A Primer on Vulnerability Management

Any business that stores data on its own network wants to keep that network as secure as possible. Protecting business assets has become a complex challenge: keeping up with cybercriminals, meeting every regulatory compliance requirement, and keeping a watchful eye, from a security perspective, on every user and device on the network.

Over the last few years, the volume and evolution of cyber-attacks have become overwhelming for even the most security-conscious organizations. Defending against them requires a comprehensive understanding of organizational risks and vulnerabilities, current threats, and the most effective policies and technical solutions for addressing them. Once organizations understand their risk, they can adjust their security budget towards the technologies and strategies that best reduce or eliminate that risk.

One of the critical processes in securing any business is testing it for vulnerabilities. Many cyber-attacks can be prevented with a proper vulnerability management strategy, built primarily on vulnerability assessments and penetration testing. These two activities are not mutually exclusive; they complement each other.

The two tests differ in method and purpose, and together they provide a comprehensive cyber-attack prevention plan for your business.

Vulnerability Assessments

A vulnerability is an inadvertent flaw in software, an operating system, or a device that cybercriminals can exploit. These flaws are primarily the result of software programming errors or incorrect computer or security configurations. If left unaddressed, vulnerabilities become easy fodder for cybercriminals.

The first step in the vulnerability management process is to run a vulnerability scan. This automated process of identifying security vulnerabilities within the network, application, and devices is a powerful tool for better understanding your business’s state of security.

Essentially, this is a security audit of your network and the underlying infrastructure, reporting weaknesses that threaten the confidentiality, integrity, or availability of your systems. The scan is run by a software tool pointed at an IP address (or a subnet), which probes every reachable host in that range.

The scanning process includes detecting and classifying vulnerabilities in devices, computer systems, applications, and third-party software, looking for security holes such as open ports, outdated software, or accounts with default passwords. The result is a report of all vulnerabilities identified, which can then be assessed, analyzed, and interpreted to identify opportunities for the organization to improve its security posture. Whether your countermeasures would actually hold up against an attacker is a separate question, one that penetration testing (below) exists to answer.

Vulnerability scans look for vulnerabilities already known to the security community, hackers, and software vendors. Vulnerabilities that have not yet been publicly disclosed are, by definition, not in the scanner's database, and the scan will not find them. That said, modern vulnerability scanners are updated continuously as new vulnerabilities are disclosed, which narrows (but never closes) that blind spot.

Penetration Testing

Another aspect of the Vulnerability Management program is Penetration Testing. Penetration tests are often confused with vulnerability assessments; however, these are two very different processes that proactively defend your organization against cybersecurity threats.

As organizations conduct periodic vulnerability scans, so do hackers and cybercriminals, scanning your network to find a hole or weakness they can use to break in. This is where penetration testing takes the vulnerability scan to the next level: it shows how a cybercriminal could exploit a vulnerability and carry an attack through to completion.

Penetration testing is in high demand. Many testers will run a vulnerability scan, generate a report for executive consumption and call it a penetration test. This, however, is just the first step in a two-step process. The scan reveals the existence of a vulnerability; however, an actual penetration test verifies that the vulnerability is exploitable and under what circumstances it can be exploited.

A penetration tester will exploit the vulnerability and probe how deep the problem goes, to determine the extent of damage an attacker could cause. This is the crucial difference between a vulnerability assessment and a penetration test: the output of the vulnerability assessment is probed further, in the same way a cybercriminal would probe it.

The results of a penetration test are also ranked by severity and exploitability, and any steps to remediate are provided.

Vulnerability Management at Afinety

Vulnerability Management is an ongoing process. Vulnerability scans and assessments should be more frequent (monthly or quarterly), whereas penetration testing can be done on an annual basis or after a significant change to the environment. A single vulnerability scan is only indicative of your organization’s security posture at that point in time.

Afinety conducts vulnerability scans on all its client-hosted environments and its backend infrastructure. These scans assign each vulnerability a severity score (Critical, High, Medium, or Low). An Afinety Security Analyst then assesses that severity in the context of the target environment, considering factors such as exposure to the public internet or remote exposure potential, network topology and depth of exposure, sensitivity and value of the data, regulatory compliance or breach potential, and any compensating controls or mitigating factors. Based on this assessment, a decision is made about which vulnerabilities should be targeted first and most aggressively.
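As an added illustration of the contextual triage described above (example code written for this page, not Afinety's own tooling), the script below reads a scanner export in a constructed CSV format, adjusts each finding's base severity by the same kinds of factors the paragraph lists, and ranks the results. The hosts, findings, control names and scoring weights are all made up for the example; the point is the shape of the calculation, not the specific numbers.

```python
"""Rank vulnerability-scan findings by environmental context.

Added example for this page, not Afinety's tooling. The CSV format, hosts,
findings, control names and scoring weights are all constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Scanner severities on the page's Critical/High/Medium/Low scale, as base points.
BASE_SCORE = {"Critical": 40, "High": 30, "Medium": 20, "Low": 10}

# Which finding categories a compensating control meaningfully mitigates.
# Constructed mapping: a WAF in front of an old web server buys time, MFA blunts a
# default password, an IP allow-list narrows who can reach anything at all.
CONTROL_MITIGATES = {
    "mfa": {"default-credentials"},
    "waf": {"outdated-software"},
    "ip-allowlist": {"open-port", "outdated-software", "default-credentials"},
}
MITIGATION_CREDIT = 12   # points removed per relevant control (assumed weight)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    category: str      # open-port | outdated-software | default-credentials
    title: str
    severity: str      # scanner's base severity


@dataclass(frozen=True)
class HostContext:
    """What the analyst knows about the host that the scanner does not."""
    internet_exposed: bool
    data_sensitivity: str              # "high", "medium" or "low"
    regulated: bool                    # a breach would trigger regulatory obligations
    controls: frozenset = frozenset()  # compensating controls already in place


def parse_scan_export(text):
    """Parse a scanner CSV export (constructed format) into Finding objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["severity"] not in BASE_SCORE:
            raise ValueError(f"unknown severity {row['severity']!r} on {row['host']}")
        findings.append(Finding(row["host"], int(row["port"]), row["service"],
                                row["category"], row["title"], row["severity"]))
    return findings


def risk_score(finding, ctx):
    """Base severity adjusted for exposure, data value, regulation and controls."""
    score = BASE_SCORE[finding.severity]
    if ctx.internet_exposed:
        score += 20                                   # reachable by anyone
    score += {"high": 15, "medium": 8, "low": 0}[ctx.data_sensitivity]
    if ctx.regulated:
        score += 10                                   # breach-notification exposure
    relevant = [c for c in ctx.controls if finding.category in CONTROL_MITIGATES.get(c, ())]
    score -= MITIGATION_CREDIT * len(relevant)
    return max(score, 1)                              # a control never erases a finding


def prioritize(findings, contexts):
    """Return (score, finding) pairs, highest priority first; ties broken by host/port."""
    scored = [(risk_score(f, contexts[f.host]), f) for f in findings]
    scored.sort(key=lambda pair: (-pair[0], pair[1].host, pair[1].port))
    return scored


# Constructed scanner export: four findings across three hosts.
SCAN_EXPORT = """host,port,service,category,title,severity
web-01,443,https,outdated-software,Outdated web server version,High
web-01,22,ssh,open-port,SSH reachable from the internet,Medium
db-01,1433,mssql,default-credentials,Account with default password,Critical
file-01,445,smb,outdated-software,Unsupported SMB version,High
"""

# Constructed context: the public web host sits behind a WAF, the database is
# internal with MFA on its accounts, the file server is internal with no extra controls.
CONTEXTS = {
    "web-01": HostContext(True, "medium", False, frozenset({"waf"})),
    "db-01": HostContext(False, "high", True, frozenset({"mfa"})),
    "file-01": HostContext(False, "high", True),
}

if __name__ == "__main__":
    for score, f in prioritize(parse_scan_export(SCAN_EXPORT), CONTEXTS):
        print(f"{score:3d}  {f.severity:8s} {f.host}:{f.port}  {f.title}")
```

Note what the context does to the order: the only Critical finding is not first, because it sits on an internal host whose accounts already require MFA, while an unsupported SMB version on an internal file server holding regulated data outranks it. That is a judgment a scanner alone cannot make, and it is why the analyst's assessment, not the scanner's raw severity, should decide what gets fixed first.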

Afinety also conducts penetration testing on its entire backend infrastructure annually. While this does not include each client’s hosted environment, we offer penetration testing to our clients as a part of our Security Services portfolio.

Performing these two types of tests helps Afinety avoid vulnerabilities and proactively act against cybersecurity threats. This also demonstrates to our clients and regulators that we are taking measures to identify vulnerabilities and apply the appropriate defenses to mitigate the potential risk of an attack.

Plan for the Next Disaster NOW: 9 Questions to Mitigate Future Risk

Business continuity and disaster recovery (BC/DR) plans went through a universal stress test last year the likes of which have never been seen before. As we start to emerge from the pandemic, it’s tempting to immediately focus on delayed initiatives and newly identified projects coming out of it. Before moving on, pause and evaluate how your BC/DR plan performed and plan for the next disaster while this memory is still fresh.

Law firms should take the time now to seriously evaluate how their practice adapted over the past year, and most importantly, what they need to do to improve their response to the next crisis. While the global pandemic is hopefully a once-in-a-generation event, there is no shortage of other threats that require the activation of a firm’s BC/DR plans—from regional natural disasters like wildfires or hurricanes to targeted cybersecurity attacks such as ransomware.

Risk Analysis and Tolerance Drive BC/DR Strategy

For law firms, mitigating legal risk for their clients is second nature. Mitigating business risk for themselves does not come as naturally. In small to mid-sized firms, actively planning for and managing non-legal business risk often takes a back seat to productivity and growth initiatives, and many business continuity and disaster recovery plans are shaped by one or two factors (cost, say, or an IT partner's recommendation) without careful consideration of business impact.

Ultimately, your BC/DR strategy depends on fundamentally understanding business impact. Your strategy will grow and evolve over time; this isn't a one-time exercise. By sitting down periodically with key stakeholders (we recommend at least annually), you can identify new risks and prepare a plan based on current business activities. Simply having the discussion will help you weather the storm, whether that's a literal storm, a figurative one such as the COVID-19 pandemic, or, more commonly, malicious hackers seeking profit.

Every BC/DR strategy should be informed by a Business Impact Analysis. This analysis can be formally conducted by professionals or informally done in-house, and involves asking a series of questions to help you more deliberately understand your business requirements. These requirements are operations your firm really needs to have functional during a crisis, and ultimately will inform the decisions you make with regard to budget, technology, and priorities.

Getting Started with a Business Impact Analysis

The following nine questions will get you started so you can more pragmatically determine how to build the right level of resilience throughout your organization, regardless of how big or small your firm is. Your answers will be influenced by your clientele, the size of your firm, your risk tolerance, and how you handle business risks and objectives.

The more you ask uncomfortable questions when there isn’t a crisis, the more likely you’ll be able to avoid business-shattering consequences.

1) How much risk are you willing to take on and in which areas?

Step one is to evaluate your risk tolerance. How much can your business withstand and still come out the other side? In a crisis, what percentage of your clients would continue to need immediate attention? How long can your clients get by if you can’t access your systems? Are there times of the year, quarter-end for example, where a disruption or security incident has an outsized impact? What are clients’ expectations of you, and how tolerant will they be if you can’t meet them?

By answering the above, you’ll be able to more accurately map your business priorities and objectives to information security and disaster recovery efforts. If you don’t understand your risk tolerance and how that relates to your business priorities and objectives, you can’t make a BC/DR strategy and plan that ensures you meet them.

2) What types of data do you have and where is it kept?

Closely related to the first step is understanding exactly what kind of data you hold and where it’s being held. If you haven’t already conducted one, you’ll want to go through a data classification exercise. Part of minimizing your security risk is reducing the attack surface and centralizing what you can so that sensitive data isn’t scattered in multiple places.

For law firms, nearly all the data you hold is sensitive, but it might not all be stored in the same place. Your billing system, for instance, holds different information than your document management system. How much data is being shared via email or tools like Sharepoint or Dropbox? Do you have data subject to regulatory constraints, and if so, where is it held?

By clearly mapping out what data you hold, how sensitive it is, and where you hold it, you’ll be able to make decisions on a system-by-system basis of how much you can afford to invest to secure the data held within a particular application.

3) Is your technology infrastructure secure?

Operating a firm requires a blend of technologies, and unfortunately, these technologies are vulnerable to different types of malicious attacks. With few exceptions, you rely on information technology systems to communicate within your organization, deliver your services, protect client identities and data, and meet deadlines. That means that you need to think about how to secure those systems to keep your business running smoothly.

Your decisions will drive IT investments, architecture decisions, and management of IT assets. It will also help you create a security policy, including how to access your network remotely, a password policy, and a social media policy. Your tech stack enables you to run your business and securing it with the appropriate security solutions and policies keeps it running smoothly.

4) Do you have a disaster recovery plan?

Beyond security, think about what you’ll need in the event of a disaster. This could be isolated, e.g. a single critical system going down, or it could be broader, like a crisis that affects an entire region.

Considerations here include whether your systems are cloud-based and redundant and whether your employees can work remotely. Have you determined your minimum level of access and service? Which systems/data/business functions are mission-critical? Do you have the processes, policies, and technology to deliver the absolute necessities?

A policy for remote working helps with natural disasters, pandemics, and personal emergencies. You’ll also want to consider the criticality of the services you provide and how much of it can be conducted remotely. A law firm may be able to conduct the majority of its business and client interaction remotely, but you may still have some business that you typically do in person, such as court-related activities. Investigate alternatives – are there new ways to conduct in-person activities remotely if absolutely necessary?

Disaster recovery plans describe how you and your team can get back to work quickly after an unplanned incident to help you minimize the impact on your business and decide which investments make the most sense to keep your business running when the unexpected happens.

5) How long can your firm survive without access to its systems?

To help you make your disaster recovery plans, you need to consider downtime. Based on your analysis, you may determine the need to invest in a secondary set of infrastructure that you can fail over to in case of a disaster. You may also decide that it’s worth risking a few hours or days of downtime to save on the high ongoing costs of a secondary site.


  • What does it cost your business to be down for 15 minutes?
  • What about being down for a day?
  • What’s the cost of keeping a site recovery option, with full failover (meaning your systems go down and switch immediately to a backup — with no downtime)?
  • Do you need full environmental failover, or does application failover provide enough functionality for your business?

In the abstract, more security and immediate failover always sounds like a great idea, but in reality, the costs for immediate failover are likely to be more than double what you’re currently spending. You need to really weigh the likelihood of risk and the cost of downtime against the cost of immediate recovery.

In BC/DR terms, there are two critical factors to determine:

  • Recovery Time Objective (RTO) – the maximum time you can tolerate between an incident and having systems back online and operational. Put another way, how long your firm can afford to be non-functional.
  • Recovery Point Objective (RPO) – the maximum data loss you can withstand, measured as the age of the most recent copy you can restore. For example, if you restored your systems as of 11:59 PM last night, you will have lost all of the work your team has done today. Is that acceptable, or do you want a system that would lose at most an hour or two of work?
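The cost questions above (what an hour or a day of downtime costs, what full failover costs to keep) and the RTO/RPO definitions can be put into one small model: the standing cost of each recovery option plus the downtime cost you still expect to absorb with it, constrained by the objectives the firm has set. The script below is an added example for this page, not a method the article prescribes; the options, prices, incident rate and hourly costs are constructed placeholders to be replaced with your own figures.

```python
"""Compare recovery options by expected annual cost against RTO/RPO targets.

Added example for this page, not a method the article itself prescribes. The
options, prices, incident rate and hourly costs are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    annual_cost: float   # what it costs each year to keep this option in place
    rto_hours: float     # time to get systems back online (Recovery Time Objective)
    rpo_hours: float     # age of the newest restorable copy (Recovery Point Objective)


def expected_incident_cost(option, cost_per_hour_down, cost_per_hour_rework):
    """Cost of one incident: hours offline plus hours of work that must be redone."""
    return option.rto_hours * cost_per_hour_down + option.rpo_hours * cost_per_hour_rework


def total_annual_cost(option, incidents_per_year, cost_per_hour_down, cost_per_hour_rework):
    """Standing cost of the option plus the downtime cost you expect to absorb anyway."""
    return option.annual_cost + incidents_per_year * expected_incident_cost(
        option, cost_per_hour_down, cost_per_hour_rework)


def meets_objectives(option, max_rto_hours, max_rpo_hours):
    """True if the option recovers fast enough and loses little enough data."""
    return option.rto_hours <= max_rto_hours and option.rpo_hours <= max_rpo_hours


def choose_option(options, max_rto_hours, max_rpo_hours,
                  incidents_per_year, cost_per_hour_down, cost_per_hour_rework):
    """Cheapest option that still satisfies the firm's RTO and RPO; None if nothing does."""
    eligible = [o for o in options if meets_objectives(o, max_rto_hours, max_rpo_hours)]
    if not eligible:
        return None
    return min(eligible, key=lambda o: total_annual_cost(
        o, incidents_per_year, cost_per_hour_down, cost_per_hour_rework))


# Constructed options: nightly backup restored by hand, a warm standby, a hot site.
OPTIONS = [
    RecoveryOption("nightly backup, manual restore", annual_cost=5_000, rto_hours=24, rpo_hours=24),
    RecoveryOption("warm standby, hourly replication", annual_cost=30_000, rto_hours=4, rpo_hours=1),
    RecoveryOption("hot failover, near-continuous", annual_cost=80_000, rto_hours=0.25, rpo_hours=0.25),
]

# Constructed assumptions: one serious outage every two years, $2,000 per hour offline,
# $1,500 to redo each hour of lost work.
INCIDENTS_PER_YEAR = 0.5
COST_PER_HOUR_DOWN = 2_000
COST_PER_HOUR_REWORK = 1_500

if __name__ == "__main__":
    for o in OPTIONS:
        cost = total_annual_cost(o, INCIDENTS_PER_YEAR, COST_PER_HOUR_DOWN, COST_PER_HOUR_REWORK)
        print(f"{o.name:36s} ${cost:>10,.0f}/yr")
    pick = choose_option(OPTIONS, 8, 2, INCIDENTS_PER_YEAR, COST_PER_HOUR_DOWN, COST_PER_HOUR_REWORK)
    print("RTO 8h / RPO 2h ->", pick.name if pick else "no option qualifies")
```

With these placeholder numbers the warm standby comes out cheapest over a year even before the objectives are applied, because the "cheap" nightly backup carries a day of downtime and a day of rework every time it is used; the hot site only wins once the firm decides it cannot tolerate more than an hour offline. Your own figures will move the answer, which is exactly why the exercise is worth doing with them.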

Making clear-eyed decisions about this when you’re not under extreme stress will help you make choices that work to keep your business functional long into the future. And the reality is that by NOT making a decision about this, you’re still making a decision. If you haven’t prioritized your critical systems now, then when a disaster hits, it will be too late to take action.

6) Do you work with clients in regulated industries? If so, what kind of security controls do you need to impose given your access to client data?

Different industries have different regulations that impact your business operations and requirements. If you work with clients in a highly regulated industry, your work and data may be subject to the same regulations theirs are.

Even without that consideration, for the legal industry, downtime results in clear practical risks; if you can’t access documents, you can’t meet client requirements. The biggest risk in the legal industry, however, is data exposure. Clients hold legal counsel to a high standard, and expect that any information about them remains protected, regardless of cyberattacks or data breaches.

7) What risks can you solve with technology?

While headlines about data breaches and cyberattacks might lead you to think that technology only causes risks, it can actually solve them as well. Managed service providers can take a lot of the technology questions off your plate, but you still have some responsibilities that technology can help with. This blog series will help you understand more about how to protect your mission-critical assets through policy management, monitoring and response, data security, application security, endpoint security, network security, and perimeter security.

8) Have you reviewed your technology partner’s security posture?

If you’re outsourcing, make sure you ask your third-party providers about how they protect you and your business. Does your partner have controls and plans in place that meet your business requirements?

Simply asking these questions will help you understand what to expect from managed services and what you need to handle internally. If you don’t know who’s responsible for handling a risk, chances are that no one is.

9) What risks do you solve with internal training?

Training seems like a minor issue, but it can solve big problems. Employees make innocent mistakes, and your training and policies can significantly reduce those risks. You’ll benefit by training employees in basic security principles, such as requiring strong passwords, discussing appropriate internet use, establishing rules for handling and protecting customer information, and how to avoid phishing and other social engineering attacks. Internal training can prevent a lot of confusion, and even cyberattacks, which will save you time, money, and stress.

Build a framework that makes your business more secure and resilient

Upfront planning and thoughtfulness around what is critical to you and your firm (rather than generic recommendations) will help you build a cybersecurity strategy and information security framework for what to do in case of emergency, regardless of what that emergency is. And you can keep it up to date by just having a regular check in to see how your answers to these questions might have changed.

Cybersecurity for Law Firms: Our New Blog Series

Why Should a Small/Mid-Sized Law Firm Worry So Much about Cybersecurity?

In a recent article, Managing Editor Zeljka Zorz of Help Net Security wrote:

“Businesses in the Professional Services industry (more specifically: law firms) have been heavily targeted by ransomware attackers.”

And you don’t have to look very hard to find evidence of that. In 2020, a banner year for ransomware, experts estimate that cybercriminals made off with $370 million in profits.

The reality is (as the ever-growing list of victims of such attacks makes clear): Cybercriminals are actively targeting organizations of nearly all sizes. And law firms, with their access to highly sensitive data, are a prime target.

But this blog post isn’t designed to be a scare tactic. Instead, we hope to help you better understand the steps you can take to mitigate your risk. Our goal is to do our small part in advancing broader cybersecurity awareness and education within the legal community, particularly given the exponentially escalating nature of these cyber-threats.

A Layered Approach to Security

Over the next couple of months, you’ll be seeing a series of blog posts – from high-level security strategy highlights to security tools that law firms can use right now – that we hope will shine a light on different areas of security and provide law firms with key considerations and best practices to keep in mind.

We’ll structure the discussion using a layered security model we have adopted for our own security roadmap. This includes:

  • Perimeter Security
  • Network Security
  • Endpoint Security
  • Application Security
  • Data Security
  • Policy Management & Enforcement
  • Monitoring & Response

Within each security layer, we’ll explain that layer’s purpose, and highlight:

  • Common security mistakes organizations can make
  • Minimum security measures every organization should take
  • Best practices around security that organizations should consider

Layered approach to security

Some of our recommendations will be familiar – who hasn’t heard of multi-factor authentication? – but will be no less important for being familiar. (According to at least one survey, 78% of Microsoft 365 administrators do not have multi-factor authentication activated.)

We’ll also talk about security philosophies and mindsets – least-privilege and zero-trust for example – and the steps you can take to help improve security in your organization, regardless of who manages your IT infrastructure.

Shared Responsibility for Security

For too long, managed service providers and technology partners (including us) have taken the stance of shielding our clients from the headaches, intricacies, and complications that a strong security stance involves. While it’s true that we can significantly reduce the burden of security on our clients and their teams, the responsibility is still shared. We owe it to our clients to ensure they not only understand the steps we’re taking as their IT partner, but also the measures that require their active participation and consent.

We hope this series of blog posts will help form the basis for those conversations, and we’re looking forward to more discussions to come.

10 Security Practices Every Law Firm Should Follow

Originally published December 1, 2020, by Steve Sobka, Director of Technology and Infrastructure, and Bill Sorenson, VP of Product, at www.elite.com.

Cybersecurity has long been an area of concern for law firms; New York has even proposed cybersecurity CLE requirements. The changes of 2020 require every firm to reevaluate their current security posture and determine if changes are needed.

Certainly, the focus on cybersecurity pre-dates COVID-19, especially as law firms continue to be actively targeted by cyber threat actors in well-publicized breaches. However, the issue becomes even more urgent today. Leaders need to consider how the drastic changes in working environment brought on by the pandemic have impacted their security controls.

In this article, we’ll outline 10 best practices that every law firm should consider adopting or reviewing and why.

1. Re-evaluate Your Security

As firms this year have grappled with the challenges of supporting remote work and adapting in-office processes, technology, and client interaction to accommodate, security may have taken a back seat to productivity and “keeping the lights on.” It’s time to take a look at how those necessary changes have impacted security.

For example, where before you may have concerned yourself primarily with the security of your physical offices, you need to now also consider home security and how to adjust your policies and technical controls to accommodate.

And all this isn’t just limited to the current remote work situation. For many firms, big and small, 2020 has shown that remote workers can remain highly productive. Regardless of how long remote work is necessary, for some firms, some level of remote work will remain an option post-pandemic.

From reviewing your Bring Your Own Device and remote work policies to a full-scale review of your technical controls, taking a step back and considering how recent changes impact security will help ensure your client data remains secure no matter how it’s being accessed.

2. Least Access Approach

One of the most common techniques cybercriminals use is to target junior staff members as a means into an organization. Once they secure such credentials, they can then either a) access everything that employee has access to, or b) use that account as a “Patient Zero” account to infect others, even up to managing partners.

With a least access approach, firms can control their exposure by being vigilant about what any given person can access. Instead of determining what data and which systems should be blocked from a given user, think critically about what they need to access. Doing so helps ensure that even if a cybercriminal gains credentials or if ransomware is deployed at the firm, that your exposure is limited.

3. Security-first Mindset

A defensive mindset is critical to maintaining a secure environment—not just digitally, but physically as well. In an office setting, that might mean validating the copy repairman or the person who waters the plants. Online, it could include confirming that an email requesting data is actually real.

The crux of the security-first mindset is that it’s not limited to IT. Every person at your firm needs to take a “Question everything” mindset. You can’t afford for it to be “just IT’s problem.”

4. Ongoing (Not Annual) Training

This one seems obvious, but it’s critical that firms consider training as an ongoing activity rather than an annual one. Required annual cybersecurity training typically isn’t sufficient to keep staff vigilant. Instead, consider lighter, more frequent training, and use responsive training tools to help educate your team on phishing attacks. Ultimately, your employees are your last line of defense. Make sure they’re prepared.

5. Email Security Is Not Just About Tools

While email security tools are an important component of catching phishing emails, they are far from infallible. The rising sophistication of phishing attacks means that no email security tool alone can defeat phishing attacks.

In addition to the training highlighted above, law firms should ensure they have policies and procedures in place to mitigate risk. This includes proactive measures, such as a policy that requires financial transactions to be confirmed in person or by voice rather than by email alone (calling a number already on file, never one supplied in the email itself), and reactive ones, such as a clear incident response plan so everyone knows what to do if they’ve been phished.

6. Multi-factor Authentication and Password Managers

It’s time to get serious about these two. Any firms that haven’t yet implemented these (and it could be as many as 50%) need to make this a priority.

Cybercriminals exploit the very human desire to keep things simple and convenient. The result? Gaining access to one account can often be easily translated into access to several of that person’s accounts. With multi-factor authentication, a criminal needs more than a password to reach a target’s data. One nuance here: text-based two-factor authentication is better than nothing, but codes sent by SMS can be intercepted through SIM swapping, so given the choice, firms should require authenticator apps. Even app-generated codes can be captured by a convincing fake login page that relays them in real time; hardware security keys resist that as well and are the stronger choice where they are practical.

Meanwhile, password managers make it easier to maintain different, long, and complex passwords for every account. With a corporate account, firms have the added benefit of quickly shutting down access to all those passwords in the event of a termination.

7. Encryption Everywhere

The simple message here: encrypt everything, everywhere. Ensure your data is encrypted at rest as well as in transit. Most major cloud providers encrypt storage at rest by default, but confirm it for each service you use rather than assuming it.

8. Remote Workspace Adoption

Virtual desktops provide a significant security upgrade. While the experience for the user is nearly identical to keeping everything on the local machine, the desktops are actually hosted in a public cloud environment, where everything, from the data sitting on the desktop to the connection to critical applications such as Firm Central and ProLaw®, runs on cloud-based servers and is both encrypted and backed up. A cloud desktop is a much more secure arrangement than a typical virtual private network, which extends the firm’s network to whatever device is on the other end, and it can also eliminate the performance impact that VPNs introduce.

With a virtual desktop, you can isolate your damage, particularly in an era where employees are accessing their applications and data from home Wi-Fi networks you don’t control. If a computer is stolen or a laptop is damaged, nothing is lost and, provided no files were copied to the local disk and the device’s session is revoked, nothing is exposed. You can just procure a new computer and get access to your cloud desktop as if nothing ever happened.

9. Physical Security

With many offices only lightly staffed, if at all, there are often minimal controls to ensure that only authorized personnel can access the office. If your infrastructure is still on-premises, you may not have insight into who can access your hardware.

The simple solution? Stop owning physical infrastructure. Realistically, a small firm cannot secure a server room better than Amazon® or Microsoft® secure their data centers. By moving your infrastructure to the cloud, you transfer the physical-security risk to the cloud provider and save yourself the expense and headache of keeping that hardware secure. Only the physical layer moves, though: who can log in, how the environment is configured, and how data is backed up remain your responsibility, or your partner’s.

10. Cloud Security

The move to the cloud can be a huge security upgrade for law firms. But how do you make sure the cloud environment itself is secure? The first step is to confirm what you mean by “the cloud.” Public cloud providers such as Amazon and Microsoft spend hundreds of millions of dollars a year, and in some cases more than a billion, on security, far more than you or even a private cloud provider can spend.

You’ll also want to consider how your cloud provider is treating your environment. In many private cloud environments, for example, you can consider the infrastructure to be similar to an apartment building. While your locked door helps to keep your environment secure, you’re still subject to communal impact. If another tenant has a fire, that fire could easily spread to you.

In contrast, a single-tenant environment is like owning your own house, with lots of land around. The actions of your neighbors won’t impact you as heavily, if at all.


Security is a hefty responsibility. Undoubtedly, you’ve already implemented at least some of these 10 best practices. But there are likely at least a few that bear further consideration or upgrading from your current set up.

It can be daunting to consider implementing all of them. But the good news is, that by turning to the cloud, and a trusted cloud services partner to help you, 8 out of 10 of these best practices can be either offloaded or significantly supported by a partner. (If you guessed 2 and 3 as the outliers, you’re right).

Security practices should be reviewed regularly and at any time a major change happens to the business. So as 2020 comes to a close, take the time to review, re-evaluate, and emerge with a stronger security posture and confidence that you’ve done everything you can to keep your client and firm data secure.

10 Best Security Practices for Securing Client Data

Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Bill Sorenson, Vice President of Product and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.

Why address security now?

As technology continues to advance, so do the tactics hackers use to access our data. Cybersecurity should be a top priority now more than ever: firms have felt major pressure to up their cybersecurity game as employees began working remotely this year due to COVID-19, and working from home poses many security risks for firms. As you plan for 2021, it’s a good time to reevaluate your security procedures and policies.

To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.

1. Re-evaluate your security policies and posture

The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around the safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their Wi-Fi router is kept up to date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving security posture.

2. Remote Workspaces / Virtual Desktops

One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lock down.

Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.

3. Physical Security

So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down, with physical security that far exceeds what any individual organization could provide on its own. Microsoft Azure and Amazon have the money, resources, and supplies to provide top-level security that many smaller businesses are unable to provide or keep up with.

4. Cloud Security

While cloud providers offer greater security, there are lots of factors to consider when choosing a cloud partner. First is considering public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment, a server managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall,” whereas public cloud creates an environment dedicated only to your firm.

5. Security-First Mindset

It is so easy to label security as an IT problem. But to ensure security, it needs to be top of mind for everyone in a firm. Humans are often the last line of defense against criminals – whether that be ransomware or someone posing as a copier repairman – so it’s important for all employees to do their part in protecting firm security and data. Employees need to be taught to question everything – to be aware of potential security risks and to think differently about security day to day. Having a security-first mindset across your firm will help keep you ahead of cybersecurity attacks and issues; things change so quickly that you can never be too prepared.

6. Training

Shifting to a security-first mindset is just one of many security practices employees need to embrace. Holding continuous security training for your firm is another key practice for maintaining security. Training cannot just be an annual activity; it is an ongoing activity for everyone in an organization. As mentioned, staff are the last line of defense, so even the person working at your front door needs to be trained! Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, confrontation avoidance – and exploit them to gain access to valuable data.

7. Email Security

Email addresses have become a gateway for hackers to access accounts and far more information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.

8. Multifactor Authentication and Password Managers

While multifactor authentication (MFA) and constant reminders to “not reuse passwords!” are common recommendations, the sad truth is that such measures are still not universally adopted. Multifactor authentication requires a two-step verification that typically requires the user to acknowledge a prompt or input a code on a secondary device before authorization. Those not using multifactor authentication are at greater risk of being hacked. Even the FBI says MFA is the best thing you can do for security.

Meanwhile, busy professionals are highly likely to reuse passwords across multiple accounts, which means that when one has been compromised, their other accounts are at risk. Password managers simplify complicated password recommendations, making it easier for employees to follow security best practices.

We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.

9. Encryption

While data encryption is a given, it’s critical that data be encrypted both at rest and in flight. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people are accessing your data, but also as it’s sitting on your servers. The best and easiest way to protect your data is to encrypt it by storing it in the cloud. Encrypting everything by default is another step towards ensuring the security of client data.

10. Least-Access Approach

One final security practice for your firm to take is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case-by-case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as-needed basis.

The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.
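To make the difference between the two models concrete, here is an added example (not code from the original article) that evaluates access under an open-by-default policy and under a deny-by-default, least-access policy, then measures how many shared folders a ransomware process running as one phished user could reach under each. The folder names, user names and grants are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: a small firm's shared folders and applications.
RESOURCES = [
    "matters/acme-v-globex",
    "matters/jones-estate",
    "finance/billing",
    "hr/personnel",
    "apps/practice-management",
]


@dataclass
class AccessPolicy:
    """Evaluates access under either an open-by-default model (restrict case by
    case) or a least-access model (deny by default, grant as needed)."""
    default_allow: bool
    grants: dict[str, set[str]] = field(default_factory=dict)   # least-access model
    denials: dict[str, set[str]] = field(default_factory=dict)  # open model

    def can_access(self, user: str, resource: str) -> bool:
        if self.default_allow:
            # Open model: reachable unless someone remembered to restrict it.
            return user not in self.denials.get(resource, set())
        # Least-access model: unreachable unless it was explicitly granted.
        return user in self.grants.get(resource, set())

    def grant(self, user: str, resource: str) -> None:
        self.grants.setdefault(resource, set()).add(user)

    def deny(self, user: str, resource: str) -> None:
        self.denials.setdefault(resource, set()).add(user)


def blast_radius(policy: AccessPolicy, user: str, resources: list[str]) -> list[str]:
    """Everything malware running as `user` (e.g. ransomware launched from a
    phishing email) could read and encrypt: each resource the user can access."""
    return sorted(r for r in resources if policy.can_access(user, r))


def build_open_policy() -> AccessPolicy:
    policy = AccessPolicy(default_allow=True)
    policy.deny("paralegal", "finance/billing")  # the one restriction someone thought of
    return policy


def build_least_access_policy() -> AccessPolicy:
    policy = AccessPolicy(default_allow=False)
    for r in ("matters/acme-v-globex", "apps/practice-management"):
        policy.grant("paralegal", r)
    for r in ("finance/billing", "apps/practice-management"):
        policy.grant("bookkeeper", r)
    return policy


if __name__ == "__main__":
    # A new matter folder created later: under the open model it is exposed to
    # everyone immediately; under least access nobody sees it until granted.
    all_resources = RESOURCES + ["matters/new-client"]
    for name, policy in (("open", build_open_policy()),
                         ("least-access", build_least_access_policy())):
        print(name, "- paralegal ransomware reach:",
              blast_radius(policy, "paralegal", all_resources))
```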

Getting started

To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure best security. The good news is that out of these 10 recommendations, 8 of them can be implemented by a strong technology partner without significant disruption or effort on your side.

Stepping Up Your Cyber Security Game – Protecting Your Assets

Originally published June 26, 2020, by Bill Sorenson, VP of Product, at www.elite.com.

Learning from the COVID-19 Impact

We’ve seen a dramatic change over the last four months in relation to the coronavirus pandemic. One of the most significant impacts on firms has been the work-at-home requirements placed across the country. Some firms were able to respond quickly, and others struggled for a significant time to enable their employees to work. Another large impact has been the increased risk exposure associated with cybersecurity. How you handle this impacts your firm’s value, both overall as well as in the marketplace.

Risk Management at the Heart: Protecting Your Assets

It all gets back to risk. In our industry, most of what we do and the decisions we make are related to risk and risk mitigation. When we look at cybersecurity, there’s no difference. Expanding your risk footprint with work-at-home employees dramatically increased your risk. The question is, is it short-term or not?

  • Running Your Technical Environment: First let’s look at your technical environment and, as an example, how you run 3E® or ProLaw® and your other applications. You may run it internally with your own equipment, in a computer center somewhere else, or in the public cloud. Each implementation has different risks and productivity considerations for your employees and the firm. For the firms that have run it and the rest of their applications in the cloud, the move to work-at-home was simple. They were already used to the idea that their employees could work from anywhere. For the other firms, the move to work-at-home created a hectic environment with a struggle to get everyone working at the same time, the performance was horrible, and security became an immediate concern.
  • Cybersecurity as a Base: When we look at cybersecurity and the extension of a firm’s environment to each employee’s home, many things raise red flags. First, simply locking down employees’ technology to restrict confidential information exposure has been key. Additionally, in many situations, the computers people use at home are shared. This dramatically increases the exposure to the firm. By implementing key controls around the devices that employees use, firms have been able to reduce this risk exposure quickly. Make sure you’ve reviewed the risks specific to your firm and have implemented controls to keep your firm’s data secure.
  • Coming to Grips with Reality: Going forward, there will now be an increased focus on disaster recovery, business continuity, and cybersecurity. Focusing on those protections related to your employees and the remote workforce will significantly level-up your overall security. In a time when there is a dramatic focus on hacking each of your employees, there is no time to waste to secure your environment.


Protections Needed Now

  • Work-at-Home: You need to implement technical controls on each user’s device and put in place additional policies and procedures around work-at-home, bring your own device, and possibly, confidential information exposure.
  • Disaster Recovery / Business Continuity: You need to review your disaster recovery and business continuity plans and look at how they were implemented with COVID-19 and adjust.
  • The Human Element: Training, training, training. It is time to step up and help your employees protect you. If you haven’t already rolled out cybersecurity training, it’s time to do that now. And this includes partners. Partners are really the focus of phishing attempts and, many times, are greenfield for hackers. By training employees, you increase the sentries that are protecting the firm.
  • Direction to the Cloud: One thing COVID-19 has shown us is that firms that had already adopted the cloud were well prepared. They made those decisions based on cybersecurity, costs, and productivity gains for the firm. It is time for you to look at that as an adoption rather than a review. By choosing Amazon® AWS, or Microsoft® Azure®, you’re able to leverage the best in the world at costs you can afford. The key piece is finding a partner who’s focused on your industry.


The Transition Back

As the pandemic progresses and different states begin to transition industries back to a more normal work life, it’ll be time for you to look at transitioning your firm back. As you’re making that decision, take into account the lessons you’ve learned during the pandemic. Key takeaways from this article for you and your core partners to review include:

  • Staffing Lessons: How did our staff respond, and how did we help them?
  • Client Lessons: Were we able to provide what our clients needed and expand our services in response to the pandemic? If not, could we have?
  • Technical Lessons: Were we prepared for this emergency? Did we use our disaster recovery plan, or did we take it for granted? Do we need more focus on moving to the cloud now to protect us from this type of situation going forward?
  • Firm Lessons: Was our mindset one of quick response and focus on where we could help, or was it reactive and overwhelming? Would we be better served by spending time walking through realistic examples and responses? Can we be better prepared?

Set up some time with the firm leaders and take the time needed to go through your new normal. As you are reviewing the past months, be open to input, criticism, new methods, and ideas from all levels. Many people have been impacted in several different manners. Understand how you can step forward and help your partners, staff, and your clients now and in the future.

Why Multifactor Authentication is Essential

If there’s one thing that law firms have in massive quantities, it’s information. From email inboxes containing clients’ addresses and signatures to file folders that detail highly sensitive particulars about financials, attorneys possess reams of data that can damage reputations and ruin lives should it happen to fall into the wrong hands.

While numerous methods of protection exist to keep eyes-only information just that – including passwords, firewalls, identity theft resources and physical security – there are equally as many ways of gaining access. Be it hacking, malware, phishing or skimming, bad actors resort to a wide assortment of underhanded tactics to expose and make off with private data.

Multifactor authentication throws a wrench in these malicious methods. Instead of entering just one password or inserting a single keycard, multifactor authentication – otherwise known as 2FA – requires two or more credentials for access to be granted. Generally speaking, the more that are required, the harder it is for information to be stolen. As noted by Carnegie Mellon University, 2FA involves several “somethings”:

  • Something you know (e.g. password, security question, PIN);
  • Something you own (e.g. key fob, ID card, smartphone);
  • Something you are (e.g. fingerprint, face, voice, palm vein)

This last factor is a fairly new technology in terms of availability and usage. It involves biometrics, or the analysis of physical characteristics for authentication. Because no two fingerprints are perfectly identical, they are difficult to replicate or steal.

Given the effectiveness of 2FA, more industries are adopting it. Many handheld devices now require users to input two or more credentials, or at least provide this option.

“Many attorneys and law firms aren’t fully embracing this security methodology.”

However, whether due to resistance to change, in general, or unfamiliarity with technology, attorneys and law firms aren’t fully embracing this security methodology, ABA Journal reported. If you’re among them, here are a few reasons why you may want to reconsider:

Data breaches are more common than ever

At one time, it seemed like every cyberattack was reported by the mainstream media, particularly those that impacted retailers. They’ve largely fallen out of the news cycle, but that doesn’t mean they’ve become any less common. According to the most recent statistics available from the Identity Theft Resource Center, the number of consumer records stolen in 2018 rose 126% from the previous year, totaling 446.5 million overall. That’s up from 197.6 million just 12 months earlier.

The chances of data being stolen are significantly lower when 2FA is in place. As reported by Forbes, household-name software providers say 99% of automated attacks can be successfully blocked by enabling 2FA. Several other telecommunications and technology companies also hail the effectiveness of multifactor authentication.

Firms are a top target

No business or industry is entirely immune from data breaches, and that especially includes the business sector, an umbrella that law firms fall under. Of the 1,632 breaches that took place in 2018, 907 of them affected businesses, ITRC reported from its findings. This equated to 181 million records, with healthcare in a distant second at 5.3 million records and 384 breaches.

Small law firms in the crosshairs

According to the ABA’s most recent figures, there are over 1.3 million practicing lawyers in the U.S. The vast majority of these attorneys work for small firms. Conventional wisdom might suggest the big firms would be targeted the most, but as Attorney At Law Magazine reported, those that have fewer partners tend to receive the lion’s share of the attacks because there are more of them out there to potentially exploit.

2FA helps to guard against attempted data heists by adding an extra layer of security.

If your firm has transitioned to the cloud, you can’t afford a software solution that doesn’t incorporate multifactor authentication. Built on the largest cloud provider in the world – Amazon Web Services – Afinety leverages 2FA, firewall protection and unparalleled monitoring to ensure information stays under lock and key. For more information on the Afinety Cloud Platform and its offerings, contact us today.