Category: Disaster Planning and Recovery

Disaster Planning, Prevention and Recovery — Free Seminar

I am pleased to let you know that the Greater Philadelphia Professional Council will be presenting a seminar on Disaster Planning on Wednesday, March 19, 2014.  Registration and a free breakfast run from 7:45 to 8:30 am.  The seminar will run from 8:30 am to 10:00 am.  There is no charge for the seminar, but pre-registration is required.

It will be held at the Hilton Garden Inn in Fort Washington, PA.  I will be one of the panel members.  Additional information and registration are available by emailing info@gppcouncil.org.

I hope to see you there!

Cyberattacks on U.S. Banks – Are You Safe?

McAfee warned of this months ago, and their predictions are coming true.  U.S. banks are under attack, as are some cloud providers.  The attacks are more massive and organized than ever before.  An article in CNet News on December 13, 2012 revealed that a report released by McAfee Labs predicted an impending attack on U.S. financial institutions — dubbed Project Blitzkrieg — was a “credible threat.”

Project Blitzkrieg is believed to be headed by an individual known as vorVzakone, according to McAfee. In September, vorVzakone announced a massive fraud campaign to be launched against 30 U.S. banks in spring 2013. VorVzakone also put out a call to arms for fellow hackers to join his cause. The attacks are said to be done with a highly developed Trojan that could infect victims’ computers, plant software, and allow cybercriminals to steal information and money.

Rather than being a sweeping attack, McAfee said the campaign will selectively target accounts at investment banks, consumer banks, and credit unions. Going after selected groups makes it easier for vorVzakone to stay under the radar and not be detected by network defenses, according to McAfee.

The attack was expected to hit hard in spring 2013.  But it looks like plans have moved up a bit, and are not being executed as predicted.  A January 10, 2013 article in the Philadelphia Business Journal carried the title “PNC, Wells Fargo Cyberattacks Work of Iran, U.S. Believes.”  The real story is based on a January 8, 2013 article in the New York Times entitled “Bank Hacking Was the Work of Iranians, Officials Say”:

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks. . . . But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems.

Iranian officials emphatically deny any connection with the attacks.  However, the attackers allegedly stated last week that they had no intention of halting their campaign. “Officials of American banks must expect our massive attacks,” they wrote. “From now on, none of the U.S. banks will be safe.”

I don’t know what I believe about who or what is behind these attacks.  I do believe that the threat, no matter the source, is very real.  Thus far there has been no theft; simply a consistent disabling of the banks’ ability to service online customers.  However, I have no doubt that this is camouflage designed to distract security professionals from the eventual real consequences of these attacks, which have the potential to create havoc with the assets of individuals and businesses.

What do you need to do?

  1. Be mindful of the insurance limits which apply to all of your combined accounts.  (Excluding IOLTA.  See “Unlimited FDIC Insurance on IOLTA Accounts Due to Expire” for further details about this issue.)
  2. Make sure that you are not dependent on online banking for essential transactions.  Even if you do your deposits and bill paying remotely, have good old-fashioned deposit slips and checks handy.
  3. Be sure you print out your monthly statements if you do electronic review.  You may need to access your information quickly at a time when your financial institution is trying to clean up a mess.  Those with an audit trail of their own will always fare better.
  4. Be careful about where you conduct your business.  Never log onto your secure encrypted accounts from a public computer, or over a public WiFi connection.
  5. If you don’t have a password on your smartphone, netbook and/or tablet, put one on immediately.  Yes, I know it’s a pain that after 3 – 10 minutes of idle time you have to put in a password to resume work.  On the other hand, no one can pick up your device when you’re not looking and find your autologin information for your bank!
  6. Be especially wary of any so-called email communications from your banking institution asking you to log on and reset your password, enter your SSN, or provide other sensitive information, especially if they provide you with a link to do so.  Verify the legitimacy of the request by calling the institution on the phone before clicking on the link.  Nowadays sophisticated fraudsters create web sites that are so close to the real thing that they can fool most people into entering sensitive information.

These are just a few quick thoughts to get this issue on your personal radar screen.  I encourage you to add your thoughts in terms of what we need to do to protect our firms, ourselves, and our clients.

Law Firms and Disaster Recovery

Following disasters such as Hurricane Sandy, community residents struggle to get back on their feet.  They are in need of all sorts of assistance, including legal services.  Will you be one of those who step up to the plate?  Sure, you probably already have a ton of your own issues to deal with.  But at times like this I am reminded of Bradford County lawyer James R. Carroll Jr., who received special recognition at the May, 2012 Pennsylvania Bar Association Annual Meeting.  The Special Achievement Award was an acknowledgement of the extensive legal assistance he provided pro bono at Red Cross shelters and at Federal Emergency Management Agency and Pennsylvania Emergency Management Agency relief sites to victims of Hurricane Irene and Tropical Storm Lee flooding the previous fall.

I had the pleasure of speaking with attorney Carroll after the award was bestowed.  He was so self-deprecating about the significance of his contribution to the community.  As he tells it, his office was destroyed by the flood.  He was “camping out” at FEMA and PEMA sites while he attempted to get his law practice back in operation.  It just so happened that he managed to take time to assist hundreds of individuals he encountered at those sites with urgent legal needs.  I’m sure that no one in the community who was assisted by him will ever forget him.  And I have no doubt he made an impact on their lives with his assistance.

If you’re thinking of helping out, you will no doubt have questions.  So you may want to look at the Allegheny County Bar Association’s Disaster Legal Assistance Manual for Volunteer Attorneys, which is available here.

One concept I have learned over several decades of providing law practice management assistance is something called the window of opportunity.  That is the brief period of time when the lawyers in a firm are “open” to discussing whatever issue they have been avoiding for some time.  It doesn’t matter whether it is about new computers, lateral hires, or a disaster recovery plan initiative.  The simple fact is that lawyers will prioritize their management time and budget dollars based on their own priorities and desires, usually without regard to what “non-lawyers” think is more important.  So when the time finally arrives when they are actually open to hearing what you have to say — usually prompted by some outside influence — one has to be ready with all the facts and information, and leap through the window with it in hand, before it slams shut again.

I’m willing to bet that given the events of this past week, the window of opportunity is open to discussing creation of a disaster recovery plan for your firm.  Most PA firms have experienced sufficient “pain” to realize this should be on the priority list.  Hey, I’ve been on the soapbox about this for the almost 14 years I’ve been with the Bar Association.  And before that when I privately managed firms.  It took a 500 mile long storm with 80+ mph wind gusts, followed by days without electric power, to get your attention at long last.  Better late than never.

Let me make this really easy for you.  Probably 1 in 10 readers has attended my Disaster Prevention and Recovery seminar at their local county bar association.  So they know it’s not that hard to prepare. The rest of you have to take my word for it.  You just have to make up your mind to do it.  That’s all.  Start by taking a look at the 44-page ABA publication entitled “Surviving a Disaster: A Lawyer’s Guide to Disaster Planning” which is available online here.  PBA members can follow up by contacting me at the Bar Association for additional assistance at no charge.


How Safe Is Your Laptop or Other Portable Device Housing Confidential Client Data?

Every once in a while I read an article in the news which reminds me to remind all of you about the responsibilities you have to safeguard client data.  Sometimes we forget how much “stuff” may be on digital dictation devices, smartphones, flash drives, laptops, netbooks and other devices, which are prone to disappear.  A recent article in the Philadelphia Business Journal entitled “Laptop Crime Wave at Office Buildings May be Solved” reminded me it’s time to remind you once again.  The 27-year-old suspect has been charged with stealing more than 30 laptops from four Philadelphia business towers since May.  During the day.  Many of the locations housed law firm tenants.

What happens to your client data if your laptop is stolen?  How about if you lose your smartphone, dictation device, etc.?  Does your laptop have a boot password?  Is the hard drive encrypted?  Can you “wipe” your smartphone remotely? 

With a laptop stolen at the rate of more than one every minute in the USA, these are questions you must be able to answer.  You may find this article entitled “Safeguarding Laptops, Electronic Devices, and Protecting Confidential Client Data” to be a good starting point.  Rule 1.15 [Safeguarding Client Property] requires you to give this some thought, and take reasonable precautions.  Given the vulnerability of these devices, don’t wait to find out the hard way that what is considered reasonable precaution may be far beyond what you currently employ.


Disaster Legal Aid Help for Civilians

Some PA residents and businesses, like me, dodged a bullet when hurricane Irene passed through.  But others are not as fortunate.  I have been getting lots of calls on the PA Bar Association Hot Line from lawyers whose offices were flooded, or worse, mudded, resulting in a loss of client files and other valuable papers.  Many people lost everything of a personal nature, including their homes, and many businesses are struggling to survive.  No, I will not take this opportunity to provide any lectures about disaster prevention steps that could have been taken.  I will reserve that for another time.  Right now I just want to get the word out about what resources are available to help.

The PA Bar Association has teamed up with PA Law Help to create a virtual law clinic.  The Allegheny County Bar Foundation has created a detailed model resource for Volunteer Attorneys.  In addition, local bars have set up 7 sites for disaster relief around the state, and are asking their members to mobilize to provide support to the community.  The 7 centers are:

Wyoming County: Tunkhannock Area Administration, 41 Philadelphia Avenue, Tunkhannock, PA 18657

Bradford County: Towanda Fire Department, 101 Elm St., Towanda, PA 18848

Luzerne County: Luzerne County Community College, 1334 South Prospect Street, Nanticoke, PA 18634

Dauphin County: Harrisburg East Mall, 3501 Paxton Street, Harrisburg, PA 17111

Lycoming County: 740 Fairfield Road, Montoursville, PA 17754

Columbia County: Columbia County Agricultural Center, 702 Sawmill Road, Bloomsburg, PA 17815

Sullivan County: Loyalsock State Forest District Office, 6735 Rt. 220, Laporte, PA 18626

These 7 sites are opening today, Wednesday, September 14, from 1 p.m. to 7 p.m., and starting tomorrow, Thursday, September 15th, will be open from 10 a.m. to 7 p.m. daily. Disaster officials recommend that individuals register before visiting a Disaster Recovery Center (DRC), so that any questions about the application process can be answered face to face. Individuals may visit any DRC regardless of where they live or work.

Register for assistance online at DisasterAssistance.gov; the screens will prompt you through the registration process.

One can also apply by web-enabled mobile device at m.fema.gov, or call 1-800-621-FEMA (3362). Disaster assistance applicants who have a speech disability or hearing loss and use TTY should call 1-800-462-7585 directly. For those who use 711 or Video Relay Service (VRS), call 1-800-621-3362. Operators will assist individuals seven days a week between the hours of 7 a.m. and 10 p.m.

Reach out to those around you.  That includes your vendors, employees, neighbors and friends.  Make sure they know of these resources.

Terror Lurking in the Cloud

The title of this post likely conjures up disturbing memories of 9/11.  And it should.  A newly released book presents the disturbing possibility that online gaming and virtual world communications have provided terrorists with an ideal medium to communicate and plan deadly assault scenarios, all of which is flying under the radar of the CIA and NSA.

Dutchman Emile van Veen spent two years researching how terrorists could utilize so-called Massively Multiplayer Online Role Playing Games (MMORPGs). These online games appear to be an unbreakable code for intelligence agencies and offer communication channels like email, chat and voice chat. They are violent by nature, making it virtually impossible to detect dangerous conversations. They can be accessed from any computer, anywhere, by using anonymous accounts.

Recently the danger of terrorists using computer games as a secure communication channel led to alarming news articles by major newspapers in Europe, following the release of Van Veen’s technothriller “MMORPG: How a computer game becomes deadly serious.”

Van Veen’s story is set in both the real and the virtual world, a novel concept in itself. The author said, “Especially reproductions of our real world are dangerous. Someone who wants to blow up the Brooklyn Bridge could examine the target in detail and scout his way in and out as well.”  He thinks the real-life danger is imminent.

The CIA tentatively acknowledged this threat in its 2008 Data Mining Report and started the Reynard Project as a “seedling effort” to detect suspicious behavior and actions in the virtual world. Although online gaming has exploded and hundreds of millions of people participate in these games, not much has been heard about the Reynard Project since.

The book MMORPG: How a computer game becomes deadly serious [ISBN 9781456318086] by Emile van Veen is available through most retail channels in both paperback and eBook.

Admittedly, this isn’t the type of information I normally post on my blog.  But after yesterday’s post I figured most of my readers would be fretting about how far behind they might be in technology, and how it might hamper their ability to compete.  So now, to put things into proper perspective, I’m giving you something bigger to worry about!


Mobile Computer Security

By all accounts, a personal computer is lost or stolen every 12 seconds. Most contain confidential or sensitive information. Having to explain to a client or disciplinary authority about lost or exposed client data on a missing laptop would be unpleasant and difficult. With all of the reported instances of this happening, how could anyone seriously maintain that they had no idea that a laptop with confidential information could be lost or stolen? And PCs aren’t the only mobile devices that can contain confidential information.

It follows then that when we talk about mobile security, we are primarily talking about training staff and lawyers to be aware of the risks of losing important information, and about adopting policies to secure confidential information. There is a need for every firm to develop and implement a computer use policy which carefully balances the need for security with the need of users to accomplish tasks effectively and efficiently without creating undue administrative burden.

An article entitled “The Lawyer’s Guide to Mobile Computer Security” will examine the various areas to be considered when drafting and implementing a computer use policy. It was recently posted to the web site of Freedman Consulting, Inc. It should be a must-read for managing partners, IT professionals, law firm administrators, and chief information officers.


When a Small Tech Adjustment Turns Into a Big Tech Headache

Too many IT people step over the line from cutting edge to bleeding edge or wind up just plummeting off the edge entirely into an endless free-fall of bad consequences for all end-users, all for the lack of a little forethought and well-considered conservatism. I’ve seen it one too many times.

Whether the IT person is in-house talent or outside service personnel, the result is too often the same. An hour after they leave, or sometimes moments after they arrive, the system comes screeching or grinding to a halt over a careless action. And they are either unavailable or powerless to fix it, leaving the end users holding the bag.

Example? How about the IT person who decided to just shut down a network without prior notice or query to implement a “3 minute” power supply replacement, only to find the system would not reboot with the new supply, and the old one officially died upon removal. Oh, did I mention that a lawyer was in the conference room in the middle of a 4+ hour complicated closing at the time? You would have thought it was the fourth of July based on the fireworks.

Example? How about the IT person who heard a funny noise coming from the PBX phone switch and decided to reboot it on the chance it would take care of the problem. Want to take a guess? Yep, you got it. It was an impending hard drive controller failure, and the hard drive failed when it stopped spinning. The firm was without phone service for over 24 hours, and lost all its voicemail messages, current and saved.

Example? How about the IT department at Research in Motion making a minor software update that was supposed to optimize system cache memory, without adequately testing it first? Want to take a guess? Well, if you know any Blackberry users, you probably already know most needed a padded cell and/or methadone to deal with the withdrawal symptoms when the system failed and left literally millions of users jonesing to use their thumbs from late Tuesday, April 17th, into Wednesday the 18th. Complicating matters was the fact that the company’s backup system also “performed poorly.”

“The system routine was expected to be non-impacting with respect to the real-time operation of the BlackBerry infrastructure, but the pre-testing of the system routine proved to be insufficient,” Research in Motion said in a statement.

I don’t care whether you outsource your IT, have your own in-house talent, or literally do it yourself. Just always keep in mind that you should never mess around with anything, no matter how “simple” or “straightforward” or “non-impacting” you think it will be, without first asking yourself what you can do to undo it if the worst happens. Do you have the ability to “go back” software-wise short of a full restore? If you have to do a restore, do you have a current backup? Have you done a restore recently, or even tested your backup to make sure it will work as desired when needed?

If the system is down, even for a few minutes, who will be affected? Have you checked with them to see if they can deal with it without adversely impacting client deadlines?

How will you fix it if it turns into a boo-boo? How long will it take?

Always test everything you can in advance. Always make sure you have a full software backup before installing any software, patch, update, whatever. Never ever power down unless you are pretty darn sure you can power back up, or have backup hardware available. One thing I’ve learned time and time again — if you suspect a hardware problem, the worst thing is to power down before a technician with replacement parts arrives or is en route. Ok, we’ll make an exception when there’s smoke coming out of the exhaust vent. :-)

If we learn nothing else from RIM’s recent outage, it should be to remind us that there is virtually nothing we can do to our computers which is truly “non impacting,” so always take a conservative approach.


Less Than Electrifying News

The proliferation of ever more power-hungry devices has left battery technology in the dust. As more features are added to our convergent devices, the energy gap widens. I, like so many of my fellow earth-friendly geek friends, have been watching hopefully for news of some significant advance in battery technology.

A news headline in Wireless Week today promised the first real advancement. The article started out with the announcement that “Powercast, a new Pennsylvania-based startup, has a better battery solution that it promises is not only reliable, FCC-approved and safe, but will be ready to power millions of small devices by the end of 2008, using radio waves.”

Imagine the break-through this technology promises. But no, the article goes on to state “According to the company, its platform can harvest a few milliwatts of energy within a meter of the transmitter; enough energy to charge a single depleted cell phone battery about halfway overnight.”

Ok, the meter limitation means it will be the equivalent of a Bluetooth-type charging device. Just put the cell phone within distance of the power transmitter and no need to plug in. But all night to achieve only a halfway charge? Clearly the technology is not the breakthrough needed. But at least it’s a start . . .

It does remind one, though, to keep battery life in mind when purchasing one’s smartphone. All of the add-ons, like the MP3 player, digital camera, etc., come at a cost — additional power consumption. Our convergent devices aren’t a luxury anymore; they’re essential. Nothing is worse than being in a situation where you have to make a critical call, or find that essential telephone number, only to discover your battery is too low to perform the desired task. For that reason I gave out emergency cell phone power supplies to my close friends as holiday gifts this past season.

Speaking of economical measures, this is a small disaster avoidance step you can take now to make sure you’re prepared later. Buy one for the glove box, and one for your suitcase.

Meanwhile, I’ll keep watching the news for any glimpse of battery life improvement technology breakthroughs.


Email After Death

When I read this title in Woody’s Email Essentials I thought it was a reference to the kooky service one can subscribe to which sends emails out on one’s behalf after death. But it turns out it’s about more serious issues — how to access the email of loved ones when the unthinkable and inevitable happens.

Woody points out that most email storage is deleted by ISPs after a period of inactivity (30, 60 or 90 days). I join the many readers who are disturbed about the inactivity time limit on email accounts, and especially the fact that the start of the inactivity might not be the date of death but some earlier date. Aside from any business or financial information in the email accounts, there may well be important personal messages that could be a comfort to family and friends.

Woody points out that a Power of Attorney is normally only active while the person is alive. Upon death it lapses and control moves to the executor or administrator (once confirmed by a court). With modern medical care and the ability to prolong life for some time, it’s probably a good idea to have a Power of Attorney to let someone handle your business affairs if you’re incapacitated. At least that means that someone will have the authority to access your emails on your behalf and deal with the issues which arise.

Since so much business in our personal lives is now conducted via email, it’s easy to see how it can be important to enable someone else to access our email if we are incapacitated for any significant length of time. And if we are taking care of the affairs of a deceased family member, we need to move email access to the top of the list, because there may be only a 30-day window in which to access unread email.

What did I learn from this eNewsletter? I have my mother’s banking information, and am a signatory and hold a key to her safe deposit box, where most of her vital information can be found. But I see now that is not enough. I need to leave some documentation and account access details for my mother just in case, and I need to get the same from her.

It may not be an easy subject to raise, but doing it now can save hassles later at a difficult time.
