Keeping client data secure is always a minimum requirement for law firms. The combination of recent events, maturing technology, and evolving best practices make now a good time to reevaluate your security procedures and whether you’re doing enough to keep your practice and clients safe.
Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Netgain’s Bill Sorenson, Vice President of Product and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.
Why address security now?
As technology continues to advance, so do the tactics hackers use to access our data. Now more than ever cybersecurity should be a top priority, especially with the impact of COVID-19. Firms have felt major pressure to up their cybersecurity game as employees began working remotely this year due to COVID-19. Working from home poses many security risks for firms. As you plan for 2021, it’s a good time reevaluate your security procedures and policies.
To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.
1. Re-evaluate your security policies and posture
The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their wi-fi is kept up-to-date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving security posture.
2. Remote Workspaces / Virtual Desktops
One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lockdown.
Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.
3. Physical Security
So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down and secure with physical security that far outstrips the ability of any organization to meet. Microsoft Azure and Amazon have the money, resources, and supplies to provide top level security that many smaller businesses are unable to provide or keep up with.
4. Cloud Security
While cloud providers provide greater security, there are lots of factors to consider when choosing a cloud partner. First is considering public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment, a server that is managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall” whereas public cloud creates a dedicated environment to only your firm.
5. Security-First Mindset
It is so easy to label security as an IT problem. But to ensure security, it needs to be top of mind for everyone in a firm. Humans are often the last defense to stopping criminals – whether that be ransomware or someone posing as a copy repairman – so it’s important for all employees to do their part in protecting firm security and data. Employees need to be taught to question everything – be aware of potential security risks and think differently about security day to day. Having a security-first mindset across your firm will keep you ahead of any cybersecurity attacks or issues, as things change so quickly, you can never be too prepared.
Shifting to a security-first mindset is just one of many security practices employees need to embrace. Having continuous security trainings for your firm is another key practice to maintaining security. Training cannot just be an annual activity; it is an ongoing activity for everyone in an organization. As mentioned, staff is the last line of defense, so even the person working at your front door needs to be trained! Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, confrontation avoidance – and exploit them to gain access to valuable data.
7. Email Security
Email addresses have become a gateway for hackers to access accounts and greater information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume that someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.
8. Multifactor Authentication and Password Managers
While multi-factor authentication (MFA) and constant reminders to “not reuse passwords!” are common recommendations, the sad truth is that such measures are still not universally adopted. Multifactor authentication requires a two-step verification that typically requires the user to acknowledge or input a code on a secondary device before authorization. Those not using multifactor authentication are more at risk to hacking. Even the FBI says multifactor authentication, MFA, is the best thing you can do for security.
Meanwhile, busy professionals are at high likelihood of reusing passwords across multiple accounts, which means that when one has been compromised, their other accounts are at risk. Password managers simplify complicated password recommendations, making it easier for employees to follow security best practices.
We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.
While data encryption is a given, it’s critical that data be encrypted both at rest and in flight. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people are accessing your data, but also as it’s sitting on your servers. The best and easiest way to protect your data is to encrypt it by storing it in the cloud. Encrypting everything by default is another step towards ensuring the security of client data.
10. Least-Access Approach
One final security practice for your firm to take is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case by case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as needed basis.
The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.
To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure best security. The good news is that out of these 10 recommendations, 8 of them can be implemented by a strong technology partner without significant disruption or effort on your side.