For many smaller firms, the answer to that question is no. For any number of compelling reasons, smaller firms are often missing a critical focus on cyberthreats. If your firm has yet to put as much emphasis on security as it should, now is the time to get on the path to a better program. The first step is understanding the nature of today’s security risks and how to combat them.
COMMON SECURITY RISKS
At smaller firms, both security infrastructure and placing a priority on security can be lacking. Servers often sit in an unlocked closet or corner of the office, which effectively leaves all of the firm’s work and data unprotected. User devices, employed more frequently than ever, may not include key mobile device management functions, so every time someone sends or receives an email or downloads a document to a personal device, the firm’s risk exposure increases.
Risk exposure also increases when employees use unknown and unsecured Wi-Fi networks for firm business. While less frequent these days, a prime example of this is lawyers traveling and using hotel or airport Wi-Fi. When employees operate on random networks, all communications to and from their device have the potential to be intercepted.
In the days before email was encrypted, a common attack method was to infiltrate the data flow, wait for a good conversation to hijack and then inject a new communication in an attempt to have funds rerouted. Email encryption has addressed some of the risk; however, failing to secure devices can open the door to the same types of breaches.
KEY SECURITY MEASURES
Combating today’s security risks requires an awareness of those risks and how they impact your firm. You already know that your physical data needs to be protected and maintained within the firm’s control, but electronic data must also be protected under a similar umbrella. As the owner of that data, your firm needs to determine how people are accessing its data and protect it where it resides and when it is moving between devices. Then safeguards need to be in place to ensure it is encrypted on devices, when communicating back to your organization and that you can remove it from devices when it should no longer be there.
Data security is no different than physical security — if something looks wrong, don’t trust it. We’re used to identifying physical risk because we see it every day. It’s time to start thinking about digital risk in the same manner. You monitor the people you interact with, the ones you let into your spaces and how freely they are able to move about your office; you should also be monitoring which players are connecting and how they are connecting to your systems just as vigilantly.
Think back to the example of lawyers on hotel Wi-Fi — even if data in transit is encrypted, whoever controls the Wi-Fi has access to the devices on that network. Those individuals can potentially read or exfiltrate data if the device is not properly protected and encrypted. Device management ensures that you restrict access to your data to only outlets under the firm’s control, including minimum security standards such as patch levels, malware protection and encryption and authentication requirements.
Data security is no different than physical security — if something looks wrong, don’t trust it. We’re used to identifying physical risk because we see it every day. It’s time to start thinking about digital risk in the same manner.
Of particular relevance today are the various devices your staff are using remotely. Do you know all of the laptops, phones, tablets or other devices your employees connect to your network? Even if they are not firm-issued, every device used to access your data needs to have mobile device management and security parameters. They must be protected with approved malware tools and be running current versions of operating systems — in short, they need to not be easily hackable. If devices don’t meet minimum requirements, they must be denied access, even if their users have proper credentials.
There are many simple security measures that can be put in place that are often overlooked by small firms. For example, firms should require complex passwords that change every 90 days. Data should be encrypted both at rest and in transit. Multifactor authentication should be in place, requiring information beyond a password to access email and systems in order to thwart attackers if credentials are compromised. Internal systems should always be up to date, with all hardware and software continually patched to prevent third parties from taking advantage of known flaws.
Incredibly important is security awareness training: Employees should undergo regular security awareness training on current threats. End-users are the final line of defense for your organization, and if they aren’t familiar with what to look out for or how they should react, they won’t. Security measures are only useful if your employees understand why and how to use them.
GOING FORWARD
Small firms are realizing they haven’t taken all the necessary steps to optimize their security posture. Now is the time to address your most critical security gaps.
No firm can implement foolproof security in a single effort. From a budgetary perspective, there are only so many things you can do at once. From a user perspective, there’s only so much change you can impose upon your staff. Your firm’s security posture should continually evolve to meet the changing threat landscape.
Consider what is most critical today — things like security awareness training, enforcing password complexity and encrypting devices — and implement that first. Then consider what you want to focus on next year and your wish list for the future.
The key to security is constant evolution and addressing it in a way that’s supportive of the main goal of your business: serving your clients. The right security implementation will give you all of the tools and practices you need to keep your firm safe without interfering with your ability to provide great client service and generate revenue for the firm.