What & Why

Multifactor authentication (MFA) is protection that requires you to type in a code from your phone or another device you have in addition to your username and password. It helps ensure that the person attempting to use an account's login is who they say they are by asking for something you know (your login information) and something you have (your multifactor code). MFA codes change often, so they're not possible to guess easily using brute force techniques.

Using MFA makes it much more difficult for someone to gain access to your account even if they succeed in discovering your login information through something like a phishing attack or another company's data breach.

Recommendations

1. Enable MFA for ALL services that support it, but especially if you are using Windows Remote Desktop. This includes your email account, bank, Dropbox, Slack, Payroll provider, etc. If you go to google and search ""Enable MFA for [service name]"" and replace [service name] with, say, ""GMail"", you'll very quickly find instructions on setting this up across your services.
2. Some MFA methods are better than others. It's easy to choose the ""text message"" or ""SMS"" option, but apps you install on your smartphone like Authy or physical security keys that plug into your computer like Yubico are much stronger. This is because phone companies can, and often are, tricked into switching your cell phone number without proper authorization to a device the attacker controls. Choose one of the stronger methods whenever possible!
3. If you are using something like GoToMyPc or RemotePC for remotely accessing your computers, make sure to use their MFA feature as well to protect your computer.

Enabling multifactor authentication everywhere possible protects your accounts even if your login information gets out.

What & Why

Software and hardware providers regularly find security flaws in their products that need to be updated. Ideally, updates would be installed automatically on the same day and many do, but that's not always the case. Outdated software or firmware containing security flaws can be easily exploited by attackers with devastating consequences.

Malicious actors will often build scanning software that look for unpatched software to take advantage of, and which can be deployed at scale and executed automatically, making your computers and networking hardware susceptible even if not specifically targeted. With the advent of increased work from home arrangements, patching both company-owned and personal devices has become even more important. In the office, you may have certain firewalls and security software running that is not available or diminished for remote workers.

Recommendations

1. If you either outsource your IT management to an outside firm, or have a dedicated IT professional on staff, they may have a “patching procedure”. Ask them about this procedure and ensure it's being followed. Minimally, you want to ensure all operating systems are updated at least monthly, and critical software like Microsoft Office, Adobe, and accounting software are on the list as well. Many of these will NOT automatically update themselves.
2. If you don't already have a patching procedure, committed to installing updates on a regular day every month, say the first Friday of each. Send yourself and others a calendar invite and list of software to update that repeats each month.
3. Check with your internet service provider to see what updates they provide on your modem and router. If you own those pieces of equipment, make sure to login to administrative interfaces on those devices and update them on the same cadence. This can be a more technically difficult task, so you may need to get help.

Havoc Shield's cybersecurity program includes a patching procedure and an automated patching ""agent"" that scans your computers and servers for out of date operating systems and software. The agent then updates software in the background as soon as reliable patches become available from the manufacturer. You simply receive a report at the end of each month showing you what was updated.

Keeping your operating system and critical software updated regularly helps defeat a huge category of attacks.

Why backups are important

In many cases of ransomware, even if the ransom is paid, an average 10% of data is not recoverable. This can add significant costs to an incident through both having to recreate data as well as the lost business and billable hours. Ransomware isn't the only threat that could result in data loss either. Attackers will often maliciously wipe data to cover their tracks, or software can be deleted by an unhappy exiting employee!

Backups and replication of all your data can significantly reduce your costs of an incident and the downtime from ransomware or other forms of data loss.

Recommendations

1. It is important to understand the limitations of "do it yourself" back up programs as well. First, these usually create what are called file backups. So all your Word and Excel documents will be backed up, but the database of your client case management system probably is not. Those programs should have their own back up system in place and you should understand how often they back up.
2. Sign up for a modern backup service that guides you through backing up both documents and critical application files like your client management system. We've included a few reputable ones below.
3. Sign up for the backup service with a work-owned central email address used for this purpose, like [email protected] We have often seen a receptionist or paralegal sign up for the service and leave the company. The notification of failed backups never went to remaining staff, and attorneys lost important files after finding backups had been failing for months, and notifications were going to a deleted email address.
4. While weekly backups are acceptable, we have discovered that most law firms backup daily because losing a week's worth of data can be devastating. You need to determine the optimum backup schedule for your law firm.

A few recommended backup service providers

• https://www.backblaze.com/business-backup.html
• https://www.idrive.com/online-backup-security
• https://www.carbonite.com/products/carbonite-safe-for-small-business

Havoc Shield includes automated business level encrypted and secure offsite backups as part of the service

Backing up your data, and doing so regularly, makes it possible for you to recover from ransomware and other forms of data loss.

The What & Why

Backups are useless if they reside on the same computer or network that gets locked or infected by malware or breached by an attacker. That is why it is important to store backups that are separate and distinct from the hardware that's at risk. Storing backups on the same device also increases the chances that, should that device be compromised, lost, or damaged, the data on it is permanently gone.

Many people think storing backups in services like Dropbox are adequate protection but Dropbox themselves will tell you that you should not store your backups there  because it's a syncing service, not a backup service. Those files are not safe from corruption and may even worsen the scope of data loss.

Recommendations

1. At the most basic level, you can set up an external hard drive to do your weekly backups. An external hard drive is what we called ""Air Gapped"" since the files are only accessible when the hard drive is plugged in. It can not be accessed via the internet unless it is plugged into an internet connected device.
2. The best set it and forget it solutions are backup services that store multiple incremental backup versions, but also encrypt those backups both making it easy to restore those files and to keep them out of nefarious hands. Below is a list of several backup services that may work for you.

• Havoc Shield's cybersecurity program includes a backup service built in at no extra cost for most users.
• https://www.backblaze.com/business-backup.html
• https://www.idrive.com/online-backup-security
• https://www.carbonite.com/products/carbonite-safe-for-small-business

All of these services backup and encrypt your files and have different levels of services depending on what you need. A small one person law office might just need personal backup while a law office with multiple employees might need additional resources. Either way, many of these services can be turned on quickly to start your backup process.

Keeping your backups separate and securely stored off of the computers being backed up makes sure they can't be corrupted or lost themselves.

Why is unsupported software a problem?

Many operating systems and applications will have specific “end of life” dates. What this means is that the company will no longer provide technical assistance, software updates or security patches. Unsupported software is extremely vulnerable and frequently targeted by bad actors.

Microsoft Windows 7 and Microsoft Windows Server 2008 ended support in January 2020 for example, and is no longer providing security updates. These two operating system versions are the most recent “End of Life” software from Microsoft but more “retire” each year, risking security vulnerabilities that are not discovered until later, and not patched thereafter.

• Microsoft’s product lifecycle page that shows all products that are no longer being supported. If your Operating System version is on it, You've got a bit problem!
• Apple's similar update availability page shows all Mac OS operating system versions that have updates available. Apple supports only the three most recent major versions of their operating system, so if you're on an older one, you're at risk!

Recommendations

1. If you use any unsupported operating systems or software, you'll need to upgrade or use a replacement service. For example, if you use Internet Explorer 10, you can either upgrade to Microsoft Edge, or download and install the latest version of Google Chrome or Mozilla Firefox.
2. It's not just operating systems! Check to make sure your versions of critical software such as Microsoft Office and Adobe Acrobat are recent, updated versions. If they're not, it's worth upgrading every year or so.
3. If you can not upgrade or replace specific systems (for example a single computer runs old software that can not be updated), make sure when you dill out the application you define what those systems are, how prevalent they are and what security precautions have been put in place to minimize the risk.

Hackers are always on the lookout for unpatched or unsupported services for them to exploit. In many cases (such as a browser), there is zero cost to use an updated browser.

Using the most up-to-date versions available ensures attackers can't take advantage of security holes in outdated software.

The What & Why

""Phishing"" refers to the practice of attackers sending emails pretending to be from reputable companies that try and get you to either reveal sensitive information, click a link or download a file.

Most malware finds its way into your business by email. Unfortunately it's often difficult to identify malicious emails, as attackers are growing more sophisticated with how they mask attempts to steal your information or get you to install nefarious programs.

Recommendations

You can reduce the risk of falling victim to phishing or other malicious attacks over email by taking a few actions:

1. Use a modern cloud-hosted email service such as Microsoft Office 365 or Google Workspace. These services include several protections such as automatic attachment scanning and phishing protection. On premise or other lesser-known email hosting services often don't include these benefits. Check with your IT team or provider of your service includes attachment scanning and phishing email identification.
2. Train your staff! Attackers depend on your staff not being able to identify the signs of a phishing email such as a suspicious looking link, grammatical mistakes, or the actual email address behind a message appearing to be from someone you know. Havoc Shield provides engaging virtual courses that train your staff on identifying malicious emails. You can also procure or provide your own training.
3. Use antivirus and antimalware protection. Ensure your computer is running a reputable antivirus and antimalware program. Programs included on your operating system are okay for consumers, but we recommend purchasing a business-grade solution like Webroot SMB or Bitdefender. Havoc Shield includes Webroot SMB should you choose to use them.

When you sign up for Havoc Shield, many of these services and products are included in your monthly fee including Business Grade Antivirus with Webroot SMB, virtual courses and even phishing testing to see if your employees get caught.

Having a system in place to protect your email from nefarious senders and malicious attachments is a fantastic first step toward protecting your business and customers.

What & Why

One way malicious actors can trick you is by pretending to be a legitimate company’s email, a practice called “spoofing”. DKIM, SPF and DMARC are technical mechanisms the person or company that hosts your website’s DNS service (usually your host) can use to help stop spoofing. Simply speaking, these records are used to “authenticate” that an email is real, and other email providers check them to ensure as much. If they can’t verify authenticity, then the email is thrown away, protecting both you and the sender being impersonated.

Recommendations

1. Check if you already have email authentication enabled. Send an email from your work account to [email protected]. You’ll get a separate email in return after 30-60 seconds. If it says “pass” next to SPF and DKIM at the top, you’re good to go here. If both don’t say pass, continue reading.
2. Enable SPF & DKIM! It’s a little technical but we’ve put links below to guide you through. When you sign up with Havoc SHield we have tools that walk you through setting these up as well as helps with the in tasks if you need help.
3. DMARC is a bit more advanced but offers a lot of additional spoofing protection by instructing email providers what you’d like them to do with emails that impersonate you. Check if it’s enabled here - https://mxtoolbox.com/DMARC.aspx - and if it isn’t, sign up for Havoc Shield for help.

Microsoft 365

• Enabling SPF
• Enabling DKIM

Google Workspace

• Enabling SPF
• Enabling DKIM

Authenticating your email helps reduce spoofing attempts and protects your brand and customers.

Why is RDP such a risk?

Windows Remote Desktop was one of the leading causes of Cyber Incidents in 2020. RDP, when improperly configured, allows the outside world to access your systems and can result in a breach should attackers successfully guess your login. Many tools exist to automatically ""brute force"" guess logins over RDP, and to target networks that have RDP ports open, exposing you to significant risk.

In particular, many times Windows remote desktop is set up with just a simple user name and password. If you access your computers in the office by just “clicking a link”, then you are probably exposing that device to the outside world and are at higher risk.

Recommendations

There are a variety of tools to help with securely providing remote access to computers and servers. Fr smaller organizations without significant IT resources, we recommend using one of the services below. These services allow you to disable the RDP ports and service, while still providing remote access, and are cost effective solutions to help minimize this significant risk.

https://get.gotomypc.com

https://www.remotepc.com

If your company uses the remote desktop feature in Windows, find out if it is protected using a VPN and multifactor authentication. Understand without these security mechanisms in place and the feature active, most cyber insurance companies will deny coverage.

Don't know if the remote desktop feature is active? How do I disable it?

First, follow these steps on your work computer. Next, you'll want to ensure the RDP port on your network is not open and attracting attackers. Signing up for a Havoc Shield trial at the end of this fitness check will get you a network scan that will reveal any open ports, including those used by RDP.

Disabling remote desktop and using a more secure service helps ensure your data and systems can't be easily accessed from the outside.

What & Why

Encryption is a great way to protect sensitive client data, especially data that resides under attorney client privilege. Given the sensitive nature of an attorneys role, encryption is one way to reduce the risk of data exposure and your liability. If encrypted files end up in a bad actor's hands ...and that can happen in a lot of unfortunate ways... then it'll make it much harder for them to extract any value out of the data.

Recommendations

1. Enable disk-level encryption on your computers. This will make it hard to extract useful information if a PC is lost or stolen. For Windows 10, enable BitLocker encryption. For Mac, enable FileVault. Either you or your IT administrator can turn these protections on.
2. To send encrypted email, if this is something you would like, you could procure a service such as Paubox. This service makes it possible to ensure sensitive information sent via email can't be easily accessed if the email is intercepted by a malicious actor without requiring advanced configuration or out-of-email actions by your recipients.

Sign up for Havoc Shield, and get disk encryption as well as email encryption done for you through one Platform.

Using encryption features on your computers and email keeps your private information safe from prying eyes.

What & Why

Your computers have various user permission levels. As you can imagine, an Administrator can install software and make settings changes, while normal users may not be able to install software or make sensitive configuration changes. This protection mechanism means only a small group of people in your firm can undertake sensitive actions such as installing a new program or removing an existing one.

If a normal (non-administrator) user cannot install software on your computer, that means a hacker will also have a harder time installing software or not be able to as well. That's why it is important to restrict those privileges to specific trusted users, usually the IT providers, either internally or external.

Recommendations

1. If you handle everything yourself, you might want to set up a non-administrator account for everyday use. That way, your administrator account is only used for patching and adding software. Use a different password for that account and keep it safe. You can find out how to add an administrator account and change your current user to a normal account here for Windows and here for Mac.
2. If your computers belong to a directory, such as Active Directory or LDAP, make sure group policy settings disallow installing software or making most configuration changes to all but a small set of sensitive users. Make sure those users also follow the policy of setting up a separate administrator account as well!

Using a non-administrator account as your daily login makes sure it's harder for attackers to use your account if it's compromised to cause further damage.