Do Process! March 2021
CYBER THREATS IN THE LEGAL SPACE?
More than 70 percent of cyberattacks target businesses with fewer than 100 employees, and a recent report said that 60 percent of small businesses affected by ransomware went bankrupt within six months. Add to this the Cybersecurity Ventures projection that, heading into 2021, businesses will suffer a ransomware attack every 11 seconds and cyberattacks will cost $6 trillion annually, and the FBI's report that digital crime increased 75% between March and June of 2020. These numbers are staggering, especially as many small businesses have undergone sudden transformations into remote work environments necessitated by COVID-19; most, however, are not equipped to manage the security, risk, and technology demands that come with work-from-home employees.
So, the question begs to be answered: how can SMBs be better prepared to protect their business from the unique risk factors of cybercrime, and be strategically positioned with a disaster recovery plan to rebound from what is ultimately going to be an inevitable occurrence? One of the most often overlooked solutions is cyber insurance.
Many small and medium businesses, which often lack dedicated insurance or cybersecurity expertise, do not understand which coverages they might need, what cybersecurity standards must be in place to ensure valid claims are paid, or what to do in the event of a breach. Since business interruption makes up 36% of the cost of a cyberbreach according to the FBI's Cost of a Data Breach Report, 2019, and lost business has been "one of the largest expenses of a cyberbreach" for the past four years, getting claims paid and systems back online can greatly reduce a company's overall loss.
To the misfortune of small and medium-sized businesses, most do not make adequate investments in their IT budgets and cybersecurity programs. As a result, SMBs often run outdated or unpatched software, lack proper password hygiene, transmit unencrypted data, or fail to properly secure endpoint devices, making them ideal targets for attackers. Last year alone, new small business cyber breaches increased 424 percent, further solidifying this point. With such high levels of exposure and risk for SMBs, and an average small business spend of $955,429 to restore operations after a successful attack, it is shocking that 91 percent of small businesses do not have cyber insurance (and most traditional property & casualty policies do not cover cyber risk).
Simply purchasing a cyber insurance policy is only one part of the equation, as most policies require protection systems to be in place along with regular compliance audits. Small and medium-sized businesses will be in a far better position by making a proper investment in partnering with a well-established Managed Service Provider (MSP), not only to evaluate and manage cyber risk so that the business stays policy-compliant, but also to ensure that their technology environment is in alignment with desired business outcomes. And, of course, one of the first questions to ask is whether the MSP carries cyber insurance, because there is a good chance that it is part of the 91% of SMBs without it; if it does not maintain at least $5 million in cyber insurance, take it off the consideration list!
Social engineering is an often-overlooked method bad actors use in executing cybercrime. And while one may think Facebook is the go-to social platform for criminals to target individuals, LinkedIn is a far richer treasure trove of data and mostly unsuspecting contacts. With a respectable 720+ million monthly users, LinkedIn is recognized as the professional social media site, providing tools for businesses and people to develop and share industry thought leadership as well as to attract employees. As a business platform, it gives users a strong incentive to interact, with the goal of generating B2B leads or finding jobs and job candidates. Furthermore, it is reported that LinkedIn is where most Fortune 500 decision-makers and executives spend a fair amount of time, with about 45% of LinkedIn article readers in upper-level, decision-making positions. Now that it is established that LinkedIn is the leading online B2B platform, how does this tie to cybersecurity?
It links back to social engineering in the context of information security. Cyber criminals are known to find readily available sources, or to use deception, in order to manipulate people into sharing confidential or personal information. With professionals all too eager to interact in the B2B environment or seek career opportunities, LinkedIn is an effective tool of choice for threat actors, since the platform strongly encourages making new connections. For career-focused users, the 'old' tactics of tricking someone into clicking malicious links or downloading compromised files work well: individuals desperate for next steps in their job hunt are highly likely to let their guard down and overlook signs of fraud. Finally, LinkedIn is designed around users sharing their employment and education background, notable work or volunteer achievements, and business-related accomplishments (in addition to a myriad of contact details so that no lead gets away). The platform regularly reminds users to 'complete your profile,' 'add new sections,' and 'tell your network everything.' This generates a near-perfect reference repository from which cybercriminals can gather very detailed information about organizations and senior executives for use in nefarious activities such as spear phishing, angler phishing, and whaling.
LinkedIn users can protect themselves and still benefit from using the platform by adhering to some simple best practices and security tips. For starters, change your password regularly and do not reuse a password from another site. This is not specific to LinkedIn, but good password hygiene can never be stressed enough. Also, make sure you turn on two-step verification within the account access section of account preferences. Next, determine the minimum amount of personal contact information you need to have in your profile; in particular, your address should not be publicly viewable. There are many profile visibility options within account preferences. Settings to consider restricting include 'profile viewing mode,' 'who can see your connections,' 'manage active status,' 'share profile updates,' and 'notify connections when you're in the news.' Each of these affects how much information about you is available to someone building a profile of you or your contacts as targets. Finally, under the data privacy tab, explore 'how LinkedIn uses your data,' and look specifically under 'manage your data and activity.' Here you will find all the times you provided and shared your LinkedIn data (generally your profile) with a company, marketer, or permitted application. Additionally, consider deleting salary data if it was previously shared, and choose whether third-party partners can use data about you for research.
LinkedIn is a fantastic networking tool and business resource that, with a little bit of vigilance, can be safely used for its dominance as professional social media while also protecting you online as a user.