
10 Best Security Practices for Securing Client Data

Keeping client data secure is always a minimum requirement for law firms. The combination of recent events, maturing technology, and evolving best practices make now a good time to reevaluate your security procedures and whether you’re doing enough to keep your practice and clients safe.

Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Netgain’s Bill Sorenson, Vice President of Product and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.

Why address security now?

As technology continues to advance, so do the tactics hackers use to access our data. Now more than ever, cybersecurity should be a top priority, especially given the impact of COVID-19. Firms have felt major pressure to up their cybersecurity game as employees began working remotely this year. Working from home poses many security risks for firms. As you plan for 2021, it’s a good time to reevaluate your security procedures and policies.

To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.

1. Re-evaluate your security policies and posture

The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their wi-fi is kept up-to-date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving security posture.

2. Remote Workspaces / Virtual Desktops

One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lock down.

Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.

3. Physical Security

So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down and secure with physical security that far outstrips the ability of any organization to meet. Microsoft Azure and Amazon have the money, resources, and supplies to provide top level security that many smaller businesses are unable to provide or keep up with.

4. Cloud Security

While cloud providers provide greater security, there are lots of factors to consider when choosing a cloud partner. First is considering public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment, a server that is managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall” whereas public cloud creates a dedicated environment to only your firm.

5. Security-First Mindset

It is easy to label security as an IT problem, but security only works when it is top of mind for everyone in the firm. Humans are often the last line of defense against criminals – whether the threat is ransomware or someone posing as a copier repairman – so every employee has a part to play in protecting firm security and data. Employees need to be taught to question everything: to be aware of potential security risks and to think differently about security day to day. A security-first mindset across your firm keeps you ahead of attacks and issues; things change so quickly that you can never be too prepared.

6. Training

Shifting to a security-first mindset is just one of many practices employees need to embrace. Continuous security training for your firm is another key practice for maintaining security. Training cannot be an annual event; it is an ongoing activity for everyone in the organization. As mentioned, staff are the last line of defense, so even the person working at your front door needs to be trained. Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, avoidance of confrontation – and exploit them to gain access to valuable data.

7. Email Security

Email addresses have become a gateway for hackers to access accounts and greater information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume that someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.

8. Multifactor Authentication and Password Managers

While multi-factor authentication (MFA) and constant reminders not to reuse passwords are common recommendations, the sad truth is that such measures are still not universally adopted. MFA adds a second verification step, typically requiring the user to acknowledge a prompt or enter a code on a secondary device before access is granted. Those not using MFA are at greater risk of being hacked. Even the FBI says MFA is the best thing you can do for security.

Meanwhile, busy professionals are highly likely to reuse passwords across multiple accounts, which means that when one account is compromised, the others are at risk. Password managers take the pain out of complicated password recommendations, making it easier for employees to follow security best practices.

We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.

9. Encryption

Data encryption is a given, but it is critical that data be encrypted both at rest and in transit. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people access your data, but also as it sits on your servers. The easiest way to get this is to store your data in a cloud environment that encrypts it for you. Encrypting everything by default is another step toward ensuring the security of client data.

10. Least-Access Approach

One final security practice for your firm to adopt is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case-by-case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as-needed basis.

The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.
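As an added illustration of the default-deny idea (example code, not from the webinar or from Netgain), the block below models two policies over the same constructed set of matter folders and users: the "everyone gets everything" default and a least-access policy with explicit grants. It then measures the blast radius of a single compromised account under each, which is the exposure the article says least-access limits. All user names, folder paths and assignments are constructed for the example.

```python
"""Default-deny access control with explicit grants, plus a blast-radius
measurement for one compromised account. Added example; users, folders
and assignments below are constructed, not taken from any real firm."""
from collections import defaultdict


class AccessPolicy:
    """Maps each resource to the set of principals explicitly granted it.
    Anything not granted, including resources the policy has never heard
    of, is denied."""

    def __init__(self):
        self._grants = defaultdict(set)

    def grant(self, principal, resource):
        self._grants[resource].add(principal)

    def allowed(self, principal, resource):
        # Deny by default: only an explicit grant returns True.
        return principal in self._grants.get(resource, set())

    def reachable(self, principal):
        """Every resource this principal can open."""
        return {res for res, who in self._grants.items() if principal in who}


# Constructed sample data: three staff and four matter folders.
USERS = ["alice", "bob", "carol"]
RESOURCES = [
    "matters/1001/", "matters/1002/", "matters/1003/", "finance/billing/",
]
# Least-access assignments: who actually works on what.
ASSIGNMENTS = {
    "alice": ["matters/1001/", "matters/1002/"],
    "bob": ["matters/1002/", "matters/1003/"],
    "carol": ["finance/billing/"],
}


def build_open_policy(users, resources):
    """The 'everyone can see everything' default described in the article."""
    policy = AccessPolicy()
    for user in users:
        for res in resources:
            policy.grant(user, res)
    return policy


def build_least_access_policy(assignments):
    """Grant only what each person needs; everything else stays denied."""
    policy = AccessPolicy()
    for user, resources in assignments.items():
        for res in resources:
            policy.grant(user, res)
    return policy


def blast_radius(policy, principal):
    """Number of resources a compromised account (or ransomware running as
    that account) could read or encrypt."""
    return len(policy.reachable(principal))


if __name__ == "__main__":
    open_policy = build_open_policy(USERS, RESOURCES)
    least = build_least_access_policy(ASSIGNMENTS)
    for user in USERS:
        print(f"{user}: open={blast_radius(open_policy, user)} "
              f"least-access={blast_radius(least, user)}")
```

Running it shows that under the open policy any one compromised account reaches all four folders, while under least-access each account reaches only its own one or two; the same check, `allowed()`, is what an application or file server would consult before every read.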

Getting started

To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure best security. The good news is that out of these 10 recommendations, 8 of them can be implemented by a strong technology partner without significant disruption or effort on your side.

Stepping Up Your Cyber Security Game – Protecting Your Assets

Originally published June 26, 2020, by Bill Sorenson, VP of Product, Netgain at www.elite.com.


Learning from the COVID-19 Impact

We’ve seen a dramatic change over the last four months as a result of the coronavirus pandemic. One of the biggest impacts on most firms has been the work-at-home requirements placed across the country. Some firms were able to respond quickly; others struggled for a significant time to enable their employees to work. One of the largest impacts has been the increased risk exposure associated with cybersecurity. How you handle this affects your firm’s value, both overall and in the marketplace.

Risk Management at the Heart: Protecting Your Assets

It all gets back to risk. In our industry, most of what we do and the decisions we make are related to risk and risk mitigation. When we look at cybersecurity, there’s no difference. Expanding your risk footprint with work-at-home employees dramatically increased your risk. The question is, is it short-term or not?

  • Running Your Technical Environment: First let’s look at your technical environment and, as an example, how you run 3E® or ProLaw® and your other applications. You may run them internally on your own equipment, in a computer center somewhere else, or in the public cloud. Each implementation has different risks and productivity considerations for your employees and the firm. For the firms that already ran these and the rest of their applications in the cloud, the move to work-at-home was simple. They were already used to the idea that their employees could work from anywhere. For the other firms, the move to work-at-home created a hectic environment: a struggle to get everyone working at the same time, horrible performance, and security as an immediate concern.
  • Cybersecurity as a Base: When we look at cybersecurity and the extension of a firm’s environment into each employee’s home, many things raise red flags. First, simply locking down employees’ technology to restrict confidential information exposure has been key. Additionally, in many situations, the computers people use at home are shared. This dramatically increases the exposure to the firm. By implementing key controls around the devices that employees use, firms have been able to reduce this risk exposure quickly. Make sure you’ve reviewed the risks specific to your firm and have implemented controls to keep your firm’s data secure.
  • Coming to Grips with Reality: Going forward, there will now be an increased focus on disaster recovery, business continuity, and cybersecurity. Focusing on those protections related to your employees and the remote workforce will significantly level-up your overall security. In a time when there is a dramatic focus on hacking each of your employees, there is no time to waste to secure your environment.

Protections Needed Now

  • Work-at-Home: You need to implement technical controls on each user’s device and put in place additional policies and procedures around work-at-home, bring your own device, and possibly, confidential information exposure.
  • Disaster Recovery / Business Continuity: You need to review your disaster recovery and business continuity plans and look at how they were implemented with COVID-19 and adjust.
  • The Human Element: Training, training, training. It is time to step up and help your employees protect you. If you haven’t already rolled out cybersecurity training, it’s time to do that now. And this includes partners. Partners are really the focus of phishing attempts and, many times, are greenfield for hackers. By training employees, you increase the sentries that are protecting the firm.
  • Direction to the Cloud: One thing COVID-19 has shown us is that firms that had already adopted the cloud were well prepared. They made those decisions based on cybersecurity, costs, and productivity gains for the firm. It is time for you to look at that as an adoption rather than a review. By choosing Amazon® AWS or Microsoft® Azure®, you’re able to leverage the best in the world at costs you can afford. The key piece is finding a partner who’s focused on your industry.

The Transition Back

As the pandemic progresses and different states begin to transition industries back to a more normal work life, it’ll be time for you to look at transitioning your firm back. As you’re making that decision, take into account the lessons you’ve learned during the pandemic. Key takeaways from this article for you and your core partners to review include:

  • Staffing Lessons: How did our staff respond, and how did we help them?
  • Client Lessons: Were we able to provide what our clients needed and expand our services in response to the pandemic? If not, could we have?
  • Technical Lessons: Were we prepared for this emergency? Did we use our disaster recovery plan, or did we take it for granted? Do we need more focus on moving to the cloud now to protect us from this type of situation going forward?
  • Firm Lessons: Was our mindset one of quick response and focus on where we could help, or was it reactive and overwhelming? Would we be better served by spending time walking through realistic examples and responses? Can we be better prepared?

Set up some time with the firm leaders and take the time needed to go through your new normal. As you are reviewing the past months, be open to input, criticism, new methods, and ideas from all levels. Many people have been impacted in several different manners. Understand how you can step forward and help your partners, staff, and your clients now and in the future.

Why Multifactor Authentication is Essential


If there’s one thing that law firms have in massive quantities, it’s information. From email inboxes containing clients’ addresses and signatures to file folders that detail highly sensitive particulars about financials, attorneys possess reams of data that can damage reputations and ruin lives should it happen to fall into the wrong hands.

While numerous methods of protection exist to keep eyes-only information just that – including passwords, firewalls, identity theft resources and physical security – there are equally as many ways of gaining access. Be it hacking, malware, phishing or skimming, bad actors resort to a wide assortment of underhanded tactics to expose and make off with private data.

Multifactor authentication throws a wrench in these malicious methods. Instead of entering just one password or inserting a single keycard, multifactor authentication – otherwise known as 2FA – requires two or more credentials for access to be granted. Generally speaking, the more that are required, the harder it is for information to be stolen. As noted by Carnegie Mellon University, 2FA involves several “somethings”:

  • Something you know (e.g. password, security question, PIN);
  • Something you own (e.g. key fob, ID card, smartphone);
  • Something you are (e.g. fingerprint, face, voice, palm vein).

This last factor is relatively new in terms of availability and usage. It involves biometrics, the analysis of physical characteristics for authentication. Because no two fingerprints are perfectly identical, they are difficult to replicate or steal.

Given the effectiveness of 2FA, more industries are adopting it. Many handheld devices now require users to input two or more credentials, or at least provide this option.


However, whether due to resistance to change, in general, or unfamiliarity with technology, attorneys and law firms aren’t fully embracing this security methodology, ABA Journal reported. If you’re among them, here are a few reasons why you may want to reconsider:

Data breaches are more common than ever
At one time, it seemed like every cyberattack was reported by the mainstream media, particularly those that impacted retailers. They’ve largely fallen out of the news cycle, but that doesn’t mean they’ve become any less common. According to the most recent statistics available from the Identity Theft Resource Center, the number of consumer records stolen in 2018 rose 126% from the previous year, totaling 446.5 million overall. That’s up from 197.6 million just 12 months earlier.

The chances of data being stolen are significantly lower when 2FA is in place. As reported by Forbes, household-name software providers say 99% of automated attacks can be successfully blocked by enabling 2FA. Several other telecommunications and technology companies also hail the effectiveness of multifactor authentication.

Firms are a top target
No business or industry is entirely immune from data breaches, and that especially includes the business sector, an umbrella that law firms fall under. Of the 1,632 breaches that took place in 2018, 907 of them affected business, ITRC reported from its findings. This equated to 181 million records, with healthcare in a distant second at 5.3 million records and 384 breaches.

Small law firms in the crosshairs
According to the most recent ABA figures, there are over 1.3 million practicing lawyers in the U.S. The vast majority of these attorneys work for small firms. Conventional wisdom might suggest that big firms would be targeted the most, but as Attorney At Law Magazine reported, firms with fewer partners receive the lion’s share of the attacks because there are more of them to potentially exploit.

2FA helps to guard against attempted data heists by adding an extra layer of security.

If your firm has transitioned to the cloud, you can’t afford a software solution that doesn’t incorporate multifactor authentication. Built on the largest cloud provider in the world – Amazon Web Services – Afinety leverages 2FA, firewall protection and unparalleled monitoring to ensure information stays under lock and key. For more information on the Afinety Cloud Platform and its offerings, contact us today.