THE FIRM: 3 top security issues your firm needs to address

By Elizabeth Millard
The Daily Record Newswire

Numerous technology tools can help to lock down systems, including software and hardware controls as well as mobile-specific products. But even with all that firepower, security breaches are still common, and some experts believe that every company has already been breached at least once; they just don't know about it yet.

That can be a terrifying thought for anyone trying to keep data safe, especially the kind of information found within law firms. Here are three security issues to keep in mind, no matter what kind of tech tools you're employing:

1. Access by former employees and associates

Although it should be common practice to remove access to company data when an employee or associate leaves the firm, there are times when that doesn't happen immediately - or even at all.

A survey by cloud IT provider Intermedia and survey firm Osterman Research found that 89 percent of former employees retained access to company assets, including documents, email, and file-sharing apps. This can be especially detrimental for law firms, according to Dennis Dimka, CEO for Uptime Legal Systems, an Eden Prairie-based provider of cloud services that focuses exclusively on the legal industry.

"It's not just that these former employees have the ability to get in, they actively take advantage of that to reach back into the assets of former employers," Dimka says. "There's a great deal of attention paid to hackers in the press, because of major data breaches, but ex-employees pose a far greater threat to a law firm's systems."

Lock it down: To address the issue, Dimka recommends that a firm put IT security on its offboarding checklist, so that when someone leaves the company, their access is removed at the same time they turn in their ID badge, firm equipment, and front door key card. The employee should hand over all passwords and VPN key fobs as well, and IT should securely wipe their laptops and firm-owned smartphones.

2. Use of a patchwork of systems, including online free storage

For many firms, their data storage and file transfer systems have grown over time, and involve multiple applications. A surprising number of firms lack a central application, Dimka says, which often leads employees and associates to transfer files and store documents in free online storage options like Dropbox or Box. But that means sensitive information is now "in the wild," and well outside the security controls that IT may have put into place.

"If a firm doesn't have adequate backup systems, employees may be concerned that their files will get wiped out if there's any systemwide problem," says Dimka. "So, they're just trying to protect their files. Or, they may be putting files into those systems so they can access them when they work from home. Either way, your firm will be at risk."

Lock it down: Although a sophisticated data storage system can be an investment, it's worth the security return. Relying on a hodgepodge of free tools and low-cost applications is a recipe for disaster, especially if former employees still have access, or if sensitive documents are shared without authorization. Consider a wholesale change to a firm's entire system, to create an automated and centralized resource. It tends to take time, money, and effort to make that switch, but it can be a huge boon for security and productivity.

3. Rise of spear phishing and ransomware

With ransomware, a hacker will slip into a system, then put encryption controls in place that lock users out. The hacker then demands money to "unlock" the data. With spear phishing, an attacker might target an entire firm, sending an email that looks legitimate, such as a legal form that needs to be filled out. But when a user clicks on the link, the action brings malware into the system.

These strategies aren't new, but they've been gaining a great deal of traction in the past few years, and security experts believe they'll be more prevalent on smartphones next. Vincent Weafer, senior vice president at security firm McAfee Labs, says that ransomware variants are being developed to evade security software even in cloud-based storage systems. "We expect this should move into the mobile space before long, so your phone would be locked until you pay a ransom," he notes.

Lock it down: In addition to creating a centralized system that can be upgraded with the newest security controls, it's also crucial to make sure that employees and associates are trained in the latest security risks. This doesn't have to be a large-scale, formal training that involves hours of information. Instead, try delivering training in bite-size pieces that get more attention. For example, pop a five-minute security training before meetings on other topics, or post notices in break room areas.

No matter how strong you believe your systems to be, it's always important to stay on top of security issues because they're always changing. Focusing on better access controls, a more efficient system, and more frequent training can go a long way toward helping your firm to stay safe.

-----

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek, and TechNewsWorld.

Published: Tue, Jul 21, 2015