when they need them most, they’re not working as well as they need.

When testing your BDR solution, here are some things to look out for?

Build and Test Your Business Continuity Plan

How long can you go without serving your customers before the damage this downtime causes becomes permanent?

Answering this question will help you guide your business continuity strategy and set appropriate goals. For example, small professional services firms may be able to tolerate a day or two of downtime as they get their technology back to operational, while midsized financial service firms and healthcare providers often have only minutes or seconds to spare before they fall afoul of regulators or experience a significant loss of reputation and money.

To help mitigate this, you’ll need not just a plan for recovering your technology after a hurricane strikes but for keeping your team productive through a hurricane. This is known as a business continuity plan, or “BCP.” There are several steps in the continuity planning process, including the following:

1. Identify critical systems
2. Business impact analysis
3. Develop continuity procedures
4. Communicate
5. Test & Train

There are important differences between business continuity and disaster recovery, though they’re often confused. For more information about what each of the steps in the BC process means, we encourage you to read this in-depth guide, which will help you understand the entire process.

Read the second of our 3-part series on hurricane preparedness and business continuity.

Weather Hurricane Season with a Veteran Technology Partner

For 30 years, the LNS Solutions team has been helping businesses through Florida achieve maximum stability in hurricane season and beyond. If your business could use a partner to help build disaster-proof IT, contact our team any time at (813) 393 1626 or info@LNSSolutions.com. We look forward to speaking with you!

 Contact Us!

Multifactor Authentication is Critical to Network Security

Password-based attacks are one of the most common tools in the hackers’ toolkit, with about 81% of company data breaches directly attributable to an exploited password or network credential.

The reason these attacks are so popular is because they’re simple and effective. Instead of advanced strategies, such as SQL injection or cross-site scripting (XSS), hackers who want to access your data with phishing can simply send some emails and hope your staff hand over their network credentials.

That’s why the LNS solutions team secures all its clients’ devices with what’s known as multi-factor authentication (MFA). This article is designed to help businesses in the Tampa area understand why we’re so insistent on using MFA and how it helps stop a wide variety of common attacks.  

What Is Multi-Factor Authentication?

MFA is a way of controlling access to your network that goes beyond just requiring a simple password to log into your network. By requiring another type of proof (or “factor”) to gain access to your systems and data, MFA provides a dramatically higher level of endpoint security than passwords alone.

There are several types of multi-factor authentication, including the following:

1. Knowledge Factor – This is personal information that only the user knows, like your mother’s maiden name or the name of your first dog.
2. Possession factor – This is usually a cell phone, tablet, or hardware device that’s been authorized by the system.
3. Inherence factor – This group indicates something that you are, often a retinal scan, voice ID, or fingerprint.

How Does MFA Help Businesses Stay Safe?

MFA helps businesses stay safe by blunting the impact of the most common forms of cyberattack, including two of the most prevalent cyber threats, phishing and ransomware.

Phishing Attacks
Half of all cybersecurity leaders feel that phishing is a serious threat, with network credentials being the goal of most such attacks. In the simplest form, phishing tricks employees into clicking on a link that gives hackers access to their computer, which they can then use to infiltrate connected systems.

MFA helps prevent phishing by forcing hackers who have stolen a password (or purchased one on the dark web) to jump through yet another security door. In fact, according to Microsoft, MFA could prevent over 999% of account-based cyberattacks.

Ransomware Attacks
MFA cannot stop ransomware entirely, but it’s a powerful tool that can make a critical difference in many scenarios. Besides the direct benefit of scaring hackers from your network with MFA, alerts from an MFA authentication app can also give a hacked end user critical warning they’ve been compromised, allowing your cybersecurity team (or partner) to take mitigating steps before things spin out of control.

Small Businesses Remains Wary of MFA Adoption
According to one recent study, over two-thirds of smaller organizations have not implemented MFA yet. Why are businesses, who are relatively undefended, so resistant to a simple, cost-effective security approach that’s so effective?

We’ve found that resistance to MFA breaks down into a few different camps.

• Fears of Company Data
  Once personal devices are being used for multi-factor authentication, does that mean that employees have free reign to put company data onto those devices as well? Businesses that worry about MFA blurring the lines between corporate and privately owned assets can make MFA part of a larger mobile device management solution, clarifying that distinction.
• Cost of Mobile Devices
  Business leaders may worry that once employees are using personal devices for work, they’ll expect compensation for those devices. There’s no hard and fast answer here. The vast majority of companies do reimburse employees who use their own devices for work-related tasks, but simply using a device for MFA verification doesn’t have to meet that standard. Just communicate your decision clearly to your staff and be open to engaging in dialog around MFA configuration.

MFA Isn’t a Cybersecurity Silver Bullet

Unfortunately, MFA alone isn’t enough to guarantee strong network security. Hackers are highly adaptable and have found ways to bypass some of the protections that MFA provides, though the methods for doing so require a lot more skill and insight than it takes to launch a standard phishing attack.

For example, “Man in the Middle” attacks work by temporarily assigning the cell phone number of an employee to another cell phone. This is called “spoofing.” Spoofing allows hackers to intercept the SMS messages that verify a user, disrupting the second MFA factor and gaining access to your systems.

Another thing to watch out for is simple “MFA fatigue” or “MFA spamming.” By overloading a user with MFA prompts and notifications, hackers hope that they will eventually, out of frustration, force the user to accept the login attempt to stop the notifications from coming.

That’s exactly what happened at a recent hack at Cisco. If a major technology company is vulnerable to such an attack, it makes sense that small-and midsized businesses in Tampa should be vigilant as well.

Here’s what you can do to ensure your MFA provides a consistent, strong defense.

Focus on Your Overall Cybersecurity Posture
Perhaps the most critical thing you can do to ensure your MFA deployment is a success is to ensure that you’re applying cybersecurity best practices to the other aspects of your network. If there are other weak spots in your defenses, such as poor password management or data hygiene, then hacking MFA becomes much easier.

The Rise of Phishing Resistant MFA

There’s a new generation of “phishing resistant MFA” that goes beyond the SMS message, other one-time passwords (OTP), and app-based push notifications. Based on new authentication technologies, like FIDO or the Federal Government’s Personal Identity Verification (PIV), this type of MFA uses strong cryptography, device registration, and advanced biometric to eliminate the eliminate the weak links in standard MFA process.

Phishing-resistant MFA is a newer technology that large tech companies like Google and Microsoft have adopted, but you can be sure that as it matures, it’ll find its way into small business networks.

Tampa’s Trusted Cybersecurity Team

For over two decades, the LNS Solutions team has helped companies in the Tampa area stabilize their networks and protect their sensitive data and assets. If you have cybersecurity questions, we encourage you to reach out to our team any time at (813) 393-1626 or info@LNSSolutions.com.

 

How to Identify and Manage Your Cybersecurity Risks

It’s not news that cybersecurity is the leading source of risk for small and midsized businesses in the Tampa area.

According to a 2022 report, nearly 4 in 5 small and midsized businesses say that the number of cyberattacks targeting their organization grew over the last year. At the same time, limited resources, a lack of internal security expertise, and an urgent time constraint make finding security confidence difficult.

There is a way to navigate the complexity of security without guesswork or wasting budget.

By using a resource like the National Institute for Standards and Technology (NIST) Cybersecurity Framework, small businesses can adopt what’s known as a “risk-based” approach to cybersecurity, which focuses their efforts on areas of greatest concern while saving huge amounts of effort and money.

What is a Cybersecurity Framework?

Cybersecurity frameworks are essentially a set of guidelines, standards, and best practices that help you secure your business technology systems. They are based on techniques and leading practices that have been proven to work for multiple industries and organizations.

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is one of the most popular cybersecurity frameworks in use across both public and private sector organizations today. It was originally created to secure Federal Infrastructure to help organizations effectively secure their systems against cyber risks.

One of the main reasons behind its popularity is its flexibility. NIST can be used at SMBs and large enterprises alike—no matter what industries they operate in. It contains instructions for conducting regular risk assessments and guidance across five key action areas.

1.      Identify

The first step is to identify actions that will help you understand your sources of risk. Some of the key recommendations include:

• Locate the hardware and software that you’ll need to protect
• Analyze the vulnerabilities and threats to the your those resources
• Having a user account per employee, and outlining cybersecurity policies in a handbook.

The identify phase is characterized by what’s known as a cybersecurity risk assessment, a deep analysis of your network through the lens of the NIST CSF. These assessments aren’t one-off events; you should run one whenever there’s a major change in your network.

2.      Protect

This category contains recommendations to safeguard your systems and limit the impact of cyberattacks. It entails giving employees access only to what they need, regularly patching your operating system and applications, installing firewalls, encrypting sensitive data, and implementing network security tools.

3.      Detect

If a cyberattack does occur, it’s critical that your organization detect it as quickly as possible. To help organizations achieve this, the framework suggests the installation and updating of antivirus and anti-malware, and monitoring and logging digital activity. These can help you investigate and identify sources of compromise quickly.

4.      Respond

What do you do when intrusion or compromise is detected? You must take appropriate activities to contain and analyze the event to realize its impact. This portion of CSF helps you define roles and responsibilities, manage communications with internal stakeholders, external stakeholders, and law enforcement, and ensure that mitigation activities are performed according to plan.

5.      Recover

The goal of any cybersecurity program is for you to return to business-as-usual as soon as possible after an attack takes place. The last part of the NIST framework helps you restore timely operations to reduce the impact of cybersecurity incidents big or small.

• How to coordinate internal and external communications
• Internalize lessons learned after an attack
• Adjust your cybersecurity strategy based on your team’s experiences

While the NIST framework recommends actions across these five categories, you don’t need to implement all 900 security controls in NIST, only the ones that apply to your business.

Why Risk-based Cybersecurity is Important for Small Businesses

In the past, businesses acquired their cybersecurity skills in an incremental way. This approach—known as the maturity model—has businesses slowly build out their roadmap for developing security practices, guidelines, and controls as their business grows.

Risk-based cybersecurity turns the focus to risk reduction. It means identifying the sources of risk, and prioritizing the risks that are most important from a business continuity perspective. There are many benefits of this model for small and midsized businesses.

Proactive Cybersecurity
Risk-based cybersecurity optimizes your cybersecurity capabilities based on what they protect. The more critical an asset, the higher its priority; therefore, your defenses and efforts are focused on protecting what matters the most for your business.

Instead of aiming at 100% security, it focuses on a meaningful risk reduction. This strategy is more proactive in that it aims to reduce risk exposure and prevent cyberattacks instead of building capabilities to fend them off.

Lower Security Costs
Risk-based strategies are significantly more cost-effective than the traditional maturity model. According to a McKinsey study, an organization improved risk reduction by 7.5x with a risk-based approach at no additional cost. For SMBs, risk-based approaches can significantly reduce their cybersecurity spending or help them achieve a much higher level of security at their existing budgets.

Respond to New Threats Faster
A risk-based approach does not treat cyber risk as a static factor. It takes the evolution of the business and threat landscape over time into account and advocates a dynamic approach to security, meaning you’ll be able to easily adjust your protections as new threats emerge.

The NIST CSF is important because it helps all businesses, including SMBs, adopt a risk-based cybersecurity model. So, how can SMBs adopt NIST? See below.

How to Implement the NIST Cybersecurity Framework

As we mentioned above, the first and most important step to implementing the NIST framework is to gain a deep understanding of your “big picture,” meaning which systems are well-protected already, and which need stronger support.

This starts with a cybersecurity risk assessment.

With the intelligence you’ve gathered, you can then start to prioritize the most important risks that you want to mitigate. Supplementary resources, such as the Factor Analysis of Information Risk (FAIR), can help you quantify your cyber risk and determine which controls to prioritize.

It’s important that your effort has the full support of leaders as you work through the NIST controls. Risk-based approaches are not just about implementing technical protections, it also means managing the human aspects of cyber risk, which requires buy-in from across your organization.

You may also want to consider enlisting the help of an IT security partner who can help you manage the many complexities of streamlining your security efforts with NIST.

LNS Solutions: 20 Years of Cybersecurity Expertise

Implementing NIST or other popular security frameworks like ISO 2700 requires expertise in risk assessment, building risk models, and identifying a roadmap to secure a network. If you find any of those things challenging, then call the LNS Solutions team for help.

Out team of friendly team of cybersecurity experts is available any time at (813) 393-1626 or info@LNSSolutions.com. We’re here to help!