A Survival Guide for Legal Practice Managers

Cyber Security Awareness

Tuesday, August 08, 2017

By Ray Zwiefelhofer, President, Worldox 


You do not have to look far to read or hear of a major cybersecurity breach. It has become part of the constant information stream we receive, and because of this it is easy to become desensitised and treat it as IT’s problem. However, we all have a hand in preventing cybersecurity breaches, and we all need to understand what we can do to help.

In late 2015 my colleagues and I were amused by the news that the US government’s Office of Personnel Management (OPM) had been hacked, and that the hackers had stolen records for 22 million people. We discussed this casually without too much thought or concern – just another hack. A few days later I received a call from my son, who had recently graduated college and started a job. His mother and I had been references for his background check for the job, and he was calling to let us know that all of our information had been compromised in this latest OPM hack! Instantly my casual observation of “another hack” became really personal, really quickly.

As in my own experience, your firm is probably feeling more pressure as major law firms are increasingly being hacked. The FBI calls law firms ‘soft targets’: they are easier to gain access to than large corporations, and they often store their clients’ valuable information.

Who is the hacker?


When we think of a hacker, we assume we are dealing with a bad guy somewhere who is intent on gaining access to our valuable information. While this is correct, the picture gets more complicated when we talk about the unwitting accomplices in a breach. A hacker can only get into your network through some type of vulnerability, and contrary to popular belief, internal staff members assist in most hacks. This, of course, is mostly unintentional.

Rather than expending countless resources on mass attacks against your network, which proper IT practices can mitigate, hackers send innocuous-looking emails to your employees that often carry links installing malicious software on your network. If your organisation has poor password policies, the hacker gains entry to your sensitive data with little fanfare, and will probably not be noticed by expensive back-end monitoring software until it is too late.

All of us, from the administrator to the end user, the partners and IT, need to be actively involved in protecting the firm’s intellectual property. A user’s password written on a sticky note taped to their monitor bypasses even the best security.

Convenience vs. Security


Even the best security products on the market can be rendered worthless if they are so complicated to use that users circumvent them, the phenomenon known as “Shadow IT.” Security measures must mitigate risk, yet be straightforward enough to understand that people can include them seamlessly in their workflow.


A password policy is a good example of this principle. In the past, guidelines set by US governing bodies such as the National Institute of Standards and Technology (NIST) have specified how a firm should handle passwords. It was important to follow these guidelines, as a firm’s clients often inquire how the firm handles certain policies. Clients want to have a comfort level with the firms they do business with and to ensure their security practices are sufficient.

The password guidelines considered acceptable covered password length, complexity, and frequency of change. We all know from personal experience the hassle of coming up with yet another password that has special characters, has not been used before and is of a certain length, and that then has to be changed every couple of months. This issue is near to my heart, as we have many of these rules in house because of the nature of our business.

Very recently our IT manager explained to me that we needed to shorten the timeframe of required password changes for all employees. I nearly lost my mind, as we currently change every six months with all of the recommended complexity requirements! My answer to him was that, if we adopted this approach, many of our day-to-day staff would not be able to memorise their passwords and would be forced into bad practices such as writing them down, etc.

I challenged him to find an easier way to protect us that would be just as secure. I remembered that our cloud support team utilised dual-factor authentication along with their passwords to provide an added layer of security for that department. I suggested we do the same for everyone in our office, including the day-to-day office workers. After a little research, we found a solution that cost only a few dollars a month per employee and sent a code to their cell phone. This is really a better practice than complex passwords alone as, not only does a hacker need your employee’s password, but they would also need their phone and the password for that.

In summary, we minimised the need for constant and overly complex password changes with two-factor authentication.

The above password issue just seems like common sense, doesn’t it? 

If you force complex, frequent password changes, staff will write their passwords down somewhere, and a cleaning crew or others can easily access them. Although common sense says this is bad, we look to standards bodies such as NIST and blindly follow along. A few months after the password interaction with my IT manager, a new guideline was published by NIST that shocked the industry:

“New NIST guidelines banish periodic password changes”


Yes, you read that correctly: NIST now recommends that we no longer force periodic password changes and that we should no longer enforce complexity requirements. In the appendix to the same section of the document, the strength of “memorised secrets” is explored in a concise and accurate manner. You can read the full guidelines here.
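The contrast the post draws can be shown as two acceptance checks side by side. This is an added example, not code from the author, Worldox or NIST: the first class encodes the legacy rule set (composition rules plus forced rotation); the second encodes the memorized-secret rules of NIST SP 800-63B, the 2017 guideline the post refers to (minimum 8 characters, accept at least 64, Unicode normalisation, no composition rules, no periodic expiry, and screening against a blocklist of breached, common, repetitive or sequential, and context-specific values). The blocklist here is a constructed handful of entries; a real deployment would load a breached-password corpus.

```python
import unicodedata
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Set

# Constructed blocklist standing in for a real corpus of breached and common passwords.
CONSTRUCTED_BLOCKLIST: Set[str] = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome1", "p@ssw0rd",
}

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")


@dataclass
class LegacyPolicy:
    """The pre-2017 rule set the post describes: character classes plus forced rotation."""
    min_length: int = 8
    max_age_days: int = 90

    def problems(self, pw: str, last_changed: date, today: date) -> List[str]:
        issues = []
        if len(pw) < self.min_length:
            issues.append(f"shorter than {self.min_length} characters")
        if not any(c.islower() for c in pw):
            issues.append("no lowercase letter")
        if not any(c.isupper() for c in pw):
            issues.append("no uppercase letter")
        if not any(c.isdigit() for c in pw):
            issues.append("no digit")
        if not any(c in SPECIALS for c in pw):
            issues.append("no special character")
        if today - last_changed > timedelta(days=self.max_age_days):
            issues.append(f"older than {self.max_age_days} days, rotation required")
        return issues


def is_sequential(pw: str) -> bool:
    """True for runs such as 'abcdef' or '123456' (each character one code point above the last)."""
    return len(pw) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


@dataclass
class Nist80063bPolicy:
    """SP 800-63B memorized-secret rules: length floor and generous ceiling, Unicode
    normalisation, no composition rules, blocklist screening, and no age check
    (a change is forced only on evidence of compromise)."""
    min_length: int = 8
    max_length: int = 64
    blocklist: Set[str] = field(default_factory=lambda: set(CONSTRUCTED_BLOCKLIST))

    def problems(self, pw: str, username: str = "", firm_name: str = "") -> List[str]:
        pw = unicodedata.normalize("NFKC", pw)  # so visually identical inputs compare equal
        issues = []
        if len(pw) < self.min_length:
            issues.append(f"shorter than {self.min_length} characters")
        if len(pw) > self.max_length:
            issues.append(f"longer than {self.max_length} characters")
        lowered = pw.lower()
        if lowered in self.blocklist:
            issues.append("appears on the breached/common password blocklist")
        if len(set(lowered)) == 1 or is_sequential(lowered):
            issues.append("repetitive or sequential characters")
        for word in (username, firm_name):
            if word and word.lower() in lowered:
                issues.append(f"contains context-specific word '{word}'")
        return issues


if __name__ == "__main__":
    today = date(2017, 8, 8)
    for candidate in ("correct horse battery staple", "P@ssw0rd"):
        print(candidate)
        print("  legacy:", LegacyPolicy().problems(candidate, date(2017, 7, 1), today))
        print("  800-63B:", Nist80063bPolicy().problems(candidate, firm_name="Worldox"))
```

Run as written, the long passphrase fails three legacy composition rules but passes the 800-63B check, while "P@ssw0rd" satisfies every legacy rule and is rejected by the blocklist, which is the point the post makes about complexity rules rewarding the wrong habits.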

While I don’t feel better about being vindicated to my IT Manager by a national standards body, it reemphasises that we live in an ever-changing environment where you need to use practical common sense when implementing security policies and procedures.


Editor's Note

Ray Zwiefelhofer will be speaking on “Data Security in the Legal Industry” at the 2017 ALPMA Summit, held from 13-15 September at the Brisbane Convention and Exhibition Centre. This year’s Summit focuses on developing the key 21st century skills of collaboration, communication, critical thinking and creativity at law firms. Join more than 300 law firm leaders and managers for an action-packed three days of professional development, networking and fun. Register now!


About our Guest Blogger

Ray Zwiefelhofer has over twenty-five years’ product solution experience within the legal technology market, with expertise in AMLAW 250 and Fortune 500 companies. He was President, CEO and CIO at several software solutions startups and CTO at a Fortune 500 company. Those companies include Bowne, Imagineer, Equitrac and Diebold. Prior to joining World Software, Ray was the Founder and CEO of nQueue, a global cost recovery company.

Founded in 1988, World Software Corporation® is an innovative leader in the Email and Document Management Systems (DMS) category. The company's flagship product Worldox® has an install base of over 6000 companies in 52 countries.

