Cyber security seems to be the topic du jour in technology, the way the “Cloud” was several years ago. But what exactly does the term refer to, and why should we be concerned with it?
As Kraft Kennedy was preparing to launch its new Information Security and Governance practice group, Kraft Kennedy CTO Marcus Bluestein shared his thoughts on this important topic in an interview.
Q: What is “cyber security”?
Marcus Bluestein: “Cyber security” refers to the security surrounding digital property, used to protect an individual’s or a company’s data from attack or theft. This involves several coordinated elements, a mix of technologies and practices.
Q: What are we trying to protect?
MB: Most companies have proprietary or otherwise confidential data that they absolutely cannot afford to have divulged. Law firms, particularly, are the gatekeepers of a great deal of privileged data related to intellectual property, mergers and acquisitions, financial information, to name a few prominent categories. Desktops, laptops and mobile devices are the obvious things that need to be protected, but there are also networks, servers, backups, and cloud data. Some almost ubiquitous technologies are frequent targets. Ninety-nine percent of all mobile malware last year targeted Android devices. Java comprises about ninety percent of all web exploits.
Q: And who are we trying to protect all of that from?
MB: There are many parties out there, international and domestic, that would like to get their hands on that kind of information, for money or for competitive advantage. These groups, whether APT actors or cyber criminals, use a variety of methods to go after a network, such as malware, social engineering or attacks such as Cryptolocker, which demands a ransom fee to return your data. Malware creation hit a new record high recently. Sometimes it can be created with a few mouse clicks.
Q: Should law firms be especially concerned?
MB: Yes. Some firms are aware of the issue of cyber security from the pressure that is now exerted by their clients, especially those in the financial and healthcare sectors. We have found that they are requiring our clients to undergo security assessments and to fill out long, detailed checklists regarding their security posture. RFPs from non-regulated clients are also asking these questions because they don’t want the risk of handing over their data if the law firm’s network is not secured. Then there are various regulations, like HIPAA and HITECH, that set out guidelines for firms that act as Business Associates. A security breach seriously damages a firm’s reputation and credibility.
Q: What can firms do?
MB: We frequently recommend some basic measures to our clients that are more practical to implement and give a bigger return on investment. We also work with our clients on making sure that more complex measures, which require more planning and resources, are in place.
Q: What is the first layer of protection?
MB: User account management is probably the most basic. Clients need to know which accounts are in their environment and what privileges the accounts have. These user accounts really need to use good passwords and locking policies. We believe that firms should mandate long and complex passwords that are changed periodically. Also, PINs on mobile devices and automatic lockdown of computers after a certain period of inactivity should be in place. Many firms are reluctant to force password policies on their attorneys, but this is very important.
Next, there’s network segmentation and firewall layering. This entails separating a network into two or more zones and implementing a firewall for each one. This is something that can be done with a client’s existing technologies but just needs a little time to architect effectively.
Some companies have implemented real-time alerting and monitoring of their networks which include threat detection, logging and vulnerability management. Not all firms can have a full-time person dedicated to this, but there are solutions out there for networks of all sizes that can make this feasible.
Encryption is another big one. Whether it is data on a laptop or moving across the Internet, it is baked into many platforms. TLS, or email and Internet encryption, is a fundamental, as well as hard-drive encryption.
Firms should also be conducting regular patch management. This is one of the things we do for our clients, especially for smaller companies. Most exploits happen to vulnerabilities that have been identified and known about for months if not years.
We also frequently recommend to our clients that they invest in a business-class secure file sharing service for the enterprise. Many professionals like the convenience of consumer products such as DropBox for sending large files, but we advise against this.
User education and training is very important. This includes everything from end-user awareness training to having your IT team perform incident response drills. The most expensive technologies in the world can be put into place but none will be effective if users are doing things they shouldn’t and you don’t know how to properly manage security incidents.
Q: Which solution do you think is most difficult to implement?
MB: I don’t think it’s a matter of one thing being more difficult to implement than another. You need to have a plan for your security program and this can be hard because there is no single “silver bullet” solution.
You need to have a layered security program that addresses issues around people, policies, technologies and processes to reduce the risk to the business. The right solutions need to be implemented at the right times. It is a challenge to communicate to users, management and staff that security is never “done,” and that there’s no one-size-fits-all approach.
For example, application whitelisting is an extremely effective technique to mitigate threats. But, there are time and cost considerations involved in implementing this and it really needs to be done after other actions are taken to secure an environment.
User education can be difficult because it needs to be done on a regular basis with measurable outcomes to be effective. Simply conducting education or training once to check a compliance check box is not enough. Also, enforcing policies may be one of, if not the most, challenging elements of a cyber security plan. However, we have worked with firms to develop the successful adoption of such policies by making sure people understand the risks when they turn off or circumvent security controls.
Another thing is removing Local Administrator privileges for users. We recommend this to most firms and more generally to anyone connecting a computer to their firm’s network. This can be a complicated issue because of the needs of some users and firms, but it does mitigate the risk associated with an infected computer. There is a lot that can be done in modern Windows Group Policy environments that can balance rights and security needs.
We have implemented “thin-client” access, or Virtual Desktop Infrastructure (VDI), for many firms. This is a big undertaking that might not make sense for many companies at this point in time. Kraft Kennedy has experts on VDI who specialize in implementing this configuration, in which, essentially, the desktop computer is just a screen, with the main computing happening in a remote and centralized location. This is a great security strategy because it allows central management of environments and the ability to recover quickly after an incident.
Q: You mentioned education as a key component. What does ‘user education’ entail?
MB: This entails firms communicating guidelines, policies and the reasoning for them, then getting people to follow them. It also involves tracking the programs and their effectiveness. It is important to emphasize that there is a degree of coordination of moving parts involved to be successful.
Remember that there are user habits that are hard to break. You have to be able to demonstrate that by doing things a new or different way, with a focus on security, there can be additional benefits in productivity. Make sure the programs are fun and engaging so people really remember the right things to do when faced with a potential threat.
Q: What is the mark of a cyber security-educated user?
MB: First of all, they have an awareness of the issue of security and of how it can impact them or their firm. They follow firm guidelines, in the office and while working remotely.
They also follow a few “best practices” for safe computing. Savvy users know not to click on unfamiliar links in emails, for example. As you can see, something like this is hard to control. However, there have been some huge company-wide data breaches recently due to a single person opening a link that they shouldn’t have opened. They also know that mobile data, the data stored on phones and tablets, is more vulnerable to theft, and protect it accordingly. They use different usernames and passwords for different websites, as annoying as that is. These days we have so many accounts to track. Password managers like RoboForm and LastPass help with that. Personally, I find it really useful. These are browser add-ons that securely save your credentials and enter them for you. I only have to remember my RoboForm password.
Q: What does the future hold for cyber security? It seems like there’s something new to think about every day, like Heartbleed and then this last Internet Explorer vulnerability.
MB: It’s hard to say just for that reason. This will be an ongoing battle. As I said before, security is never done. An attacker only has to be right once and we have to be on top of our game at all times. As technology evolves and new trends emerge in work styles, such as mobility and the Cloud, there will be new threats that will require new safeguards. Cybercriminals and APT groups are innovating and improving their methods, and we have to keep current with them. Our new Information Security and Governance practice group, made up of leading experts in the arena, will be well equipped to deal with the challenges facing law firms.
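Two of the recommendations in the interview, knowing which accounts hold which privileges and removing Local Administrator rights from everyday users, translate directly into a check an IT team can run on each workstation. The script below is an added example, not Kraft Kennedy’s tooling or anything described in the interview. It assumes a Windows 10 / Server 2016 or later machine with the built-in Microsoft.PowerShell.LocalAccounts module, and the CORP domain group names in the approved list are hypothetical placeholders to be replaced with the firm’s own.

```powershell
# Added example (not from the original article): audit the local Administrators
# group against an approved list and report the local account lockout and
# password settings. Nothing is changed unless -Remove is passed, and even
# then Remove-LocalGroupMember runs with -WhatIf so the operator sees the
# intended removals before acting on them.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Hypothetical approved principals; adjust to the firm's own tiering model.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally LAPS-managed)
    'CORP\Domain Admins',                # hypothetical domain group
    'CORP\Workstation Admins'            # hypothetical delegated support group
)

# Enumerate current members of the local Administrators group.
$Members = Get-LocalGroupMember -Group 'Administrators'

# Anything not on the approved list is a candidate for removal.
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

if ($Unexpected.Count -eq 0) {
    Write-Host "OK: only approved principals hold local admin on $env:COMPUTERNAME"
} else {
    foreach ($m in $Unexpected) {
        Write-Warning ("Unexpected local admin: {0} ({1}, source: {2})" -f `
            $m.Name, $m.ObjectClass, $m.PrincipalSource)
    }
    if ($Remove) {
        # -WhatIf previews the change; drop it once the list has been reviewed.
        $Unexpected | ForEach-Object {
            Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
        }
    }
}

# Local password and lockout policy as applied to this machine. In a domain
# these values come from Group Policy; on a standalone machine they are the
# local security policy. Non-zero lockout threshold and a minimum length
# are the settings the interview's "good passwords and locking policies"
# point refers to.
Write-Host "`nEffective local account policy:"
net accounts | Select-String 'Lockout threshold|Minimum password length|Maximum password age|Lockout duration'
```

Run it from an elevated PowerShell prompt on a sample of workstations first; a large set of unexpected entries usually means a support group or an imaging template is granting admin rights wholesale rather than individual users having added themselves.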