Cyber Security Protocols for your Firm

Aaron Tiainen, November 22, 2022

If you have landed here, either we have directed you here or Google has done its job. Either way, you are probably wondering what this is all about.

For all our Legal Clients, Lexon Insurance requires that a Firm meet or exceed the following system controls:

  1. Robust Password / Passphrase Policy
  2. Multi-factor Authentication
  3. Device-specific Authorisation (applies to firms with a base excess greater than $17,500.00)

So, in effect your Firm needs to be following all of the above in order to meet their requirements. Let’s take a look at them in a little more detail.

1. Robust Password / Passphrase Policy

This means using good password practices to reduce the chance of anybody guessing your password. Specifically, the insurer requires the following:

  • Enforce a strong password / passphrase policy covering complexity, length and expiry.
  • The password / passphrase must not be disclosed to anyone.
  • Avoid passphrase reuse across different accounts, avoid use of a single dictionary word and avoid unencrypted storage of passwords / passphrases.

For most of you, the above will go without saying. We have written a post about password creation (you can find it here) which explains how to create a long, complex but memorable passphrase. You should never give your password to anybody. Not only is it a risk in itself, but if that person doesn't take security as seriously as you do, you can expect that account to be compromised. What if you used the same password for all your online activities? Then whoever obtains that one password can effectively take over every one of your online accounts and steal the data in them. All the more reason to keep a unique password for every single online account you have.

What if you have a bad memory, or too many passwords to remember? Need to share passwords securely between staff? Then a password manager is something you should consider. We use and recommend LastPass, and we can offer it as part of our services to help better secure your Firm.

2. Multi-factor Authentication

Multi-factor authentication is used to authenticate remote access for all users of all email, practice management, payment and settlement applications. An insured should use at least two of the following to authenticate.

  • Passwords / Passphrases
  • Universal 2nd Factor security keys
  • Physical one-time password tokens
  • Mobile application one-time password tokens
  • Biometrics
  • Smartcards

Most applications you use today support at least one of the above multi-factor authentication methods.

We'll start with one of the easier ones: Microsoft 365. You should have multi-factor authentication enabled on ALL accounts, administrators included; it only takes one unprotected account to cause trouble. Microsoft have made it very easy to enable and roll out, and it honestly doesn't have a huge impact on day to day work. Most practice management systems should also offer multi-factor authentication, as should payment and settlement applications. If you are unsure whether your applications support it, please call or email us.
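As an added example (not part of the original post, and not a Microsoft script), here is how to check the "ALL accounts" point for yourself with the Microsoft Graph PowerShell SDK. It lists every enabled member account that has no MFA method registered, administrators first. It assumes the Microsoft.Graph module is installed and that you sign in as an admin who can consent to the read-only scopes it asks for; the CSV file name is an arbitrary choice.

```powershell
# Added example for this post (not Microsoft's code). Assumes: Install-Module Microsoft.Graph
# has been run, and the signing-in admin can consent to the three read-only scopes below.

Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","User.Read.All"

# Enabled accounts only: a disabled account cannot sign in, so it needs no MFA.
$enabled = @{}
Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName |
    ForEach-Object { $enabled[$_.Id] = $true }

# The registration report is the same data the Entra admin centre shows under
# Protection > Authentication methods > User registration details.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object {
        $enabled.ContainsKey($_.Id) -and      # account is enabled
        $_.UserType -eq 'member' -and         # guests are handled separately
        -not $_.IsMfaRegistered               # no second factor registered at all
    } |
    Select-Object UserPrincipalName, IsAdmin,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending           # admins with no MFA come first: fix those today

$noMfa | Format-Table -AutoSize
$noMfa | Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation   # file name is our choice
"{0} enabled member accounts have no MFA registered" -f @($noMfa).Count
```

Registered is not the same as enforced: a user can have a method registered and still never be prompted. Enforcement comes from a Conditional Access policy (or Security Defaults on tenancies without Business Premium), so run this report after the policy is in place as well, to catch new starters.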

3. Device-specific Authorisation

At the moment this only applies to a Firm if they have a base excess of $17,500.00 or greater (it is also highly recommended for all other practices).

Specifically for the needs of the insurer, Device-specific authorisation means

  • Only devices that are known, trusted and authorised by the practice’s information technology system can access practice accounts, systems and/or data.
  • Access authorisation is rescinded when a specific device no longer needs access.
  • User access to these devices should be controlled by password / passphrases and/or PIN (at least 6 characters in length) and/or biometric authentication.

To meet the above you need to control not only the mobile devices connecting to your systems, but also the computers that attempt to connect. If you are using the Microsoft 365 suite of products, the best option to achieve this is the Microsoft 365 Business Premium product. It includes several features which help you meet the requirements, namely

  • Microsoft Defender for Business – endpoint security (antivirus plus endpoint detection and response) for the firm's workstations and servers.
  • Advanced Threat Protection (now called Microsoft Defender for Office 365) – scans links and attachments in email, Teams, SharePoint and OneDrive for phishing and malware.
  • Information Protection – sensitivity labels and data loss prevention that control how internal data is classified, shared and encrypted, protecting it from theft, corruption or unauthorised access.
  • Microsoft Intune – enrols and manages devices and their apps; together with Conditional Access (included through the Entra ID P1 licence in Business Premium) it is what actually enforces the rule that only known, compliant devices can reach practice data.

For those of you who do not use the above and still have on premise solutions, we can still provide the same level of security for you. Please contact us to review your environment.
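To show what "only known, trusted and authorised devices" looks like in practice, here is an added example (not from the original post and not Microsoft's own script) that creates the two Conditional Access policies a Business Premium firm would normally use: one requiring MFA (section 2) and one requiring an Intune-compliant or Entra-joined device (section 3). Both are created in report-only mode. It assumes the Microsoft.Graph module, a Business Premium (Entra ID P1) tenancy, and that you have already created an emergency-access (break-glass) account whose object ID replaces the placeholder GUID; the policy names are our own.

```powershell
# Added example for this post (not Microsoft's code). Assumes the Microsoft.Graph module,
# an Entra ID P1 licence (included in Business Premium), and an existing break-glass
# account. The GUID below is a placeholder: replace it with that account's object ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace before use

function New-FirmCaPolicy {
    param(
        [string]$Name,
        [string[]]$Controls      # built-in grant controls, e.g. "mfa", "compliantDevice"
    )
    $body = @{
        DisplayName = $Name
        # Report-only first: sign-in logs show who WOULD be blocked without blocking anyone.
        State       = "enabledForReportingButNotEnforced"
        Conditions  = @{
            Users          = @{
                IncludeUsers = @("All")
                ExcludeUsers = @($breakGlassId)   # never lock the emergency account out
            }
            Applications   = @{ IncludeApplications = @("All") }
            ClientAppTypes = @("all")
        }
        GrantControls = @{
            Operator        = "OR"                # any one of the listed controls satisfies the policy
            BuiltInControls = $Controls
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Section 2: every user, every cloud app, must pass MFA.
New-FirmCaPolicy -Name "CA01 - Require MFA for all users" -Controls @("mfa")

# Section 3: only Intune-compliant or Entra-joined (domain-joined) devices may sign in.
New-FirmCaPolicy -Name "CA02 - Require known device" -Controls @("compliantDevice","domainJoinedDevice")

# Confirm both policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Enrol the firm's devices in Intune before touching CA02, leave both policies in report-only mode until the sign-in logs show no unexpected failures, then change State to "enabled". The device policy is the one that delivers the insurer's "access is rescinded when a device no longer needs it": retiring or wiping the device in Intune removes its compliant status, and the policy then refuses it.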

What else can we do?

Glad you asked. The three items above are Lexon's latest system control requirements, which you need to meet to stay covered by their insurance. If you want to take this a step further, which we advise, we would also recommend adding the following to your suite of protection:

  • Backup of your Microsoft 365 environment
  • Additional security suite of software
  • Additional monitoring
  • Password management tools
  • Regular phishing tests for your staff

Microsoft 365 is not foolproof. You may understand that your emails are in the cloud, but for the other apps, like OneDrive, SharePoint and Teams, would your firm cope with losing the data on those platforms? Microsoft's built-in retention of deleted items can be as short as 14 to 30 days for deleted mailbox items (the exact window depends on the product), and it is retention, not a backup. It doesn't cover someone accidentally or maliciously purging the recycle bin or deleted items, an attacker gaining access to an admin account, or ransomware encrypting the files stored in M365. You may think it's a slim chance, but it happens to people and firms every single day of the year, and it is unfortunately often thought about only after the fact.

Additional security software. We have recently moved all the firms we protect to the Sophos range of security products. We did this for the simple reason that it is the best at what it does. Not only does it protect against viruses and malware, it provides a detailed overview of what is happening on your network and integrates with Sophos's mail filtering and firewall devices. All of their products are designed to work together to protect your firm.

Want to know what is happening in your M365 environment? We use a tool which continually monitors an M365 tenancy for issues: login attempts from blocked countries, users without MFA set up, inbox rules that breach policy (for example, rules that forward mail outside the firm or quietly delete it), and so on. There is a wealth of information available from this platform which people rarely look at. We use it for the benefit of our clients.
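Two of those checks can be run by hand with the Exchange Online and Microsoft Graph PowerShell modules. The following is an added example written for this post, not the monitoring tool's own code: it flags inbox rules that forward mail outside the firm or hide it, and lists successful sign-ins from outside the countries you expect. It assumes both modules are installed, an Entra ID P1 licence (needed to read the sign-in log), and that the allowed-country list (AU here) is your own; the MFA-registration check is a separate Graph report and is not covered by this script.

```powershell
# Added example for this post (not the monitoring tool's code). Assumes the
# ExchangeOnlineManagement and Microsoft.Graph modules are installed, an Entra ID P1
# licence, and that $allowedCountries lists where your staff legitimately sign in from.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$allowedCountries = @("AU")                                   # your choice
$internalDomains  = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

# Pull the domain out of an inbox-rule recipient, which Exchange renders as
# "Display Name" [SMTP:user@example.com] or as a bare address.
function Get-RecipientDomain([string]$Recipient) {
    if ($Recipient -match '[\w.+-]+@([\w.-]+)') { return $Matches[1].ToLower() }
}

# Check 1: inbox rules that forward, redirect or hide mail. Someone who has taken over
# a mailbox creates these so the real owner never sees replies to the attacker's emails.
$suspiciousRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        # Unknown or unparseable targets are treated as external, so they get flagged too.
        $external = @($targets | Where-Object { $_ } |
                      Where-Object { (Get-RecipientDomain "$_") -notin $internalDomains })
        $hides    = [bool]$rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'RSS|Deleted|Archive|Junk')
        if ($external.Count -gt 0 -or $hides) {
            [pscustomobject]@{
                Mailbox    = $mbx.UserPrincipalName
                Rule       = $rule.Name
                Enabled    = $rule.Enabled
                ForwardsTo = ($external -join '; ')
                HidesMail  = $hides
            }
        }
    }
}
$suspiciousRules | Format-Table -AutoSize

# Check 2: successful sign-ins in the last 7 days from outside the allowed countries.
# Entra ID keeps 30 days of sign-in logs with a P1 licence, so run this at least monthly.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$foreignSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $allowedCountries } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }
$foreignSignIns | Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize
```

A forwarding rule to a personal Gmail address, or a rule that moves every message mentioning "invoice" or "settlement" into the RSS Feeds folder, is the classic sign of a mailbox that has already been taken over; treat any hit as an incident, not a clean-up task, and check the same mailbox's recent sign-ins from the second list.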

Password management tools are also highly recommended. How many passwords do you have? Where do you save them? Are your staff saving passwords to their personal Gmail accounts, or on their mobile phones? How well protected are those accounts and devices? Do you need to share credentials between team members? We use and recommend LastPass.

Phishing tests should be part of your staff awareness training. Email accounts are being compromised every day, and you need to be sure you are dealing with the right person. Phishing tests send simulated phishing emails designed to trick staff, which keeps them on the lookout for the small abnormalities that give a fake email away. A large proportion of compromises begin with someone entering credentials into, or downloading an attachment or application from, a fake email.

Are your clients protected? Do you deal with clients using @outlook.com, @bigpond.com or @gmail.com email accounts? If so, it is very likely, almost guaranteed, that at least one of your clients has an email account which is being monitored by a third party. How does this happen? Say a client has had an email account for a long time with an old, fairly simple password. Chances are that password has been reused elsewhere, and it may well have been exposed in a website breach of some sort. Now imagine that mailbox is being read by a third party. We have seen recent activity where emails in such accounts are intercepted and replaced, for the sole purpose of stealing funds. It is hard to detect because the attacker changes only the bank account details in an otherwise genuine email, so everything else about the message looks right.

Additionally, to keep the firm protected, we recommend that you:

  • Install and maintain high-quality defences across all points in the organisation's environment. This includes Firewall and End Point Protection software. Review security controls on a regular basis and make sure they continue to meet the organisation's needs.
  • Proactively hunt for threats to identify and stop adversaries before they can execute their attack. This is where monitoring and having a good insight into the data makes a difference. Our decision to move to Sophos allows us to provide this service.
  • Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Vulnerability scans can give you the overview of your devices on the network. They are expensive to run, but well worthwhile to do. We are working to make this more affordable for firms.
  • Prepare for the worst. Know what to do if a cyber incident occurs and keep the plan updated.
  • Make backups, and practice restoring from them so that the organisation can get back up and running as soon as possible, with minimum disruption.

I hope the above provides you with some insight as to what we believe will keep your firm protected. We are more than happy to meet with you and advise what we would recommend for your firm.

A quick snapshot of what we would provide is the following

  • M365 Business Std/Prem Licenses – We recommend using Business Premium licenses if you have BYO devices.
  • M365 Management and Monitoring
  • M365 + Server Backup Software
  • Advanced Antivirus/Antimalware protection with EDR/XDR Capabilities
  • Advanced Firewall/UTM Device
  • Phishing Tests and Training for Staff
  • Remote Server + Workstation Management and Monitoring
  • Password Management Software

The above is a minimum of what we would ideally want to see a firm using. If you are using an on premise solution without M365, most of the above will still apply to your firm.