BP Perspective Insights from a Business Partner

A Comprehensive Guide to Layered Data Security for Law Firms

While we have long advocated for law firms taking a layered approach to their security, the increasing number and sophistication of attacks necessitate that legal professionals take a fresh look at their defenses and examine where additional security measures might be deployed. That requires understanding the overall concept of layered security and the aspects that need to be covered. 

Eric Hoffmaster

This article aims to demystify the layers involved in creating a robust data security posture and provide guidance on prioritizing security budgets for the coming year.

UNDERSTANDING LAYERED DATA SECURITY

Layered data security means implementing different security solutions and controls in different areas of the organization. This approach ensures that if one layer is compromised, others are still in place to prevent further infiltration. No single layer of protection is sufficient: attacks can be complex, target several areas at once, or be effective only after breaching multiple layers, so an effective cybersecurity posture requires combining multiple layers with redundancy between them.

This is particularly crucial for law firms due to the sensitive nature of the information they handle.

If no single layer is sufficient, how many are needed? Different companies have different areas of potential risk based on which technologies they use, how they use them and the distribution of their workforce.

Here are some key areas and common types of protection for each. An effective layered data security strategy combines one or more solutions in each of these areas.

1. Perimeter Security

  • Firewalls act as the first line of defense, controlling incoming and outgoing network traffic based on predetermined security rules.
  • Intrusion detection and prevention systems (IDPS) monitor network traffic for suspicious activity and can take automatic actions to thwart attacks.

2. Network Security

  • Virtual private networks (VPNs) encrypt internet connections to ensure secure remote access for employees.
  • Network segmentation divides the network into smaller, isolated segments to limit the spread of potential breaches.

3. Endpoint Security

  • Antivirus and anti-malware software protects individual devices from malicious software.
  • Endpoint detection and response (EDR) and managed detection and response (MDR) are enhanced versions of antivirus software that often use behavior-based detection, artificial intelligence and dynamic protection to provide continuous monitoring of, and response to, advanced threats on endpoints.

4. Email Security

  • Email authentication uses protocols like DMARC, DKIM and SPF to ensure inbound and outbound emails are validated and legitimate.
  • Phishing and spoofing protection detects and prevents email phishing and spoofing threats before the emails reach the recipient.
  • Dangerous URL and file protection identifies malicious links and files in emails and keeps users from accessing them.
  • Secure email delivery allows for secure, encrypted emails with external parties to protect email content.
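The email authentication bullet above can be made concrete with a small assessment script. This is an added example, not code from the article or its author: it parses an SPF record and a DMARC record (constructed sample strings below, in practice fetched from the domain's DNS TXT records) and reports the gaps a defender would look for, such as a soft-fail `~all`, a DMARC policy of `p=none`, or a missing reporting address. The domain names and addresses in the samples are placeholders.

```python
"""Assess the strength of a domain's SPF and DMARC records.

Added example, not part of the article. The record strings below are
constructed samples; in practice they would be fetched from DNS
(the TXT record at the domain for SPF and at _dmarc.<domain> for DMARC).
"""
import re

# Constructed sample records for a hypothetical firm domain (placeholders).
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.example-mailer.invalid ~all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong": {
        "spf": "v=spf1 mx include:_spf.example-mailer.invalid -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid; pct=100",
    },
}

# Mechanisms that each cost one DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return (all_qualifier, lookup_count) or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record):
    """Return a dict of DMARC tags, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record")
    else:
        all_q, lookups = spf
        if all_q is None:
            findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
        elif all_q == "+":
            findings.append("SPF: '+all' authorizes every sender")
        elif all_q in "~?":
            findings.append(f"SPF: '{all_q}all' is soft-fail/neutral, spoofed mail is still delivered")
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: policy p={policy or 'missing'} does not reject failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, aggregate reports are not collected")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct}, policy applied to only part of the mail")
    return findings


if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(label, assess(recs["spf"], recs["dmarc"]) or ["no findings"])
```

The "weak" sample is what many domains look like after a first-pass setup: a soft-fail SPF and a monitoring-only DMARC policy, which together let spoofed mail through while reporting nothing back. The "strong" sample is the enforcing configuration the bullet is aiming at.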

5. Data Security

  • Encryption protects data at rest and in transit to ensure that even if data is intercepted or accessed without authorization, it cannot be read.
  • Data loss prevention (DLP) keeps sensitive information from being shared or leaked outside the organization.

6. Identity and Access Management

  • Multifactor authentication (MFA) adds an extra layer of security by requiring multiple forms of verification before granting access.
  • Privileged access management identifies and manages user accounts that have elevated privileges and access to systems.
  • Role-based access control (RBAC) restricts system access to authorized users based on their roles.

7. Physical Security

  • Access controls include the use of keycards, biometric scanners and security personnel to control physical access to facilities and systems.
  • Environmental controls include measures such as surveillance cameras, alarms and secure server rooms to protect hardware from physical threats.

8. Security Policies and Training

  • Security awareness training educates employees on recognizing and responding to security threats.
  • Incident response plans provide a detailed guide for responding to security breaches to minimize impact and ensure a swift recovery.

DEVELOPING YOUR LAYERED SECURITY STRATEGY

With so many different layers available for each area, where do you start?

First, you don’t have to immediately implement a bunch of different security controls and solutions. Rushing to implement multiple security controls simultaneously means you may not be able to focus on the efficacy of each one, and implementing multiple controls that are ineffective may be just as bad as not implementing them at all.

Start by thinking through each area that is applicable to your business, then prioritize the areas that have the biggest impact or would create the most damage if there were a breach. Secure that area effectively, then move on to the next area on the priority list. Be methodical about choosing a solution, understanding the solution, customizing it as needed and implementing it — doing one thing at a time. Often with these security solutions there is end-user impact, and a successful rollout requires planning and end-user training and support.

When considering your security strategy, it is important to keep in mind the impact on your employees, their workflows and productivity. Security controls and solutions often impede productivity — that’s the nature of the beast. For example, with an MFA system, you must enter your password and use another form of authentication like a code, key or biometrics. That inherently slows down the login process, in exchange for assurance that the person logging in is legitimate. It is easier to begin the security journey by implementing solutions with the least impact on users to ease the team into security changes.

As for cost, there is a balance between keeping your business secure and keeping it running. Focus on either of those too heavily and your business will suffer. Without enough security, however, it’s only a matter of time before your firm is breached and client data compromised. The impact on a firm after such a breach can be catastrophic and may potentially cause its collapse.

In general, the most impactful areas and layers to prioritize are endpoint security, email security and multifactor authentication. These areas tend to be the most dangerous in terms of malicious activity, attack surface and impact to the business. A common approach might be to add endpoint protection first. Once that has been successfully deployed, move on to multifactor authentication, then email security. After both of those have been done, layer in data security, perimeter security and/or network security. Continue until each area is covered.

A layered approach to data security is essential for protecting law firms from the evolving landscape of cyberthreats. By understanding and implementing multiple layers of security, law firms can build a robust defense that safeguards sensitive information. Prioritizing the right areas in your security budget will help ensure that your firm is prepared to face any challenges that come its way.

Eric Hoffmaster joined Legal Management Talk to go in-depth about what data security layering looks like and how to implement it at your organization. He also talks about what layers may be necessary to qualify for cyber insurance and how artificial intelligence (AI) is enhancing the risk of a cyber breach. Tune in today!