Originally published December 1, 2020, by Steve Sobka, Director of Technology and Infrastructure, and Bill Sorenson, VP of Product, at www.elite.com.
Cybersecurity has long been an area of concern for law firms; New York has even proposed cybersecurity CLE requirements. The changes of 2020 require every firm to reevaluate their current security posture and determine if changes are needed.
Certainly, the focus on cybersecurity pre-dates COVID-19, especially as law firms continue to be actively targeted by cyber threat actors in well-publicized breaches. However, the issue becomes even more urgent today. Leaders need to consider how the drastic changes in working environment brought on by the pandemic have impacted their security controls.
In this article, we’ll outline 10 best practices that every law firm should consider adopting or reviewing and why.
1. Re-evaluate Your Security
As firms this year have grappled with the challenges of supporting remote work and adapting in-office processes, technology, and client interaction to accommodate, security may have taken a back seat to productivity and “keeping the lights on.” It’s time to take a look at how those necessary changes have impacted security.
For example, where before you may have concerned yourself primarily with the security of your physical offices, you need to now also consider home security and how to adjust your policies and technical controls to accommodate.
And all this isn’t just limited to the current remote work situation. For many firms, big and small, 2020 has shown that remote workers can remain highly productive. Regardless of how long remote work is necessary, for some firms, some level of remote work will remain an option post-pandemic.
From reviewing your Bring Your Own Device and remote work policies to a full-scale review of your technical controls, taking a step back and considering how recent changes impact security will help ensure your client data remains secure no matter how it’s being accessed.
2. Least Access Approach
One of the most common techniques cybercriminals use is to target junior staff members as a means into an organization. Once they secure such credentials, they can then either a) access everything that employee has access to, or b) use that account as a “Patient Zero” account to infect others, even up to managing partners.
With a least access approach, firms can control their exposure by being vigilant about what any given person can access. Instead of determining what data and which systems should be blocked from a given user, think critically about what they need to access. Doing so helps ensure that even if a cybercriminal gains credentials or if ransomware is deployed at the firm, that your exposure is limited.
3. Security-first Mindset
A defensive mindset is critical to maintaining a secure environment—not just digitally, but physically as well. In an office setting, that might mean validating the copy repairman or the person who waters the plants. Online, it could include confirming that an email requesting data is actually real.
The crux of the security-first mindset is that it’s not limited to IT. Every person at your firm needs to take a “Question everything” mindset. You can’t afford for it to be “just IT’s problem.”
4. Ongoing (Not Annual) Training
This one seems obvious, but it’s critical that firms consider training as an ongoing activity rather than an annual one. Required annual cybersecurity training typically isn’t sufficient to keeping staff vigilant. Instead, consider lighter, more frequent training, and use responsive training tools to help educate your team on phishing attacks. Ultimately, your employees are your last line of defense. Make sure they’re prepared.
5. Email Security Is Not Just About Tools
While email security tools are an important component of catching phishing emails, they are far from infallible. The rising sophistication of phishing attacks means that no email security tool alone can defeat phishing attacks.
In addition to the training highlighted above, law firms should ensure they have policies and procedures in place to mitigate risk. This includes proactive measures such as a policy that requires financial transactions to be confirmed in person / by voice, not just email or reactive, outlining a clear incident response plan so everyone knows what to do if they’ve been phished.
6. Multi-factor Authentication and Password Managers
It’s time to get serious about these two. Any firms that haven’t yet implemented these (and it could be as many as 50%) need to make this a priority.
Cybercriminals exploit the very human desire to keep things simple and convenient. The result? Gaining access to one account can often be easily translated to several of that person’s accounts. With multi-factor authentication, criminals would need access to multiple components to access a target’s data. One nuance here; text-based two-factor authentication is better than nothing. But given the choice, firms should require authenticator apps which are far harder to hack.
Meanwhile, password managers make it easier to maintain different, long, and complex passwords for every account. With a corporate account, firms have the added benefit of quickly shutting down access to all those passwords in the event of a termination.
7. Encryption Everywhere
The simple message here: encrypt everything, everywhere. Ensure your data is encrypted at rest (if you’re operating in a cloud environment, this will be automatically built-in), as well as in transit.
8. Remote Workspace Adoption
Virtual desktops provide a significant security upgrade. While the experience for the user is nearly identical to keeping everything on the local machine, the desktops are actually hosted in a public cloud environment where everything—from the data sitting on the desktop to the connection to critical applications such as Firm Central and ProLaw®—are running in cloud-based servers and are both encrypted and backed up. Cloud desktop represents a much more secure environment than a typical virtual private network and can also eliminate the performance impact that VPNs introduce.
With a virtual desktop, you can isolate your damage, particularly in an era where employees are accessing their applications and data from insecure home WiFi networks. If a computer is stolen or a laptop is damaged, no data is exposed or lost. You can just procure a new computer and get access to your cloud desktop as if nothing ever happened.
9. Physical Security
With many offices only lightly staffed, if at all, there are often minimal controls to ensure that only authorized personnel can access the office. If your infrastructure is still on-premises, you may not have insight into who can access your hardware.
The simple solution? Stop owning physical infrastructure. The truth is that there’s nothing you can do that will be more secure than Amazon® or Microsoft®. By upgrading your infrastructure to the cloud, you transfer your risk to the cloud providers and save yourself the expense and headache of keeping that physical infrastructure secure.
10. Cloud Security
The move to the cloud can be a huge security upgrade for law firms. But how do you ensure that your cloud security is secure as well? The first is to confirm what you mean by “the cloud.” Public cloud providers such as Amazon and Microsoft spend hundreds of millions—even over a billion—dollars on security, far more than you or even a private cloud provider can spend.
You’ll also want to consider how your cloud provider is treating your environment. In many private cloud environments, for example, you can consider the infrastructure to be similar to an apartment building. While your locked door helps to keep your environment secure, you’re still subject to communal impact. If another tenant has a fire, that fire could easily spread to you.
In contrast, a single-tenant environment is like owning your own house, with lots of land around. The actions of your neighbors won’t impact you as heavily, if at all.
Conclusion
Security is a hefty responsibility. Undoubtedly, you’ve already implemented at least some of these 10 best practices. But there are likely at least a few that bear further consideration or upgrading from your current set up.
It can be daunting to consider implementing all of them. But the good news is, that by turning to the cloud, and a trusted cloud services partner to help you, 8 out of 10 of these best practices can be either offloaded or significantly supported by a partner. (If you guessed 2 and 3 as the outliers, you’re right).
Security practices should be reviewed regularly and at any time a major change happens to the business. So as 2020 comes to a close, take the time to review, re-evaluate, and emerge with a stronger security posture and confidence that you’ve done everything you can to keep your client and firm data secure.