Data Breaches: Redefining Best Practices
June 1, 2016
Another day, another infiltration. In 2014, more than 700 data breaches were reported across businesses, governments, and educational and financial institutions. The technology to perform attacks has become more ubiquitous and the defenses currently in place are less effective than before. In response, law firms must evaluate their own infrastructures and make the appropriate changes in 2015.
The Latest Findings on Firm Security
The International Legal Technology Association recently conducted a survey asking more than 450 firms about their IT systems and practices and about their outlook on technology management. The firms surveyed ranged from those with fewer than 50 attorneys to those with more than 700. Firms with fewer than 50 attorneys were the majority group surveyed.
Last year, 40 percent of attorneys’ biggest tech annoyances were security and risk management issues, followed by the tasks of managing expectations and users’ acceptance of change. Even with security a primary concern, 44 percent of the firms still considered their IT department an expense to the firm (rather than an asset). And only 38 percent increased their 2014 budget over the previous year’s.
Still, not all hope is lost. Many firms are taking steps in the right direction to secure their operations. From network management to access control, attorneys are benefiting from software and hardware solutions that demonstrate their interest in long-term solutions. And on the front end, users sometimes resist changes to new services, but the payoff is worth it in the long run for both parties.
Outdated Tools and Steps Forward
The browser is the most important tool in the daily life of an internet-connected attorney. Internet Explorer has caused headaches for as long as it’s been around, and thankfully, the legacy versions 8 and below are nearing user extinction. Version 9 is still the most popular, with Version 10 taking third place. Excluding IE, Google Chrome is the browser of choice among 80 percent of firms.
File handling can be overwhelming to manage, and it presents a huge security risk and a recipe for failure when done manually. Almost a third of the law firms surveyed had no file management system, no backups and no encryption on their desktop or mobile devices. Less than half of the firms had a security awareness training program for staff members.
We are undeniably in the age of mobile computing. Fortunately, 80 percent of firms provide some sort of financial support (device, plan and voice reimbursement) to make sure their attorneys can stay connected. Nearly all firms enforce an unlock screen to access phones. But more than half of the firms surveyed did not use any mobile device management software in case of stolen or lost phones.
No Perfect Protection
The largest breaches of 2014, including those that hit iCloud, Home Depot and other major companies, used a combination of certificate forging and social engineering to make customer and corporate data public.
IT attacks will always be beyond the cutting edge of security defenses. It’s just the nature of technology. A company develops an operating system to the best of its abilities, but the system gets torn apart and reverse-engineered to reveal its weaknesses. The company can only release fixes for those weaknesses after they become known, and they are too often discovered by dishonorable parties.
On Christmas Day, the busiest gaming day of the year, servers for both the Xbox and PlayStation networks were taken offline, and a hacking group proudly claimed responsibility. They were able to knock the systems offline using denial-of-service attacks, and their method was unique. Rather than using a botnet of infected computers, they used a massive network of vulnerable routers with outdated firmware and default passwords to stage the attack.
Not all massive data breaches are accomplished by exploiting technological vulnerabilities, however. A hacker trying to access a protected network will often try to phish employees until a person with just enough access and a weak enough password is compromised. And access to a partner’s account is often more valuable than a team of firewall crackers.
Even systems that have no apparent risk can be exploited for malicious intentions. Progressive’s Snapshot program, for example, gave users a dongle to plug into their vehicle’s diagnostic port in order to provide discounts to safe drivers. The device, which is currently used by two million customers, lacks any form of encryption. On newer vehicles, where nearly all vehicle components are computer-controlled, researchers can remotely access the vehicle’s complete array of sensors. It’s a concerning prospect.
Recommended Changes to Make This Year
Even if you made improvements to your IT infrastructure last year, there’s always room to improve the security and efficiency of your daily work.
Software is always a big concern for attorneys: shopping for it, keeping it up to date, and transferring data between different versions. While some choices seem simple (such as what word processor to use), other decisions (such as what litigation tools to acquire) can be difficult to make without guidance and proper follow-up training to learn the software after purchase. A good place to start is CDW, which nearly all attorneys (94 percent) used to purchase software and licenses.
Microsoft Outlook still reigns supreme in multiple aspects, managing the majority of inboxes and contacts, handling schedule management, and even acting as an outbound mass-emailer. Outlook’s utility can be maximized easily, but some firms surveyed evaded the secure options, eschewing two-factor authentication or allowing unencrypted remote access to email.
By moving and consolidating tools into cloud-based technology, it’s far easier to set up appropriate rules and to focus on securing a single point of entry than it would be using multiple software or hardware systems.
A staggering 78 percent of attorneys did not use a company communication tool, and instead relied on real-life exchanges, emails or personal messaging services. Both startups and established businesses are offering solutions for internal communication, including Glip, Flowdock and Microsoft Lync. They provide a secure environment to communicate, and they have better tools for multi-person, multi-group discussions than email.
A similarly whopping 40 percent of firms don’t back up their older emails, either locally or off-site, which is a setup for disaster. Those with email backups benefit from powerful archive search and instant availability because of cloud solutions.
A VPN (Virtual Private Network) is also highly recommended because it allows attorneys and staff to enter the firm’s intranet externally. Rather than setting up complex firewall rules, the user will establish an encrypted tunnel to access servers, printers and other resources only available from inside your LAN. VPNs can also protect you from snooping when you are using public hotspots, since your traffic is encrypted between your machine and the firm’s VPN server.
Encryption in general is a very good practice to get used to. It’s better to assume your traffic is being monitored than to transmit data freely and then resort to your disaster recovery plan (and only 56 percent of firms surveyed had one in place at all).
Looking Out for Payment Security in 2015
Client transactions face an impending change as dramatic as those seen online. Chip and personal identification number (PIN) credit and debit cards are making their way to the United States. President Obama has even announced that starting this year, any cards issued by the government will come equipped with this technology, which should help us catch up with the rest of the world.
An internal microchip will replace the easily spoofed magnetic stripe that has been around since the 1970s. Purchases will require a PIN to be entered at the point of sale (POS), which will in turn generate a unique token to be verified by the issuer’s bank.
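The difference between a static stripe and a per-transaction token is easier to see in code. The following is an added illustration written for this page; it is not the article’s own material and not the actual EMV cryptogram algorithm (which is specified by the EMV standard and uses card-specific keys and message formats). It models the idea with an HMAC over the transaction fields plus a transaction counter: the card signs each purchase with a key that never leaves the chip, and the issuer recomputes the token and refuses anything replayed, altered or out of sequence. The card number, key, merchant identifier and amounts are constructed sample values.

```python
import hashlib
import hmac

# Constructed card-unique secret for the demonstration; a real issuer
# derives one per card and the chip never exports it.
DEMO_CARD_KEY = hashlib.sha256(b"demo-card-key-not-a-real-secret").digest()
DEMO_PAN = "4111111111111111"  # constructed sample card number


def _payload(pan, amount_cents, merchant_id, counter):
    # The fields the token commits to: which card, how much, where, and a
    # monotonically increasing transaction counter that makes each token unique.
    return f"{pan}|{amount_cents}|{merchant_id}|{counter}".encode()


class ChipCard:
    """Card side: the key stays inside the chip, and every purchase yields a
    fresh token because the counter advances."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.counter = 0

    def authorize(self, amount_cents, merchant_id, pin_correct):
        # The terminal verifies the PIN before the chip will sign anything.
        if not pin_correct:
            raise PermissionError("PIN verification failed at the terminal")
        self.counter += 1
        payload = _payload(self.pan, amount_cents, merchant_id, self.counter)
        token = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant_id,
                "counter": self.counter, "token": token}


class Issuer:
    """Issuing bank: recomputes the token with its own copy of the key and
    rejects replays, altered fields and out-of-order counters."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_counter[pan] = 0

    def verify(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return False
        payload = _payload(msg["pan"], msg["amount"], msg["merchant"], msg["counter"])
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["token"]):
            return False  # token does not match the transaction as stated
        if msg["counter"] <= self._last_counter[msg["pan"]]:
            return False  # counter already used: a replayed authorization
        self._last_counter[msg["pan"]] = msg["counter"]
        return True


def magstripe_copy_is_indistinguishable():
    """Stripe data is static, so a skimmed copy verifies exactly like the
    original; this is the weakness the chip's per-transaction token removes."""
    track = "4111111111111111=2512"  # constructed sample track data
    skimmed_copy = str(track)
    return skimmed_copy == track


def run_demo():
    """Returns (genuine_accepted, replay_rejected, tamper_rejected,
    second_genuine_accepted, wrong_pin_rejected)."""
    issuer = Issuer()
    issuer.enroll(DEMO_PAN, DEMO_CARD_KEY)
    card = ChipCard(DEMO_PAN, DEMO_CARD_KEY)

    first = card.authorize(4999, "MERCHANT-001", pin_correct=True)
    genuine_accepted = issuer.verify(first)
    replay_rejected = not issuer.verify(first)  # same message sent twice

    second = card.authorize(1250, "MERCHANT-001", pin_correct=True)
    tampered = dict(second, amount=125000)  # amount altered in transit
    tamper_rejected = not issuer.verify(tampered)
    second_genuine_accepted = issuer.verify(second)  # untouched copy still valid

    try:
        card.authorize(100, "MERCHANT-001", pin_correct=False)
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True

    return (genuine_accepted, replay_rejected, tamper_rejected,
            second_genuine_accepted, wrong_pin_rejected)


if __name__ == "__main__":
    print("magstripe copy passes:", magstripe_copy_is_indistinguishable())
    print("chip results:", run_demo())
```

Running it shows the stripe copy is accepted as readily as the original, while for the chip the first authorization is accepted, its replay is refused, an altered amount is refused without consuming the counter, the untouched second authorization still verifies, and no token is produced at all without the PIN.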
EMV (a coalition composed of Europay, MasterCard and Visa which seeks to standardize the chip and PIN technology) will roll out in the U.S. this year. The processors will then shift the liability for fraud onto merchants who are still using magnetic swipe POS. Once merchants have upgraded to the new technology, the liability for fraud goes back to the previous arrangement.
According to the Federal Reserve, the chip and PIN method is 700 percent more effective at stopping fraud. In many European countries, where this system has already been in place for half a decade, removing the outdated technology has reduced credit card fraud by upwards of 65 percent.
So will this new technology affect your ability to invoice and collect payments? If you are using a POS system with a credit card swipe reader, you will need to upgrade your machine to a new chip and PIN system. The new microchip cards will not, however, change the way e-commerce transactions are handled. Digital payments will still have to be verified using the existing methods of verifying billing information and fraud prevention.