‘We know we need to do more but we just have no idea where to start’
At the 2016 ABA TECHSHOW in Chicago, the theme on security was heard loud and clear. Everyone agrees that we’re all in the security game now. No longer is this a topic relegated to only the largest firms or the firms handling big litigation. No matter your size or specialty, you are a target for the legions of nefarious worldwide hackers looking to make a quick buck.
But knowing this hasn’t made it any easier to decide what, exactly, to do about it.
Hopefully this can help. In part 1 and part 2 of our series on building a better law firm cybersecurity plan, we established a few fundamental principles for any sound security plan: understand what information you’re securing, where it resides, how it can be secured using the systems you (likely) already own, and how to engage your team to help secure it all.
The best part about these initial recommendations is that they require little or no capital investment. Time, effort and documentation, yes, but little money. The next set of tasks may require additional investments; however, they are still well within the reach of most law firms.
Step 3: Reduce your Attack Surface
Part 3 of our series focuses on one specific task – reducing your attack surface. ‘Attack surface’ is simply a broad term for ‘how many ways could you be breached’ or ‘how exposed are you’. If you’ve followed the advice from our initial posts, you’ll note that we have already begun the task of reducing your threat surface. How? By identifying your data and where it resides, we hope to encourage consolidation of the data thereby allowing your firm to better focus security on a smaller ‘area’ of your network.
Further reduction of your firm’s attack surface can be accomplished through the following tools and procedures.
Email Encryption
The very nature of email – easy user access, transfers across the public internet in the clear, common data formats – makes it a very insecure way to communicate. As a law firm you have two risk-related considerations for email. The first is the content of your email (to or from a client), which requires confidentiality. The second is that email often represents the primary means of infiltrating your network, through fraudulent, malware-laden messages. In either case, keeping it secure is critical. Email encryption looks to secure your client communications by encrypting them in transit through the use of public and private keys. In other words, the email is jumbled in transit and unjumbled only for the intended recipient. While sometimes a little more cumbersome for employees, clients are nearly always willing to endorse security measures taken to protect their data.
Products to consider: Microsoft Exchange & Outlook Encryption, Products from Symantec, Trend Micro, or Services from SendInc or Cirius
Secure File Sharing
The practice of sending clients confidential documents through email represents a wide-open ‘back door’ to both your and your client’s information. Attaching a sensitive document to an unencrypted email, especially in a native MS Word or WordPerfect format, presents risks that are simply not worth taking. Sending or receiving confidential files can instead be done through a service or a secure portal. It is a safer way to send information: it allows you to verify that the document was received, when it was received, and that it was encrypted in transit.
Products to consider: Citrix Sharefile, Dropbox for Business, Hightail, Custom Portals that integrate with your firm’s document management or practice management system
Complex, Function Specific Password Management
The promise technology brings to the workplace is ease of use and convenience to improve efficiency. But all too often, making things “easier” comes at the cost of making things less secure. Nowhere is this more evident than in password management. According to the Verizon Data Breach Digest, 80% of cyber-attacks in the last year involved exploitation of stolen, weak, default, or easily guessable passwords. Passwords are the single most effective means to breach a network (right behind user error). It is imperative that ALL companies employ complex passwords on ALL network access systems, require them to be rotated at least every 90 days, and ensure that those passwords are NOT the same passwords used for specific application access.
Business ONLY email
Business email should be used for business communications only. Firms should require employees to NEVER use the company email address for outside logins or usernames, particularly on social media. Screen-scraping malware can easily take this information and attempt remote logins for any email domain it finds.
Dual Factor Authentication
Mobile access to files and information has gone from being a luxury to a job requirement for most employees in any industry. The legal industry is no exception. The challenge is that the very essence of remote access creates a vector of attack for ‘bad guys’ to gain access to your network and data. However, the use of multi- or dual-factor authentication greatly reduces this attack surface.
Dual-factor authentication relies on using at least two of the following three things to identify you to the network: 1) something you know (e.g. a password), 2) something you have (e.g. a cell phone), or 3) something you are (e.g. a fingerprint). Authentication can be accomplished in many ways; however, the simplest approach is to require a separate code, in addition to user name and password, to be entered when accessing networks or data from outside the firm. This is usually a randomly generated code with a limited period of validity that is sent to the user, often as a text message, as they attempt to log in. Since the contact information was entered previously, it is assumed that the person receiving the code is indeed the person you expect them to be and can be given appropriate information access.
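As an added illustration of the code-by-text flow described above (this is example code, not code from the original post or any product named here), the following Python sketch issues a random, time-limited, single-use code to a previously registered number and checks it; the five-minute validity window, three-attempt limit and the in-memory ‘gateway’ are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window: five minutes
MAX_ATTEMPTS = 3         # assumed limit on wrong guesses before the code is discarded


class SecondFactor:
    """Issues and checks the one-time codes described above (illustrative sketch)."""

    def __init__(self, registered_phones, now=time.time):
        self._phones = registered_phones     # contact details registered in advance
        self._pending = {}                   # user -> [code, expires_at, attempts]
        self._now = now                      # injectable clock, for testing
        self.sent = []                       # stands in for the text-message gateway

    def issue(self, user):
        """Create a fresh code for a known user and 'send' it to the registered number."""
        phone = self._phones.get(user)
        if phone is None:
            return None                      # unknown user: nothing to send
        code = f"{secrets.randbelow(10**6):06d}"      # unpredictable six-digit code
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, 0]
        self.sent.append((phone, code))      # delivered out of band, e.g. by SMS
        return code

    def verify(self, user, submitted):
        """Accept the code only once, only before expiry, and only within the attempt limit."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        code, expires_at, attempts = pending
        if self._now() > expires_at:
            del self._pending[user]          # expired codes are never accepted
            return False
        pending[2] = attempts + 1
        ok = hmac.compare_digest(code, submitted)   # constant-time comparison
        if ok or pending[2] >= MAX_ATTEMPTS:
            del self._pending[user]          # single use; also discarded after too many tries
        return ok
```

A real deployment would persist the pending codes server-side and deliver them through an SMS or authenticator-app provider, but the checks (expiry, single use, attempt limit, constant-time comparison) are the part that matters.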
Next Generation Firewalls with Active Content Filtering
Almost every business today employs a firewall with varying degrees of capability for securely managing traffic both in and out of the company network. When selecting the right firewall appliance for your business, factors such as features, performance, manageability, price and support are all key considerations. Along with those, however, is also the option of buying a Next Generation Firewall (NGFW).
Next Generation Firewalls are a relatively new line of products that support a range of security-related features such as Unified Threat Management (UTM), application awareness, VPN, signature- and behavior-based intrusion protection systems, and even tools that can consult outside information such as blacklists and whitelists. With all this capability, the one feature least utilized by small and medium-sized businesses is content filtering.
Content filtering represents one of the most straightforward means to limit traffic in and out of your company. Even some of the most well-known websites can carry malware and viruses into your network if employees are given free rein to visit any website they choose. Many firms feel that limiting common websites is overly restrictive for their employees. When these same restrictions are cast in the light of security, however, the discussion shifts away from employee ‘perks’ and toward company security.
Work with your employees to determine which websites are ‘needed’ during the day, and work with your IT professional to start blocking all the rest. It will likely save you a lot of time and money at some point in the near future.
Recommended products to consider: Barracuda, Meraki, Cisco
Separate IoT and guest wireless access
The Internet of Things continues to explode. If your firm is like most, you have dozens of devices on your wireless network that have nothing to do with business functions. Televisions, fitness watches, your HVAC, cameras and music systems such as Sonos are all tapped into your wireless network and essentially represent unmonitored and unfettered access to your company network.
Luckily the answer is very simple. Virtually every wireless access point can broadcast two (or more) separate wireless networks. We encourage firms to establish one for internal work, one for their non-business devices (IoT) and one for guest access. The last two should be completely separate and provide zero connections to the internal network. One key consideration is whether to ‘expose’ those networks or require users to enter the network name manually when connecting to them. The manual option is more secure; however, this is a decision that each firm can make individually.
Mobile Device Management
Once only a product for large firms, Mobile Device Management (MDM) is making its way into small and mid-sized firms for obvious reasons. These devices maintain steady and unfettered access to the company network, emails and client information, and accordingly represent one of the biggest cyber-attack risks within the company.
As we’ve said before, security often intersects directly with convenience, and none of our recommendations illustrate this more than the use of MDM solutions. The biggest issue with MDM is that it is often an all-or-nothing type of implementation. In other words, using an MDM means using the secure email, contact lists and other features that are installed on the phone as part of the MDM solution, and not using the equivalent features that come with the phone.
What this does, however, is secure the company information from outside access. It also allows the company to safely (and remotely) ‘wipe’ all secure information from the phone should it be lost or if the employee leaves the company. Use of an MDM is admittedly a more advanced solution for many firms; however, for those that are serious about security, it is a product well worth considering.
Recommended products to consider: AirWatch, Citrix Mobile, XenMobile
Higher-end, more involved solutions are also available, and we encourage businesses to explore these solutions whenever possible. The challenge many small and mid-sized organizations face, however, is that the total cost of ownership for these tools, including the hiring and training of internal resources to manage them, is often outright prohibitive. The one hot concept being thrown around in many security circles is a SIEM solution.
SIEM refers to Security Information and Event Management. These systems are designed to collect security log data from a wide variety of sources within an organization, including security controls, operating systems and applications. Once the SIEM has the log data, it processes the data to standardize its format, performs analysis on the “normalized” data, generates alerts when it detects anomalous activity, and produces reports upon request of the SIEM’s administrators. Some SIEM products can also act to block malicious activity, for example by running scripts that trigger reconfiguration of firewalls and other security controls.
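To make the collect / normalize / analyze / alert / respond pipeline concrete, here is an added Python example (not code from the original post or from any SIEM product) that reads two constructed log formats, maps them onto one schema, flags an IP address with repeated mail login failures inside a time window, and returns the addresses a SIEM could hand to a firewall block rule; the log formats, hostnames, thresholds and sample lines are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two constructed line formats standing in for different log sources (not real vendor formats).
FW_RE = re.compile(r"^(?P<ts>\S+) fw1 DENY src=(?P<ip>\S+) dst=\S+ dport=\d+$")
MAIL_RE = re.compile(r"^(?P<ts>\S+) mail1 auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def normalize(line):
    """Map a raw line from either source onto one schema; unparsed lines stay visible, not dropped."""
    if m := FW_RE.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "event": "deny", "ip": m["ip"], "user": None}
    if m := MAIL_RE.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "mail", "ip": m["ip"],
                "event": "auth_fail" if m["result"] == "FAIL" else "auth_ok", "user": m["user"]}
    return {"ts": None, "source": "unknown", "event": "unparsed", "ip": None, "user": None, "raw": line}

def detect_bruteforce(events, threshold=5, window_s=300):
    """Alert when one IP produces >= threshold auth failures within window_s seconds."""
    fails = defaultdict(list)
    for e in sorted((e for e in events if e["event"] == "auth_fail"), key=lambda e: e["ts"]):
        fails[e["ip"]].append(e)
    alerts = []
    for ip, evs in fails.items():
        for i in range(len(evs) - threshold + 1):          # sliding window over sorted failures
            if (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds() <= window_s:
                alerts.append({"rule": "mail_auth_bruteforce", "ip": ip, "count": len(evs),
                               "users": sorted({e["user"] for e in evs})})
                break
    return alerts

SAMPLE_LOGS = [  # constructed sample lines, not captured data
    "2016-04-01T09:00:00 fw1 DENY src=198.51.100.9 dst=192.0.2.10 dport=3389",
    "2016-04-01T09:00:05 mail1 auth FAIL user=alice ip=203.0.113.7",
    "2016-04-01T09:00:09 mail1 auth FAIL user=alice ip=203.0.113.7",
    "2016-04-01T09:00:14 mail1 auth FAIL user=bob ip=203.0.113.7",
    "2016-04-01T09:00:20 mail1 auth FAIL user=bob ip=203.0.113.7",
    "2016-04-01T09:00:27 mail1 auth FAIL user=carol ip=203.0.113.7",
    "2016-04-01T09:01:00 mail1 auth OK user=alice ip=192.0.2.50",
    "2016-04-01T09:05:00 mail1 auth FAIL user=dave ip=198.51.100.9",
    "unexpected line from a new device",
]

def run(lines=SAMPLE_LOGS):
    """Normalize, analyze, alert; also return the IPs a SIEM could push to a firewall block rule."""
    events = [normalize(l) for l in lines]
    alerts = detect_bruteforce(events)
    return alerts, sorted({a["ip"] for a in alerts}), sum(e["event"] == "unparsed" for e in events)
```

The count of unparsed lines is returned deliberately: a new device or a changed log format should show up in the SIEM’s own health reporting rather than vanish from the analysis.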
Each of the suggestions listed above is a key component of securing your network perimeter and reducing your overall attack surface. Please note, however, that they are not a comprehensive answer to your company’s security needs. As you undertake your own cybersecurity efforts, recognize that your plan starts with your data, leverages internal controls, hardens your defenses, reduces your attack surface, and lastly, builds a culture of knowledge, awareness, and policies the whole company can follow. More on this last step in part 4!