By: Rick Boza & Pete Sitero
Published April 2012 Edition of the Orange County Bar Association’s Magazine: “the Briefs”
Based on a report by the U.S. Government last November, there has been a dramatic rise in electronic espionage. That same month, the Federal Bureau of Investigation held a meeting in New York City with what they considered to be one of the weaker links in the online spy game: law firms. It’s an issue that is getting the attention of in-house counsel, especially as they share sensitive and potentially valuable data with outside counsel.
Rich with client information, many law firms are less equipped to fend off cyber-attacks than the corporations they represent. Those important files related to clients’ activities are usually much easier to find in the law firm’s network than the corporate network. Attackers go where the money is – these days law firms should assume that hackers will infiltrate their network, and should identify which digital assets are most at risk, and put the most security around those areas. Today, firms need to take a risk-oriented approach when protecting client information. Knowing what is of value to potential cyber-attackers can dictate security strategies.
Many corporations use security guidelines as criterion when choosing a law firm to represent them. A few questions they may ask your firm are:
Do the managing partner and executive committee champion and drive a culture of security? A ‘culture of security’ means that security must become an integral part of the daily routine of individual employees and the firm as a whole in their use of Information and Communications Technologies, as well as conduct of online activities. As availability of data becomes ubiquitous, the method in which it is made available must be secure. The expansive growth of laptops, iPads, and smartphones makes more and more confidential data available anywhere – it is critical that this information be stored and made available securely to protect the firm and its clients.
Does the firm secure webmail, remote access and servers with RSA tokens or another form of multi-factor authentication? As external access to internal data and systems has evolved, it has become clear that requiring a password – whether simple or complex – is not enough. Passwords are too easily broken, so other alternatives to maintain security are required. Multi-factor authentication solutions require access to ‘something you have, and something you know’ – typically a token generator or cell phone combined with a password or PIN.
Does the firm enforce complex passwords on workstations and servers, limit the use of IT personnel with highly privileged credentials, and closely monitor the logs of such highly privileged accounts? While external access is managed using multi-factor authenitcation, internal access should also include a different set of management of systems and system access.
Does the firm have state-of-the-art intrusion detection, session recording, log aggregation and enterprise level forensic tools? If your firm became a target, could you respond in a timely manner, determine what if any information had been accessed, or even know that an attack had occurred? Managed security solutions might be a good answer to a complex but manageable challenge.
Does the firm broadly grant user access to data on the network or is access granted on a need-to-know basis? As many network environments have evolved, access to systems has not always kept pace. Data access can be limited or broadly granted – do you have a system that allows you to manage such access, and do you proactively analyze that access? With the emergence of mobility and data access from mobile devices, have you taken steps to manage those devices? If a device is lost or stolen, what happens to the data on that device?
And finally, can you recall the last time your firm tested, reviewed or updated your security standards, policies and procedures?
Hacking attempts are no longer regarded as random attempts to break into computer systems for the fun of it. What was once an online attempt at thrill seeking for hackers has become big business – and they recognize that an attack vector that focuses on a corporation’s outside law firm is often an easier target than the firm itself. As a trusted advisor to your clients, would you want to be the firm responsible for leaking their data or compromising their intellectual property? Corporations are coming to recognize this as a potential area of risk and its becoming more critical that your firm have the right answers to their questions.
Some steps to consider are:
1. Evaluate access to both systems and data with an eye to the ‘least privilege’ approach to security.
2. Explore multi-factor authentication solutions that best meet your firm’s needs.
3. Investigate managed security services that could allow you to offload the management process to experts.
4. Evaluate how your firm allows data access and storage on mobile devices
5. Embrace a culture of security across the entire firm.
Managed Services and Managed Security can provide the right answers to your clients’ questions as well as provide cost-effective and highly efficient solutions to these potential problems. The best managed service providers can either provide complete IT outsourcing solutions or supplement your firm’s in-house IT support team. Proactive management of these challenges is the key. After all, no-one wants their security breach to be the next headline in the Orlando Sentinel!
Learm more about Security Solutions by Protechnica.
About the Author: Rick Boza is the President of and Security Consultant for Protechnica, a local Managed Services Provider and Technology Consulting firm. Headquartered in Central Florida, Protechnica provides superior consulting and training services for risk management, mitigation of IT Security network vulnerabilities, and Managed Security and Services solutions to law firms and the Orange County Bar Association.