How Law Firms Can Benefit from a Cyber Risk Assessment
by David Lee, Director, Aon Attorneys Advantage
With the entire world going digital, it’s no wonder the World Economic Forum (WEF) claims cyberattacks are the single biggest threat to business owners.1
The biggest single obstacle to reducing cybercrime costs is our own complacency. “It’s not going to happen to me.” Despite daily news reports about cyberattacks against organizations large and small, business owners like to believe cyber intrusions only happen to other people.
Nothing could be further from the truth. Everyone, including law firms, is at risk. FBI Director Christopher Wray wrote:
“The days of wondering if you’re going to be the next victim are gone. Now it’s a matter of how often you’ll get hit, and how bad it’ll be. Every company is a target. Every single bit of information, every system, and every network is a target. Every link in the chain is a potential vulnerability.”2
What can law firms do to help protect themselves? Cyber experts claim that taking basic actions like getting a Cyber Risk Assessment can help reduce your exposures by as much as 80%.3
What is a Cyber Risk Assessment?4
Imagine a hacker scanning your law firm’s digital presence. What are your weaknesses? Where are you exposed? Does your cybersecurity have any flaws? Have any of your login credentials been compromised? Is any of your firm’s data for sale on the dark web?
The Cyber Risk Assessment provided by the Aon CyberBusinessPro℠ insurance carrier, Coalition, uses publicly available information to:
- Scan infrastructure of publicly accessible servers, services, & technology
- Discover exploitable vulnerabilities & misconfigurations in the scanned infrastructure
- Find exposed, publicly available user/employee information
- Uncover existing threats hidden on the dark web
- Note proactive measures already taken by the company
You receive a detailed report containing an analysis of your current cyber risks and recommendations you can use to:
- See how your firm’s defensive security posture compares to similarly sized law firms
- Assess potentially weak security areas, and learn the steps necessary to fix them
- Further secure your infrastructure based on actual losses experienced by Coalition policyholders
Potential Vulnerabilities Addressed in Assessment
Attacks against remote access points are a leading cause of data breaches. Criminals routinely scan the Internet for such access points and use brute force password attempts or compromised credentials as a means to gain unauthorized access to a company's network.
Approximately 80% of email intrusion incidents happen because of weak or stolen passwords. One of the most effective methods to mitigate risk of an email-based cybersecurity incident is to enable Multi-Factor (or 2-Factor) Authentication. Policyholders that implement Multi-Factor Authentication on business email receive a cyber insurance premium reduction.
The assessment provides a snapshot of your firm’s vulnerabilities and recommendations on how to resolve each.
Actively Exploitable Vulnerability
Common Vulnerabilities and Exposures (CVEs) are known vulnerabilities in a piece of software. Part of the carrier Coalition’s underwriting process is to look for the presence of exploitable vulnerabilities on firms’ systems to help assess how vulnerable a system is to certain kinds of cyberattacks. In most cases, these vulnerabilities can be eliminated by simply updating computers and servers.
Enable Domain-based Message Authentication, Reporting & Conformance (DMARC) E-mail Protection
Firms can configure DMARC in minutes to help prevent phishing attempts and spam. Properly configured DMARC/DKIM records can help ensure that only authorized systems can send email on behalf of a firm.
Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Encryption
A firm will receive information about whether it should consider implementing SSL/TLS encryption on its websites, thereby forcing all traffic over HTTPS to protect information transmitted through the company's web application.
Exposed Usernames & Passwords
Coalition's intelligence platform collects information from past data breaches, hacker forums, and other dark web sources to determine whether an organization's data, including employee login credentials and other sensitive information, have been compromised in third-party data breaches.
Exposed Personally Identifiable Information
Personally Identifiable Information (PII) is any kind of data that can be used to recognize someone's unique identity. This sensitive information can be used by would-be hackers to impersonate employees to create more believable messages for phishing attempts. PII may include:
- Names, addresses and dates of birth
- Email addresses and passwords
- Phone numbers
- Education levels, occupations
- Employers, job titles
- Ethnicities, family structure
- Financial investments, net worth
- Credit card data
- Home ownership status
- IP addresses
- Income levels
- Marital statuses
- Personal interests
- Social media profiles
- Spoken languages and more
Coalition’s Recommendations May Include:
- Enabling Distributed Denial-of-Service (DDoS) Mitigation
- Enrolling in Security Awareness Training
- Implementing a Password Manager
- Implementing Service-Based Anti-Phishing Software
- Enabling Registry Lock
- Enabling Domain Name System Security Extensions (DNSSEC)
- Creating a security vulnerability disclosure program
Discovered vulnerabilities will not increase your premium, but resolving them may help reduce it.
Noted Proactive Measures
In addition to assessing a firm’s cyber risk, Coalition also collects and analyzes protective actions and controls implemented to mitigate such risk. This information is used for the purposes of assessing a firm’s ability to detect and mitigate risks, as well as for the purposes of applying insurance discounts.
How do I Receive a Free Cyber Risk Assessment?
You automatically receive Coalition’s Cyber Risk Assessment when you request a quote for Aon CyberBusinessPro. To receive the assessment, your firm must have a website.
When you initiate a policy, Coalition continuously monitors your firm for potential threats. You’ll receive access to an online dashboard that allows you to monitor your firm’s current threat level, and you’ll have the tools at your fingertips to repair potential vulnerabilities.
When you initiate coverage, you’ll have 24/7 access to Coalition’s cyber experts. They’re available 365 days a year to answer questions, assist with remediation efforts, and help with claims. To receive your free Cyber Risk Assessment and Aon CyberBusinessPro quote, please call 800.695.2970 or visit www.aoncyberAA.com.
1. Marc Wilczek, “Why Cyberattacks are the No. 1 Risk,” InformationWeek IT Network, January 15, 2019.
2. Christopher Wray, “The FBI and Corporate Directors: Working Together to Keep Companies Safe from Cyber Crime,” Federal Bureau of Investigation, October 1, 2018.
3. “29 Must-know Cybersecurity Statistics for 2020,” Cyber Observer, 2020.
4. To receive a Cyber Risk Assessment from Coalition your law firm must have an external website.
Aon CyberBusinessPro℠ is a service mark of Aon Corporation. Coalition, Inc. is the exclusive administrator.
This document provides summary information only. Insurance coverage is subject to specific terms, limitations and exclusions, and may not be available in all states.
Aon Affinity is a licensed insurance producer in all states (TX 13695), (AR 100106022); operating in CA & MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services Inc.; in CA, Aon Affinity Insurance Services, Inc. (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency; and in NY, AIS Affinity Insurance Agency.