In Part 1 of our series of building a law firm cybersecurity plan, we discussed the critical first steps of cybersecurity – identification of sensitive data and verification of where it resides within your network. And yes, you have valuable data. Please ignore anyone who claims that your firm doesn’t ‘have anything that anyone would want to steal’. The information you maintain for your own employees alone is extraordinarily valuable to the right people. Add in your case and client data and you’re now smack in the cross hairs of cyber criminals across the globe.
However, simply knowing what sensitive information lives within your four walls is only the start. The next step is securing that data through several means, many of which are not overly technical.
Layered security, or what is also known as ‘Defense in Depth,’ refers to the practice of combining multiple security controls to slow and eventually thwart a security attack. It’s the approach we recommend for law firms of nearly any size.
Step 2: Secure the inside of your firm
In our recommended approach, your firm’s layered defense should start on the inside of your firm and extend out to the perimeter (firewall). Why? Because focusing only on the external perimeter amounts to trying to protect all of your information at once, with the same effort for every piece of it. At first glance you might say ‘absolutely!’, but if you consider that your client list might be more valuable than your marketing data, or your HR data more valuable than your vendor list, you will see that a slightly more targeted approach could prove more effective. Below are a few ideas on how to secure your internal network.
Be smart about basic application access.
Assuming you are maintaining secure data in your primary operational applications (case management, accounting, time and billing, litigation support, document management, etc.), your firm should look to build a security policy for each application. Key questions to ask in creating this plan include:
- Who has access to each application?
- How are they accessing each application (e.g. in-house PC, mobile device, home network)?
- How is that access removed if the person leaves their position (internally or externally)?
- If many people have access to an application, can you set up restrictions so that each user sees only the information they need?
- Are the passwords to access the application complex?
- Are users prohibited from using the same login credentials across the network or to access other applications used by the firm?
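As an added illustration (not part of the original post), the script below turns the questions above into a repeatable access review: a per-application policy records who may hold which role and from which access path, and every account is checked against that policy and against the HR roster so that leavers, over-broad roles and unexpected access paths are flagged. The roster, policy table, account list and field names are all constructed assumptions.

```python
# Added example, not from the original post: an offline access review that
# applies the per-application policy questions to a constructed account list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    app: str
    role: str
    access_path: str  # "office_pc", "mobile" or "home" (constructed values)


# Constructed sample data: HR roster, per-application policy, and accounts.
HR_STATUS = {"alice": "active", "bob": "left", "carol": "active"}
APP_POLICY = {
    "accounting": {"roles": {"finance"}, "paths": {"office_pc"}},
    "case_mgmt": {"roles": {"attorney", "paralegal"}, "paths": {"office_pc", "mobile"}},
}
ACCOUNTS = [
    Account("alice", "accounting", "finance", "office_pc"),   # compliant
    Account("alice", "case_mgmt", "attorney", "home"),        # path not allowed
    Account("bob", "case_mgmt", "paralegal", "office_pc"),    # bob has left the firm
    Account("carol", "accounting", "attorney", "office_pc"),  # role outside policy
]


def review_access(accounts, hr_status, app_policy):
    """Return (finding, user, app) tuples, one per policy question that fails."""
    findings = []
    for a in accounts:
        policy = app_policy.get(a.app)
        if policy is None:
            # An application nobody wrote a policy for is itself a finding.
            findings.append(("app_without_policy", a.user, a.app))
            continue
        if hr_status.get(a.user) != "active":
            findings.append(("access_not_removed", a.user, a.app))
        if a.role not in policy["roles"]:
            findings.append(("role_outside_policy", a.user, a.app))
        if a.access_path not in policy["paths"]:
            findings.append(("access_path_not_allowed", a.user, a.app))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_STATUS, APP_POLICY):
        print(*finding)
```

Running the review on a real export of application accounts and the HR roster gives a list to act on at each review cycle rather than a one-time answer to the questions.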
Button up internal network vulnerabilities.
Keeping your environment updated is a critical step in the world of cybersecurity. Most firms, however, only look to test their exterior for vulnerabilities. A regular internal vulnerability scan will often identify key threat access points such as:
- Unpatched hardware, software and operating systems
- User created vulnerabilities that are the result of malware or spyware
- Desktop Internet ‘back doors’ that could circumvent your security systems by ‘acting’ like legitimate web traffic while extracting critical information
Form a security militia.
People often point to user education as the key to avoiding cyber-attacks, and to a certain degree they are correct. Having a team that knows what to look for and what not to do in their daily tasks will save the firm substantially in the long run. And even though employees represent your biggest security risk, they can also be your greatest defense. Techniques for building a cyber militia include:
- Designate a person or team of people to head your cybersecurity efforts
- Have written security policies that everyone can follow (be sure to include who should be notified if they suspect something might be wrong)
- Test your users and policies on a regular basis through social engineering based penetration tests
By starting with these three steps, you’ll have a strong internal foundation onto which you can now build your external defenses. By building your cyber defenses from the inside out, you will have a clear understanding of which data is your most critical and how to use your people and your policies to effectively police it.
Stay tuned for Part 3: Building a proper outer defense.