Moving Past Password Complexity: Security for the Modern Law Firm

Reprinted with permission from: International Legal Technology Association, April 2019, published by the International Legal Technology Association, 159 N. Sangamon Suite 200, Chicago, IL 60607. Authored by Joseph Hoegler of Kraft Kennedy.

New Security Challenges

Mobility, the cloud, and the modern workplace have fused to create unprecedented opportunities for law firms to connect with clients and optimize productivity. With these opportunities, however, comes an increasing focus on the need to protect law firm users and sensitive data, as risks such as breaches and data leakage are now substantially greater.

We’ve all heard about highly publicized security breaches in the corporate world—according to security intelligence vendor Risk Based Security, over 6,500 publicly disclosed breaches exposed more than 5 billion records in 2018 alone. With a large quantity of sensitive information across numerous large, global, and public organizations, law firms represent a logical target for those who wish to maximize the impact of an attack.

The Three Pillars of Security

Security can be a large, nebulous, and daunting effort, even for a seasoned technology professional. Further complicating the matter, coordination with business stakeholders is crucial given the potential impact on attorney productivity as well as the need for support and vigilance from all users within a firm.

To make security more approachable, the capabilities and posture of a firm can be organized into three key pillars: Threat Protection, Identity Protection, and Information Protection.

Threat Protection

Threat protection involves defending the firm and its users against both external and internal threats such as viruses, malware, spoofing, phishing, and spear phishing. A security awareness program with formal training, recurring educational modules, and user analytics is a crucial component of this effort to ensure that users are equipped to protect themselves against malicious actors, both in their corporate and personal lives.

Additional tools and services can and should be deployed to protect the firm before a potential user error occurs. Attachment and link scanning are two such solutions that should be considered for inclusion in any environment. Leveraging a third party application or service that can, at scale, sandbox, analyze, and detonate malicious attachments, as well as verify the validity of links sent via email, can go a long way toward protecting users from the most common forms of external threats.

This is, however, only part of the battle. Analytics of user behavior, benchmarking of your firm’s security posture relative to similar firms and the world at large, as well as alignment with global security and governance best practices such as GDPR and ISO (even if your firm isn’t aiming for a formal certification) are all important data that help to quantify risk.

Identity Protection

Identity protection involves defending the undisputed center of any security model—user identity. Without a trusted and validated identity, it becomes nearly impossible to assess who should have access to what, when, and from where. User behavior cannot be tracked and analyzed, which results in difficulty establishing normal versus abnormal behavior. At the center of identity protection is the user password, currently the primary, and in many cases singular, barrier between illegitimate access and behavior. Historically, passwords have been viewed as a necessary evil required for identity validation. This led to the trend of setting standards regarding password complexity, password change frequency, and account lockouts, which has actually resulted in poorer security. How many users write down their passwords, reuse old ones with simple numerical increments, etc., because it is hard to remember them?

Recently, multi-factor authentication (MFA) has become accessible to and in fact standard at firms of all sizes. MFA, which provides an additional level of identity protection, can be thought of as something that users have, rather than something that they know, as in the case of passwords.

That said, MFA doesn’t solve the issues of legacy password authentication but simply masks them. Now is the time to move beyond passwords to modern forms of authentication. Device-specific facial recognition, biometrics, and PIN codes can be used until they eventually remove the need for passwords entirely from the corporate environment. This kind of shift will take time but modern advances in operating systems and devices allow firms to start to embrace and reap the benefits now. To truly understand user behavior and granularly control access, firms should also consider third-party tools and services such as Microsoft Azure Active Directory Identity Protection and Microsoft Azure Advanced Threat Protection for additional layers of security beyond authentication. Understanding authentication, user risk (as a point-in-time determination), and access behavior, and controlling them differently based on device state and user location (including historical data) can significantly increase a firm’s awareness of and control over who accesses data, when, and from where.
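The paragraph above describes access decisions that vary with user risk, device state and sign-in location. The following Python sketch is an added illustration of that idea and is not code from Kraft Kennedy or from any Microsoft product; the signal names, the thresholds and the sample sign-ins are all assumptions chosen to show how the signals combine into allow, step-up or block outcomes.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: ask for the second factor first
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_risk: str                # point-in-time risk: "low", "medium" or "high"
    device_compliant: bool        # device is managed and meets the firm's baseline
    country: str                  # country of the current sign-in
    usual_countries: frozenset    # countries seen in this user's sign-in history
    mfa_completed: bool           # second factor already satisfied this session
    resource_sensitivity: str     # "public", "internal" or "confidential"


def evaluate(req: AccessRequest) -> Decision:
    """Return the decision for one sign-in. Policy rules are assumptions."""
    # Rule 1: a user flagged high risk is never granted, whatever else is true.
    if req.user_risk == "high":
        return Decision.BLOCK
    # Rule 2: confidential material is only reachable from a compliant device.
    if req.resource_sensitivity == "confidential" and not req.device_compliant:
        return Decision.BLOCK
    # Rule 3: any deviation from the user's baseline requires a second factor.
    unfamiliar_location = req.country not in req.usual_countries
    needs_second_factor = (
        req.user_risk == "medium"
        or unfamiliar_location
        or not req.device_compliant
        or req.resource_sensitivity != "public"
    )
    if needs_second_factor and not req.mfa_completed:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


def sample_decisions() -> dict:
    """Constructed sign-ins (not real users) showing how the signals combine."""
    history = frozenset({"US"})
    cases = {
        "compliant_device_home_public":
            AccessRequest("aturner", "low", True, "US", history, False, "public"),
        "compliant_device_home_internal_no_mfa":
            AccessRequest("aturner", "low", True, "US", history, False, "internal"),
        "unfamiliar_country_with_mfa":
            AccessRequest("aturner", "low", True, "FR", history, True, "internal"),
        "unmanaged_device_confidential":
            AccessRequest("aturner", "low", False, "US", history, True, "confidential"),
        "high_risk_user":
            AccessRequest("aturner", "high", True, "US", history, True, "public"),
    }
    return {name: evaluate(req).value for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:40s} -> {decision}")
```

The ordering of the rules is the point: hard blocks (high risk, unmanaged device touching confidential data) are checked before the softer step-up rule, so a completed second factor can never override them. A real deployment would also record each decision with its inputs, since the historical location and risk data the paragraph mentions come from exactly that log.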

Information Protection

Information protection entails protecting what is most important to a law firm—its information, intellectual property, and reputation. One aspect of this is data loss prevention, which refers to establishing, at a basic level, which information should not leave the firm, advising users of that determination, and preventing data loss should someone inadvertently or purposely attempt it. It also includes identifying and reporting data loss that does occur so that proactive communication and remediation can take place before the firm’s name is featured in a news article in an unflattering light. Another aspect of information protection is embedded protection within documents that either must be shared externally or are internal but sensitive enough such that legitimate user access must be monitored, controlled, and perhaps even revoked. Firms struggled with rights management for many years. Many solutions simply didn’t work very well or were complicated to use and manage. Modern rights management solutions from vendors such as Microsoft, Intralinks, Seclore, and others have solved these issues. They effectively enable productivity without sacrificing security and control.
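The data loss prevention step described above, at its most basic, is a scan of outbound content for material that should not leave the firm, with the outcome depending on where it is going. The following Python example is added here to make that concrete; it is not code from Kraft Kennedy or from any DLP vendor, and the firm domain, the detection patterns and the sample messages are constructed assumptions. It goes slightly beyond the text by validating card-number candidates with the Luhn check so that ordinary reference numbers do not trigger false positives.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

INTERNAL_DOMAIN = "example-firm.test"   # assumed firm domain (constructed)

# Detectors for content the firm has decided must not leave unprotected.
DETECTORS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "privilege_marker": re.compile(r"\battorney[- ]client privileged\b", re.IGNORECASE),
}


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    body: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out 16-digit strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan(msg: OutboundMessage) -> Dict:
    """Classify one message: allow, warn (sensitive but internal) or block."""
    findings = set()
    for label, pattern in DETECTORS.items():
        for match in pattern.finditer(msg.body):
            if label == "payment_card" and not luhn_valid(re.sub(r"\D", "", match.group())):
                continue   # looks like a card number but fails the checksum
            findings.add(label)
    external = any(is_external(r) for r in msg.recipients)
    if findings and external:
        action = "block"     # sensitive content leaving the firm: stop and report
    elif findings:
        action = "warn"      # stays internal: remind the sender, keep a record
    else:
        action = "allow"
    return {"action": action, "findings": sorted(findings), "external": external}


def sample_scan() -> Dict[str, str]:
    """Constructed messages (no real people or data) run through the scanner."""
    me = "partner@example-firm.test"
    samples = {
        "clean_external": OutboundMessage(me, ["counsel@other-firm.test"],
                                          "Attached is the redlined draft."),
        "ssn_internal": OutboundMessage(me, ["paralegal@example-firm.test"],
                                        "Client SSN on file: 123-45-6789."),
        "card_external": OutboundMessage(me, ["vendor@outside.test"],
                                         "Bill the retainer to 4111 1111 1111 1111."),
        "invoice_number_external": OutboundMessage(me, ["vendor@outside.test"],
                                                   "Reference invoice 1234 5678 9012 3456."),
        "privileged_external": OutboundMessage(me, ["client@outside.test"],
                                               "ATTORNEY-CLIENT PRIVILEGED memo attached."),
    }
    return {name: scan(m)["action"] for name, m in samples.items()}


if __name__ == "__main__":
    for name, action in sample_scan().items():
        print(f"{name:28s} -> {action}")
```

The "warn" outcome is what the paragraph calls advising users of the determination: the content is allowed to move inside the firm, but the sender is told it is sensitive and the event is logged, so that the reporting the author describes has data to draw on. Real DLP products add classification labels and document fingerprints on top of patterns like these; the structure of the decision is the same.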

Kraft Kennedy and ILTA are partnering to bring a roadshow to cities across the country from April through June to discuss all of the above in more detail, share new capabilities that help law firms address security concerns, and hopefully hear what all of you are concerned about or doing relative to security. You can find your city and read more information here. We hope you can join us.