Risk Assessment When Working From Home

It seems like we are getting back to some kind of normalcy with more and more people going back to the office. However, there are still many people working from home.

If you’re in this situation and you have an employee working from home, don’t let your guard down. From a risk management perspective, that person still needs to be supervised, have adequate protection on the computer, printer and scanner that they are using from home.

If they’re remotely accessing your system, make sure their passwords are strong and are changed on a routine basis.

Regular meetings should be conducted by telephone and or zoom type calls. This helps keep everyone connected and on the same page when it comes to the firm’s workflow and processes.

These meetings don’t have to be hours long, nor do they have to be every day, but they should be completed on a consistent and routine basis. So no one gets left behind in the workflow.

Hopefully, this soon will all be a distant memory and we will be back in that office routine. But until then, again, don’t let your guard down when it comes to your offices and your clients’ protection.

How Can Ransomware Affect My Law Firm?

What is ransomware?

With the multitude of ransomware attacks that have been in the news recently, we’ve been receiving various questions surrounding this topic.  So, we wanted to clear up any confusion on this topic.

First of all, what is ransomware?

As the name suggests, it is software that can hold your individual computer or your business’ entire system for ransom.  A cyber thief will take control of your network and not relinquish control until you have paid the requested amount.

According to Chainanalysis, which is a blockchain research firm, ransomware attacks are up over 340% in the past year.  Over $400 million dollars have been paid in ransoms.

The average ransom amount has been on the rise over the past few years.  In 2021, the average ransom requested is over $50,000.

Naturally, this leads us to the question of “How does ransomware get on your computer or in your network?”

The most typical way hackers accomplish this is via phishing emails.  These emails will pretend to be from an authoritative entity, like your bank or PayPal.  In reality, they are just posing as them and hoping to get you to enter your username and password into an online form that they created.

Now, according to security company SecureAuth, more than 50% of people use the same password for multiple accounts.  Thus, if a hacker can get one username and password combination from you, there’s a 50% chance that it can be used for all accounts that are associated with you.

Another common way that a ransomware attack occurs is through tricking you or your employees into downloading a piece of malicious software.  The download could appear to be a pdf or some other innocuous file type.  Once it’s in your system, it works like a virus.  It will lock everyone out and demand a payment.

What happens if you refuse to pay?

If you choose not to pay the ransom, there are a few different scenarios that could happen.

Scenario 1 – They move onto the next victim.  This is the best-case scenario and leaves you in a position of having to restore your system.

Scenario 2 – They discover that you won’t pay, so they leak private information about you or your clients online.  Depending upon what type of data you store, this could prove to be a huge blow to your reputation.

Scenario 3 – They discover that you won’t pay, so they decide to make their money a different way.  They sell the private data of you and your clients on the dark web.  Again, depending upon what type of data you have, they could make more money this way than if you decided to pay.

So, how can you protect yourself and your business from this type of attack?

There are 5 very clear steps for you to take to accomplish this goal.

Step 1 – Make sure that your entire system is backed up nightly offsite and off-network.  You should retain at least 2 weeks of full backups (or a month if you have the digital space).  This way, if the code doesn’t attack right away, you have the option of multiple data sets.

Step 2 – Have a plan in place for restoring from a backup in 24 hours or less if possible.

Step 3 – Train your employees to recognize cyber threats in all forms.  There are many cyber training programs available that will send tips, tricks and quizzes on a monthly basis.

Step 4 – Keep your antivirus and firewall software up to date.  You will see some added protection if you get your employees to use a VPN as well.

Step 5 –No system is impenetrable and many times, human error is the cause.  Purchase a standalone cyber insurance policy to guard against this.  Most cyber insurance policies cover this type of attack and provide the support to get you back up and running smoothly.

Have questions about any of these steps or how to purchase a cyber policy?  Contact INF at 412.563.2106.  We can get you a policy in less than a week!

Having Trouble Getting Gas?

protectin your law firm from cyber attacks

Having trouble getting gas recently? I think we’ve been pretty fortunate in Pennsylvania in that the pipeline shutdown did not hit us too badly.

It does, however, drive home the point that if you haven’t purchased a standalone cyber policy, or at least considered it, you should. Cyber attacks have been on the rise in all sizes and types of industries and professions.

Some of the legal malpractice policies, perhaps even yours may include cyber coverage. Although it is a nice feature and benefit to have in the policy, it usually is nowhere near enough coverage. The limits are usually sub limits lower than your aggregate policy limit. The coverage is limited in scope, and it can dilute the insuring agreement.

Don’t get me wrong. Any added benefits in your insurance policy is usually a good thing. But don’t depend on ancillary coverage to protect your firm and your clients data. You should look into obtaining a standalone cyber policy.

How To Identify Malicious Email Attachments

Malicious email alert

Do you know that more than 50% of cyber attacks are due to employee error and negligence, and part of that negligence and errors are due to the opening of malicious attachments, and the employee’s inability to identify a malicious attachment? Well, I’m here today to give you a few tips on how you and your employees can identify those malicious attachments. 

One, always listen to your malware alert. If your email service or your antivirus software tells you not to open the attachment, don’t open the attachment, listen to it! 

Two, check out the message. Do you know who actually sent you the attachment? If you don’t know who sent you the attachment, maybe it’s best not to open the attachment. Does the email content actually look normal? Or look like most of the emails that you get? Is it jumbled? Are there misspellings? Is your name misspelled in it? Those are pretty good signs that the attachment is in fact malware. 

Check out the attachment file extension. If it is a .exe, don’t open it. That’s an executable file and you do not want to open it in your email. Other attachment file extensions that are most likely malware are the .docm extension, the .xlsm extension and the .pptm extension. If you see those, I wouldn’t open the attachment. Just be careful and think twice before you open any attachment. 

And lastly, always, always make sure that your antivirus software is up to date and current.

What Factors Influence the Price of Life Insurance?

The first few things that are taken into consideration are your age and your gender. 

Beyond that, the big factor is whether or not you use tobacco. Someone who uses tobacco in any capacity is likely going to pay a higher premium than someone who doesn’t. 

Beyond tobacco use and your age and gender, your health history does play a role. 

If you suffer from any sort of a terminal illness, you likely will not qualify for life insurance. On the other end of the spectrum, if you’re very healthy, you should qualify for a better rate.

What is Privacy Regulatory Claims Coverage and Why is it Important?

What is privacy regulatory claims coverage in a cyber liability policy?

Wow. That’s a mouthful.

The regulatory coverage in a cyber liability policy actually pays for and protects you against the fines and sanctions that may be levied against you from state, local and federal governments for not properly ensuring the data that you’re responsible for.

Don’t get caught, make sure this coverage is in your cyber liability policy.

Does Your Insurance Policy Cover RON services?

Does your business include providing notary services for your clients?

If it does, you may have a potential coverage gap in your errors and omissions insurance policy.

In the times that we live in today with the COVID virus in the state mandated social distancing rules and regulations, the notary industry has come up with what they call RON services, remote online notary services. This basically allows the notary to perform notary reacts without the signer of the documents physically appearing in front of the notary. And while this may be a great thing to do now, during these times, it does pose insurance concerns and coverage issues.

Most errors and omissions policies which cover notary acts contain an exclusion or exclusionary wording that prohibits a notary act without the signer of the documents physically appearing in front of the notary.

Well, if you are notarizing a document online, obviously the signer of the document is not physically in front of you. What do you do?

I suggest that you call your insurance broker that sold you your errors and omissions policy and have him or her confirm with the insurance carrier, that the RON services will in fact be covered under your policy.

We at Integrity First Corporation have called all the carriers that we deal with for the errors and omissions coverage and they all have answered positively with regards to the remote online notary services. They have confirmed that the policies will respond to the RON services provided that those services have been done in accordance with the state approved guidelines and regulations.

So again, you need to do the same. Call your broker and confirm that coverage does exist for these types of services in your policy.

3 Tips on Keeping Your Business Data Safe While Working from Home

Hey, in these crazy times, as employers, we all have employees working from home…and although I’m not going to be able to give you advice on where to go for a good haircut, I am in a position to be able to give you three pretty good tips on how to keep your business information safe when your employees are working from home.

Do They Have a SECURE Internet Connection? TIP 1

First thing you need to do is make sure that your employees actually are working from a secure internet connection from their house. They really should be working with a WPA2 connection. And I think most people have that nowadays at their houses.

But there are some older systems that are still out there being used and they’re using a WEP key, which is not very secure. So, you want to make sure that that they’re not using that.

Do They LOCK Their Computer When They Leave It Unattended? TIP 2

Second thing – Make sure that when your employees are working from home, that they still actually lock their computer when they are done for the day (or even leave the room)…so your business data is safe. The mere fact that they’re working from home and not in your office doesn’t mean that the information that they’re working with can’t be stolen or mistakenly sent to somebody.

I mean, a lot of us have little kids running around and who’s to say you get up and leave, little Johnny comes and starts tapping on the computer keys, and says “Can I get on Facebook?”

Next thing you know all of your business information is sent to little Johnny’s 150 closest friends. You don’t want to get into that situation.

Do They Have a Separate Work Computer? TIP 3

Lastly, make sure that you give your employees their own computer to work from home.  Don’t expect or ask your employees to use their personal computer to do your work. You want to keep church and state separated, so to speak. When they’re working on your business, you want to make sure that they’re using your computer. You don’t want them paying their personal bills on your computer or your business bills on their personal computer…it just doesn’t mix. Not a good thing. We at INF hope these tips help you out.

‘Tis the Season for Cyber Security

02J68283

As the holiday season draws near, so do cyber criminals.  With more and more people shopping online, the number of potential cyber breach victims increases every day.  In fact, Adobe is predicting that Black Friday 2017 will see the highest sales ever on record.

So, without completely withdrawing from the online world, how can you protect yourself and your business online?  Try applying the following tips:

Make sure that you are on the website that you think that you are on

One of the most common ways to scam your username and password or credit card information from you is to send you to a fake website that looks very similar to the website that you are expecting.  An example of this is paypal.com versus paypa1.com.  Note that the only difference is the “L” at the end of the first one and there is a “1” at the end of the second one.

To get you to these fake sites, scammers will send you an email that directs you with a bogus link.  One way to see where the link is taking you is to hover over it with your mouse.  The website address will popup.  If the link is bad, block the email sender and move the email to your “SPAM” folder to prevent receiving emails from that person in the future.

One way to confirm that you are visiting the website that you want is for you to type the website into the address bar.  This way, you know that you are not following any false links and you arrive at the correct website.

Don’t fall for holiday phishing schemes

On Black Friday 2017, retailers sent over 3 BILLION emails to consumers, advertising their best deals and sales.  This day was also filled with scammers sending out tons of emails, pretending to be a retailer.  They were taking advantage of the fact that consumers were expecting to receive these emails and may not have questioned them as much.  This is known as phishing and its main purpose is to collect as much personal information about you as possible.

Commonly, phishing emails will try to direct you to a login page or a payment page.  They want to get your information as quickly as possible without you questioning the validity of the site.

A few ways to identify phishing schemes:

  • The “From” field display name is a store or bank.  However, when you click into it to reveal the full email address, it’s an address not related to that entity.
  • The email has graphics that look “off” or “fuzzy”.  Sometimes, to make the fake email look more legitimate, a scammer will copy the graphics from a store or bank from their website, which are not a high resolution.  As a result, when they are placed into an email, they look wrong.
  • When you hover over the link that the email wants you to visit, it is not pointing to the website that it claims to be sending you to.
  • Check for spelling mistakes and bad grammar.  Legitimate companies are sticklers when it comes to spelling and grammar.  If the email sounds poorly written, there is a good chance that the email is not legitimate

Check for an SSL certificate upon checkout

When you check out online, you want to make sure that there is an SSL certificate in the address bar.  You should see that the web address starts with “https://”.  Normally, there will be a lock image next to the address or the whole bar will turn green.

An SSL is important any time that you are entering financial information or passwords.  This encrypts that information and keeps it private from anyone that may be watching your transaction.

Create a strong password (and don’t use the same one) for your customer (and business) accounts

Your customer accounts for stores and banks should be protected by a strong password.  The company can have the best security measures and encryption in place, but if your account has an easily guessed password, none of that matters.

A strong password is 12 characters or more and contains at least one of each of the following:

  • Uppercase letter
  • Lowercase letter
  • Number
  • Symbol

You also do not want to use the same password for all of your accounts.  This is because if one of the accounts is hacked, the hacker now has the login information for all of your other accounts and they WILL check this immediately.

The average American has over 60 online accounts that they have to remember, so look into a good password manager to help you maintain the information.  Not only will the password manager help you remember all of your login information, but it will help you create secure passwords.

Some highly rated password managers include KeePass, Dashlane and LastPass.  Check out this article from PC mag for more information on the top password managers of 2017: https://www.pcmag.com/article2/0,2817,2407168,00.asp

BONUS: Turn on two factor authentication where possible

Two factor authentication (TFA) is becoming more prevalent as hackers become more savvy and have access to greater computing power.  TFA uses not only your username/password, but one other means of verification before you have access to your account.

This is now commonly available with banking and credit card websites.  When you turn this on, after you sign in with your username and password, they will ask if you want to receive a text or email for secondary verification of the account.  Once you make your selection, they will send a one-time only code to the phone number or email associated with that account, which you then have to enter to gain access.

This is helpful because even if someone had your password, they would still need access to your email or phone to be able to access your account.  If TFA is available to you, INF recommends turning it on to better protect yourself.

Have a safe and secure holiday season from INF!

Smart Risk Management for Law Firms: Be Prepared – not just for boy scouts anymore

Businessman using mobile phone outside courthouseI don’t know any attorneys that want to get sued by their client.  However, not all law firms are taking the proper steps to prevent this situation from happening.  In order to protect both your firm AND your client, you should employ multiple risk management techniques.

What is risk management?

Risk management is a set of policies and procedures that a law firm should have in place to reduce or eliminate risk issues.  Not only will you be protecting yourself and your clients, but you should receive a credit from your lawyers professional liability insurance carrier for employing these techniques.

How should risk management be taught?

Frequently, firms hold seminars for their employees to review office procedures and information specific to the firm.  Outside training can also be implemented in the form of webinars or guest speakers.

Your staff may interact with your clients as much or more than you do.  Don’t forget to train everyone!  According to the latest Verizon security report, 51% of data breaches are caused by the people within a company.  Make sure that they are familiar with your policies and procedures that you have in place.

Business team in the office

Important risk management policies for law firms #1 – Take the right cases

A common cause of malpractice is taking a case that your law firm is not qualified for or does not have the resources to handle.  You have to look past the dollar signs of a case and ask yourself, “Is this the best case for me and the firm?”  Create a policy that helps you walk through the details of a case to ensure that you are well-versed in the area of law it concerns as well as having the resources that it may require.

Important risk management policies for law firms #2 –Dealing with Departing Attorneys

Redundant Businesswoman Leaving Office With Box

If an attorney is departing your firm, make sure that an exit interview is conducted and that the proper steps are taken to remove them from your firm.  Make sure that you are aware of all cases that he/she was working on and any open issues.  Create a policy that outlines the following:

  • What are the important questions to ask in the exit interview for my firm?
  • Who should be assigned any work that is not completed?
  • What materials can the departing attorney take if they are allowed to take clients with them?
  • How can they be removed from your letterhead?
  • How can their access to your computer system be eliminated?
  • How does your firm contact your professional liability insurance carrier to let them know the date of attorney departure?

 

Important risk management policies for law firms #3 – Hiring a New Attorney

When you hire a new attorney, make sure that they go through your complete hiring process.  Make sure that they are everything that they claim to be.  Create a policy that outlines the following:

  • Ensure the new attorney is proficient in your firm’s areas of practice.
  • Why are they leaving their current firm? Was there a performance issue, were they a product of downsizing or are they looking for more opportunity?
  • Complete a conflict of interest check with the new attorney and all of the firm’s existing clients. The last thing that you want to do is to bring on a new lawyer and find out a few months later that they have a conflict with one of your biggest clients!
  • Make sure that they are comfortable with your firm’s risk management procedures.

 

Important risk management policies for law firms #4 – Dealing with Unhappy Clients

Clients are the lifeblood of any business.  An unhappy client can lead to bad reviews online, refuse to pay their bill, sue you for malpractice and many other things that can negatively impact your business.

One telltale sign that a client is unhappy is if they ask for a complete copy of their file after services have been rendered.  Another is if they tell you that they are unhappy with you or with the result of their case.

If you notice signs that your client seems to be dissatisfied, sit down and have a conversation with them to try to resolve the issue.  Sometimes, it is just a matter of explaining a legal process that they may not be familiar with.  Once they know why you chose to handle a situation in a certain way, it tends to alleviate their fears.

A common source of client dissatisfaction is lack of communication from the attorney to the client.  This can be solved by the attorney and the client setting up a communication timetable and sticking with it.  If you, as the attorney cannot meet the timetable during the representation, have your assistant or paralegal contact the client with an update.

Confused businessman with a calculatorAnother source of client unhappiness may stem from billing issues.  You are much better off to bill frequently instead of sending one large bill at the end of a case.  Smaller bills with detail help explain to the client what you did and act as an update to the case.  If you wait and send one “final bill” a client may forget how much work you performed and feel the bill is unreasonable.  Additionally, sending incremental invoices will help you get paid quicker.

Important risk management policies for law firms #5 – Docket Systems are CRITICAL

Agenda

If you look at claims that arise against lawyers, one of the most common alleged mistakes is a blown statute.  This is a result from your calendaring system not being used on a regular basis or not being used correctly.  Generally, LPL insurance carriers require that a firm have at least two docket systems with one of them being computerized.  Back up of this system should be on a daily basis.  Create a policy for your firm that details what type of docket systems your firm will use, how often they should be updated, how often they should be backed up, and who in the firm is responsible for maintaining the systems.

For more information on risk management or help creating/implementing these policies and procedures in your law firm, contact Donald Ivol at INtegrity First Corporation today!