Cybersecurity Check for Y2K18
As we start out a new year, it’s time to take stock of where we stand on cyber security. Recently, my firm conducted a survey of small law firms, and we learned that many of you don’t know what specific security measures to take with your clients’ data. That is understandable when you are faced with the task of simply getting through the day. Many firms admitted taking no specific measures to protect client data stored on their computers or mobile devices.
As attorneys, you regularly apply the standard of what the fictitious ‘reasonable person’ would do. At my firm, we spent much of 2017 determining just how that standard translates to cyber security. What security measures are reasonably well known, relatively easy to implement and widely available? When a data breach occurs and negligence is suspected, where do we draw the line as to what protection should have been in place? As in many professions, attorneys using Information Technology in the course of their business are simply out of their element when it comes to weighing the risks of the products they use. Most Information Technology products are a work in progress, constantly changing and updating. As the software developers address one vulnerability, another opens. The entire landscape can change from one day to the next.
When it comes to regulations, we don’t get much relief. Depending on the nature and location of your practice, your firm will be subject to state and/or federal regulations. In most cases, the regulations are out of date or too generic to translate easily into specific actions you should be taking. Depending on who your clients are, they may impose additional or more specific restrictions on your usage and care of their data in your files. On top of all that, you have professional standards and ethics to consider. Just how is a small firm supposed to merge all of this into a proper protocol for its office? If there is a breach in your firm, there will be lots of questions asked about what you did to protect data, and your actions will be compared to what a reasonable person (or reasonable professional) would have done.
Information Technology is commonly perceived as complex and somewhat overwhelming. The complexity leads to fear. Fear, in turn, can lead to all kinds of dysfunctional behaviors, and avoidance comes to mind first. In all seriousness, however, we do see firms navigate Information Technology and Cyber Security risks successfully. Their secret is to keep it simple. To keep it simple, you just need to break down where your risks may lie. My philosophy as a cyber security professional has always been to focus on the basics. Time and again, we perform risk assessments and identify simple security measures not taken. The basics also represent the biggest opportunities to reduce risk with the least cost and effort. These are the low-hanging fruit. Once you’ve nailed the basics, the cost and complexity of every further measure rise steeply while the risk each one removes gets smaller.
What’s the secret? The secret is to nail the basics. As a small firm, nailing the basics will most likely buy you compliance with state and federal regulations, satisfy the contracts you have with your clients, and meet or exceed professional ethical standards. The basics are also on par with what a reasonable person would do to protect data entrusted to them. The basics break down into categories of People, Process and Technology measures. The key to getting them right is to address the Process part first, then implement technology and training to make that process real.
Keep in mind that your success lies in staying true to the concept of keeping it simple. Take the Process part. We see a lot of clients break their workflow down into 1 or 2 pages of what to do and, similarly, what not to do. That sounds simple and mostly is. From a process perspective, a basic tenet is to keep your data inside your control at all times. Absent a directive from the partners, employees will use whatever they must in order to get the job done. In the assessments I do, I routinely see client data scattered between office servers, local computers, laptops, employee personal mobile devices and the ubiquitous Dropbox or OneDrive accounts. Cloud technology has simply amplified the chaos in these cases by giving employees more places to stash data. Here’s a simple policy you can put in place to contain, control and protect client data in this situation. ‘All files must be stored in your company Dropbox folders. A company Dropbox account has been provisioned for your use when working with internal company documents or client case files. You will receive training on file and folder structure usage and naming conventions.’ With these few lines, you’ve cleaned up a mess of scattered data and reduced your exposure to losing or accidentally disclosing client data. You’ve also gone a long way towards solving the backup and disaster recovery question, because placing files in the company Dropbox both contains your data and keeps a copy off the device. One caveat a practitioner would add: sync is not the same as backup. A file deleted, overwritten or encrypted by ransomware on one machine is deleted, overwritten or encrypted everywhere within seconds. What turns sync into a backup is the service’s version history and deleted-file recovery, so check the retention period on your plan and practice a restore before you ever need one.
There are, of course, more risks you may face in implementing this policy. Let’s refine this a bit. We still have the risk that the Dropbox files may be accessed from an unauthorized device or an unauthorized location. To expand on the policy, you can and should keep a lid on where the Dropbox files are accessed. Here’s another example. ‘All employees must secure their respective Dropbox account by using a strong password and enabling 2-factor authentication in their security settings. Employees may not access their company Dropbox from home or personal computers or mobile devices. All access is logged.’ Now we are really cooking. With a handful of lines in our policy, we’ve already contained our data, backed it up and made it easy for employees to find the files they need to do their job quickly and efficiently. Note that ‘all access is logged’ is only true if you are on a team plan whose admin console records sign-ins and linked devices, so verify that in the console (and learn how to unlink a lost device from there) before you write the sentence down.
A reasonable person may ask at this point, what happens to all of the Dropbox files cached on computers, and are they safe? That’s a good question. We should answer it by locking them up. ‘Computers and mobile devices used to access the company Dropbox must be encrypted. Windows computers must have the BitLocker feature enabled. Mac computers similarly must have the FileVault feature enabled. You will receive training on how to enable these features. Recovery keys are to be escrowed with the firm’s administrator in a restricted, admin-only location, never in the shared folders they protect.’ That last line matters: a BitLocker or FileVault recovery key dropped into the shared company Dropbox lets anyone with Dropbox access unlock any firm laptop, and it syncs right back onto the very disk it is meant to protect. Two practical notes: BitLocker is only available on Pro, Enterprise and Education editions of Windows, so check the edition before you buy; and full-disk encryption only protects a machine that is powered off or at the login screen, so pair it with a short screen-lock timeout. With just a few straightforward policy lines, you’ve ensured that client data is encrypted at rest on every device and, through the service’s TLS-protected sync, in transit between those devices and the cloud. There’s more to come on data in transit.
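The ‘must be encrypted’ line is easy to write and easy to assume is true. As an added example (not from the original article), here is a small Python checker that grades the text printed by the two native tools, `manage-bde -status C:` on Windows (from an elevated prompt) and `fdesetup status` on macOS, and flags the two states people usually miss: a BitLocker volume that is 100% encrypted but suspended (‘Protection Off’), and a FileVault turn-on that is still deferred or still encrypting. The sample outputs embedded below are constructed to imitate the real tools, not captured from a machine, and the exact field names are an assumption from memory of those tools.

```python
"""Grade disk-encryption status on a laptop against the firm's policy line.

Added example for this article, not the author's or any vendor's code.
Parses the output of:
  Windows:  manage-bde -status C:   (run from an elevated prompt)
  macOS:    fdesetup status
The SAMPLE_* strings are constructed for offline use and imitate the real
output; the field names they contain are assumed, not captured.
"""
import platform
import re
import subprocess
from dataclasses import dataclass


@dataclass
class EncryptionVerdict:
    compliant: bool
    reason: str


def check_bitlocker(status_text: str) -> EncryptionVerdict:
    """Verdict from `manage-bde -status` output for the OS volume.

    Two fields matter: 'Percentage Encrypted' (is the data actually on
    disk in ciphertext?) and 'Protection Status' (are the key protectors
    active?). A suspended volume reports 100% encrypted with 'Protection
    Off', meaning the volume key sits unprotected on disk, so both must pass.
    """
    pct = re.search(r"Percentage Encrypted:\s*([\d.]+)%", status_text)
    prot = re.search(r"Protection Status:\s*Protection (On|Off)", status_text)
    if not pct or not prot:
        return EncryptionVerdict(False, "could not parse manage-bde output")
    if float(pct.group(1)) < 100.0:
        return EncryptionVerdict(False, f"volume only {pct.group(1)}% encrypted")
    if prot.group(1) != "On":
        return EncryptionVerdict(False, "BitLocker is suspended (Protection Off)")
    return EncryptionVerdict(True, "BitLocker on, volume fully encrypted")


def check_filevault(status_text: str) -> EncryptionVerdict:
    """Verdict from `fdesetup status` output.

    'FileVault is Off.' followed by a 'Deferred enablement' line means the
    turn-on is queued for a future login; 'FileVault is On.' followed by
    'Encryption in progress' means data is still being converted. Neither
    protects data at rest yet.
    """
    if "Deferred enablement" in status_text:
        return EncryptionVerdict(False, "FileVault enablement deferred, not yet active")
    if "FileVault is Off." in status_text:
        return EncryptionVerdict(False, "FileVault is off")
    if "FileVault is On." not in status_text:
        return EncryptionVerdict(False, "could not parse fdesetup output")
    if "Encryption in progress" in status_text:
        return EncryptionVerdict(False, "FileVault on but encryption still in progress")
    return EncryptionVerdict(True, "FileVault on, encryption complete")


def check_this_machine() -> EncryptionVerdict:
    """Run the platform's native tool and grade its output (needs admin on Windows)."""
    system = platform.system()
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status", "C:"],
                             capture_output=True, text=True).stdout
        return check_bitlocker(out)
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"],
                             capture_output=True, text=True).stdout
        return check_filevault(out)
    return EncryptionVerdict(False, f"no check implemented for {system}")


# Constructed sample output (not captured from a real machine).
SAMPLE_BITLOCKER_OK = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
SAMPLE_BITLOCKER_SUSPENDED = SAMPLE_BITLOCKER_OK.replace("Protection On", "Protection Off")
SAMPLE_BITLOCKER_PARTIAL = SAMPLE_BITLOCKER_OK.replace("100.0%", "42.5%")
SAMPLE_FILEVAULT_OK = "FileVault is On.\n"
SAMPLE_FILEVAULT_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 23.\n"
SAMPLE_FILEVAULT_DEFERRED = "FileVault is Off.\nDeferred enablement appears to be active for user 'jane'.\n"

if __name__ == "__main__":
    samples = [
        ("bitlocker ok", check_bitlocker(SAMPLE_BITLOCKER_OK)),
        ("bitlocker suspended", check_bitlocker(SAMPLE_BITLOCKER_SUSPENDED)),
        ("bitlocker partial", check_bitlocker(SAMPLE_BITLOCKER_PARTIAL)),
        ("filevault ok", check_filevault(SAMPLE_FILEVAULT_OK)),
        ("filevault converting", check_filevault(SAMPLE_FILEVAULT_CONVERTING)),
        ("filevault deferred", check_filevault(SAMPLE_FILEVAULT_DEFERRED)),
    ]
    for name, verdict in samples:
        print(f"{name:22s} {'PASS' if verdict.compliant else 'FAIL'}  {verdict.reason}")
```

Run it on each laptop during the training session, or have the administrator run `check_this_machine()` when a device is enrolled; a ‘FAIL’ on the suspended or deferred cases is exactly the gap an ‘encryption enabled’ checkbox on a form would hide.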
Documents are the core, tangible work products of your firm. Similarly, email is the glue that binds your firm to its clients and others. The thing about email, however, is that it can be extremely insecure if not used with intention and process. A standard email, traveling between you and its recipient, is like a postcard riding in trucks and passing through postal facilities. Modern mail servers usually encrypt each hop with TLS, but that protection is opportunistic and stops at every server along the way, where the message sits in plain text and may be copied, archived or disclosed. Let’s consider a policy example that can address this. ‘You will receive a firm-specific email account for use in conducting the firm’s business. You must use this account for all firm business conducted over email. Under no circumstances may you use a personal email account for conducting company business. Mail containing sensitive content must be encrypted when sent. You will receive training on how to use the company email system and how to send and receive encrypted messages.’ When you write the training, name the mechanism behind ‘encrypted when sent’ (S/MIME, your mail provider’s secure-message feature, or an encrypted attachment whose password travels by phone rather than in the same message), because ‘encrypt it’ without a named tool leaves each employee to guess. With those few lines, you’ve now contained email communications to your firm’s designated mail system and arranged for encryption of data in transit.
Can you guess where we are going next? A reasonable person might be concerned about email being stored in unsafe locations or, heaven forbid, on personal mobile devices. Let’s deal with that. ‘Employees may access their company email from computers at the office only. Under no circumstances may employees connect or cache company email on their personal mobile devices. Company mobile devices used for access to email must have a passcode lock and encryption enabled. You must enable the 2-factor authentication setting on your company email account. You will receive training on how to access email securely and enable a passcode on your device.’ Where the provider offers a choice, prefer an authenticator app over text-message codes for that second factor. That one statement does a lot to reduce cyber security risk in your firm.
Documents and email make up a large share of the work done in your firm. Stepping back and looking at Cyber Security as a risk management problem makes it easier to grasp. Now you understand how to deal with some of those risks by looking at how you handle documents and email. Depending on the nature of your firm, these areas are going to represent a good portion of your overall cyber security risk. Is it 30%? Keep in mind that it is impossible to eliminate cyber security risk entirely. We are simply going for the standard of what a reasonable person could and should do. For the sake of discussion, let’s say that documents and email do actually represent 30% of the exposure in your firm. With some simple measures and policy statements, we’ve done a good job of managing that risk. Any reasonable person is going to look at this and say, ‘good job’.
I talked about your overall risk in terms of people, process and technology. We’ve spent some time on the process part by coming up with the policy statement examples. Now, for the sake of discussion, let’s assume that people are 30% of your exposure. Consider the things people may do on their computers and mobile devices in the course of their work. Also consider what damage they may do, absent training, to your carefully crafted policy. Hold that thought and we will come back to it in a minute.
I also mentioned that technology plays a role. I’m going to estimate that technology represents 20% of your risk. You must be asking, ‘Did I just hear a technology vendor say that technology represents only 20% of my cyber security risk?’ Yes, you did. The message you may be used to getting from technology vendors is that their specific product solves all of your cyber security problems: get our anti-malware software on your computers and forget about it. I submit that technology, per se, is not your greatest source of risk. The risk lies in how you use it. Using it in the context of the policy you’ve put forth makes it much less risky.
You will need some technology to reduce your risks, but it’s a small part of your strategy. Once you have your policy, you can match it up with some technology solutions to allow your grand strategy to take shape. There are lots of competent vendors, and now you know specifically what you want, so you will be in the driver’s seat when buying these products. It’s important that your vendor understand your data security and privacy objectives when putting together the products you will use in your firm.
Now back to the people part. This is the MOST important part of your strategy. Your people must be clearly informed on the risks facing your firm and the strategies you have in place to reduce risks. Your success in reducing your exposure comes down to what your people do with your client data day in and day out. Your people need to follow the policy and process to keep your data safe. They also need to know how to recognize when something goes awry, or when someone or something tries to coerce them into spilling data. Small firms have great results using a recorded web meeting attended by partners and employees of the firm. During the meeting, key points of the policy (process) and technology measures are discussed with everyone. Employees have the opportunity to ask questions which are recorded and archived for viewing by new employees when they come on board. The training sets the bar of how a reasonable person in your firm handles client data.
You might be thinking, at this point, that our risk spectrum only adds up to 80%. What about the other 20% of my exposure? Did I oversimplify the process? Yes, this list is not all-inclusive, and although you will reduce your risks by following these instructions, there are lots of other risks facing your firm. You will face diminishing returns as you dive deeper into the topic. That’s why I recommend starting with the basics. You will get the most reduction in your risks for the least amount of cost and effort by making sure you have the basics handled.
At the point you feel you’ve nailed the basics, or you just want to supplement what you’ve done so far, you may want to consider buying some insurance to address the residual risk. Expect the application to ask about exactly the basics above, so having them in place first makes both the premium and the coverage honest.