If you don’t know where it is, you can’t protect it.
Do you know where ALL your organisation’s data is – not physically, but on which web and cloud services?
Here’s the problem. If you don’t know where it is, then you can’t protect it. The secondary problem is finding out, because not everyone in your organisation will be on board. It is common for people to sign up to web services because they offer something useful that helps them do their job.
They sign up using their email address and create a password. There is the first headache – how does anyone track what has been signed up to across your organisation, let alone who has access to it? If that person leaves, no one will change the account credentials if they don’t know about the account, but your ex-colleague still has access.
Secondly, what data do they upload? Is that data that you have a legal or moral responsibility for?
There’s nothing noble about Nobelium.
This isn’t theory – it’s real. USAID is a pretty important US organisation – promoting democracy and human rights around the world. Turns out, someone there was using a well-known email database tool called Constant Contact. But their account wasn’t well protected. Worse still, their account had a huge mailing list set up, and of course, it had all the official USAID templates.
So, these Nobelium people, allegedly a Russian state-sponsored hacker group, compromised the Constant Contact account and sent a bulletin out. The bulletin contained malware that allowed the hackers to take command and control of victims’ computers. Ironically, the fake email alleged interference in the US federal elections.
So, what can you do?
The first step is knowing what SaaS tools your people are using. We call this SHADOW IT and it is inevitable. Rather than stopping it, the job IT has is to identify it and manage it. The second step is to secure those platforms. That’s why our KARE for Security S2 plan contains a useful tool to help you identify what services your people are using.
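As an added example (not part of the original post and not the KARE plan’s tooling), here is what that first step can look like in practice: a minimal shadow-IT inventory built from constructed web-proxy log lines, listing which catalogued SaaS platforms are in use without being sanctioned and which users touched each one. The log format, the SaaS catalogue and the sanctioned list are all assumptions.

```python
"""Shadow-IT discovery from web-proxy logs (added example, not Kinetics' tooling)."""
import re
from collections import defaultdict
# Constructed sample proxy log lines: timestamp, user, destination host, HTTP status
SAMPLE_LOG = """\
2021-05-28T09:12:01Z alice app.constantcontact.com 200
2021-05-28T09:13:45Z bob login.microsoftonline.com 200
2021-05-28T09:15:10Z carol app.constantcontact.com 200
2021-05-28T09:20:33Z alice files.dropbox.com 200
2021-05-28T10:02:07Z dave www.nzherald.co.nz 200
2021-05-28T10:05:59Z bob app.constantcontact.com 401
"""
# SaaS the firm has sanctioned (assumption: maintained by IT)
SANCTIONED = {"microsoftonline.com"}
# Curated catalogue of SaaS platforms worth inventorying (assumption), keyed by registrable domain
SAAS_CATALOGUE = {
    "constantcontact.com": "Constant Contact",
    "dropbox.com": "Dropbox",
    "microsoftonline.com": "Microsoft 365",
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")

def registrable_domain(host):
    """Collapse a hostname to its last two labels. Good enough for this catalogue;
    a real deployment should use a public-suffix list (e.g. nzherald.co.nz -> co.nz here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def discover_shadow_it(log_text):
    """Return {service: sorted users} for catalogued SaaS seen in the log but not sanctioned.
    Every hit counts, including failed logins (401), because a sign-up may be in progress."""
    users_by_service = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        domain = registrable_domain(m.group("host"))
        if domain in SAAS_CATALOGUE and domain not in SANCTIONED:
            users_by_service[SAAS_CATALOGUE[domain]].add(m.group("user"))
    return {svc: sorted(users) for svc, users in users_by_service.items()}

def services_for_user(inventory, user):
    """Services a (departing) user touched: the accounts to revoke or re-key when they leave."""
    return sorted(svc for svc, users in inventory.items() if user in users)

if __name__ == "__main__":
    for service, users in discover_shadow_it(SAMPLE_LOG).items():
        print(f"{service}: {', '.join(users)}")
```

Run against real proxy or DNS logs, the per-service user list is also the leaver checklist the post describes: when someone departs, `services_for_user` shows which unsanctioned accounts need their credentials changed.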
Refer: What We Know About The Apparent Russian Hack Exploiting USAID (NPR)