6 Ways To Protect Law Firms From Cloud Security Risks
Law firms are just as likely, if not more likely, to face a cyber-attack because of the confidential nature of their business. Teaching lawyers and other staff the basics of cybersecurity will do much to protect the company, but, increasingly, automated services can provide protection as more legal business is done in the cloud.
Gone are the days (almost) of faxes and envelopes containing weighty contracts and other legal documents. Most firms require cutting-edge business efficiency with digitally signed documents winging their way around the internet in seconds to clients. These documents are increasingly created by automated services, with lawyers providing oversight and their critical knowledge as the pace of law continues to pick up.
As most law firms slowly adopt cloud services, for everything from accounting to document and case management, they are required at both compliance and business-peace-of-mind levels to ensure that data is protected at every step. The American Bar Association’s latest cloud computing survey asks and answers the question on many law firms’ minds, “Is the cloud secure enough for law firms? With so much prominence placed on data security, cloud-based software can be a powerful way to get your firm in order.”
1. Humans are still the weakest link
As ever, security starts with people. Lawyers, legal secretaries, and all other staff must be taught from day one to be suspicious of rush requests for financial information, email attachments, even phone calls that could be from a “senior partner”, but might be part of a criminal scam.
Technology does help, with firewalls and malware scanners checking each and every email or file, but solid training during onboarding, and ensuring staff only have access to appropriate information stores will help protect the business. Also, removing all privileges when interns, paralegals, and other staff change department or leave will protect the business from insider and disgruntled leaver attacks or abuse of power.
2. Build in strong access protection
Firms should already be asking staff to use passphrases instead of passwords, and update them every few months to minimise the risk of a password-based breach. Even though we are all encouraged not to, most people still use only a few passwords. So, one breach of a shopping website where an employee used a company email address to buy office supplies can easily become a hacker’s way into the business.
Improving security through two-factor authentication (2FA) and other means will also help when lawyers are working from home or traveling, with their business mobile device providing a secondary layer of security, either through an SMS message or using apps like Authenticator.
3. Encryption across the business
Local encryption on servers is a common way for legal operations to protect documents at the file level. This allows only recipients with the key (sent separately) to read the document. However, as files increasingly move between multiple applications and services, data needs to be encrypted across networks and clouds.
To ensure compliance with local and international storage rules, law firms must increase their security, as email, VPNs, and other methods all have some weak points. Using end-to-end encryption ensures secure file storage and sharing across networks, but the firm’s IT team needs to understand the layers and levels of encryption across their clouds.
For example, “Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.” But that doesn’t mean your data is safe if it leaves Google’s cloud.
4. Load balancers are the multitool for the cloud
Larger firms have many cloud servers and services in operation. Load balancers originally shared those resources fairly among users, but have evolved to become smarter tools, providing application security features, often including pre-authorization and single sign-on, web application firewalls and advanced traffic management as part of the service to protect legal data.
5. Firewalls everywhere
Firewalls and antivirus or malware tools remain the stalwart of all business security efforts, but are more flexible in their cloud forms, and often a part of other solutions (see Load balancers). But it is easy, especially for firms without extensive IT resources, to think that one firewall does it all.
However, office firewalls (be they software or hardware) only protect incoming data, deciding if it is safe or not. Methods include packet filtering, a rules-based approach or using proxy servers and application gateways to allow or block certain types of data. Cloud and web application firewalls do a similar job but protect legal documents and services outside the business: they protect web apps by blocking malicious internet traffic traveling to the application, and prevent unauthorized data from leaving the app through policy-based tools. Increasingly automated, firewalls do an endless job protecting law firms.
6. The power of automated compliance
Compliance is a dominant mantra across legal and regulated industries, so it comes as no surprise that many cloud services offer automated compliance monitoring, with firms having to do little more than select which legislative regimes they fall under, and the compliance tools checking services and documents and bringing any issues to the attention of managers.
A layered defence is the best way to protect your law firm and its legal documents or services, using most or all of the tools at your disposal.
Secure Your Law Firm With Edgenexus Web Application Firewall
What is a Web Application Firewall?
The Edgenexus Application Firewall is a virtual appliance (isolated container) that protects web applications by controlling the conversation between the application and clients. It runs at the application layer and aims to fill the security gap that traditional firewalls fail to address. It can be downloaded via the app store here and new rules can be downloaded here.
Edgenexus Web Application Firewall Features
The Edgenexus Web Application Firewall incorporates industry-leading, hardened firewall technology to provide Layer 7 application protection for web-based applications.
How does the Edgenexus Web Application Firewall work?
The Edgenexus Web Application Firewall controls the input, output and access to and from an application by inspecting the HTTP conversation between the application and clients according to a set of rules.
These rules cover common attacks such as cross-site scripting (XSS), SQL injection, session hijacking and buffer overflows, which network firewalls and intrusion detection systems are often not capable of handling. The rules may also be used to enforce security policies required by PCI DSS or other security standards in order to block leakage of sensitive information like credit card numbers.
By customising the rules to your application, many attacks can be identified and blocked. The effort to perform this customisation can be significant and needs to be maintained as the application is modified. A set of PCI DSS rules comes as standard with the product and can be updated (assuming a valid support contract) via the software update function of the ALB-X.
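The outbound rule type mentioned above (blocking leakage of credit card numbers from application responses) can be illustrated in a few lines. This is an added example, not Edgenexus code or its rule syntax; the function names and the sample response body are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def filter_response(body: str):
    """Mask Luhn-valid card numbers in an outbound body.

    Returns (masked_body, hit_count); a policy layer can log, alert or
    block the whole response when hit_count is non-zero.
    """
    hits = 0

    def mask(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()    # e.g. a matter reference: leave intact
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(mask, body), hits


# Constructed sample response; 4111 1111 1111 1111 is a standard test number.
SAMPLE_BODY = (
    '{"client": "Constructed Client Ltd", '
    '"matter_ref": "1234 5678 9012 3456", '
    '"card_on_file": "4111 1111 1111 1111", '
    '"alt_card": "4111-1111-1111-1111"}'
)

if __name__ == "__main__":
    masked, hits = filter_response(SAMPLE_BODY)
    print(hits, masked)
```

The Luhn step is what keeps 16-digit matter or invoice references from being masked as false positives, which matters when the protected application serves legal documents full of reference numbers.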