Common IT risks in law firm IT systems – and what to do about them

IT SAFETY TIPS FOR LAW FIRMS, BY ANDREW EASTERBROOK

The purpose of this article is to scare some IT safety into you, dear lawyer. The security of any system is only as good as its weakest link. Understanding how your IT systems function and communicate with each other allows you to identify vulnerabilities that might be exploited. In this article I will explain how a typical law firm network and system might be set up, and how its component parts create risk.

Basic structure

A common setup might be something like this: Employees normally do their work from a computer physically located in an office. A login is required to access the computer, and the computer automatically locks if there is no activity for about five minutes. Once logged in, a user is able to access information on a server where client data is stored. That server might be located elsewhere in the office, in a data centre, or in an offshore cloud system accessed through a web browser. Access to client and firm data is managed by the firm’s client management system (CMS). Storage of any data outside that CMS is prohibited. Remote access is normally possible through either a VPN or a web browser (as with ActionStep).

Links in the chain

A system such as that described above relies on hundreds of linked components. A breach in any one of them could enable unauthorised access to your system. The most significant components are:

Devices

  1. Office computers that are linked to the network. An unauthorised person who can gain access to an unlocked computer will have the ability to do anything an authorised person can do.
  2. Other computers on the same network. This includes computers used outside the office (like those at home, connected through a VPN), devices in meeting rooms, and devices connected to the wifi network. A device connected to a firm network might be able to:
    1. Access information stored elsewhere on the network and copy it.
    2. Infect other devices on the same network with malware or ransomware.
  3. IT provider computers. The network security of your IT provider’s systems could be a weak point. If your IT provider has full access to your system, any unauthorised access to their systems could expose your system in turn.

Software

  1. The firm client management system. That software – like most software these days – is not likely to be developed entirely in-house. It will include pieces of code from public libraries. These pieces of code may have vulnerabilities that could put client data at risk.
  2. Other software on computers that have network access. A computer runs programs. Programs on a computer tend to have access to everything the computer itself has access to. If a user installs a program on their computer, that program could do something unintended or malicious, causing loss. There is no good way to know exactly what any given application might do behind the scenes. There is therefore no safe way to let users install programs of their choice.

People

  1. Users can’t be trusted: not necessarily because they are deliberate risk-takers, but because they often don’t understand that what they are doing is risky. For example, employees will try to get around security restrictions out of a genuine desire to make their job easier or simpler.
  2. Password security is very poor and the adoption of password managers is low. Users might not realise that if they use their firm password elsewhere, like on LinkedIn or Zoom, and if that system is hacked, the firm’s systems are exposed. No online service is safe from potential data breaches: Yahoo, LinkedIn, Facebook, MySpace and Adobe have all suffered from significant hacks.

Some scenarios

Here are some examples that show how a vulnerability in one part of the chain puts all other parts at risk.

You allow remote access via VPN. If a staff member’s home (personal) computer is infected with malware, that malware could jump across to your firm network. If an employee’s home PC is used by a teenager, who downloads a pirated movie which turns out to be ransomware, and your employee then logs into the firm network from that same computer, your firm network could be infected.

If an IT staff member working from home leaves their computer logged in, a flatmate or family member could easily gain full access to firm systems.

An inadvertent mistake made by an external software developer (e.g. Zoom) might result in stored passwords not being encrypted. The software is then hacked and logins published. Logins are easily tied to the firm because they include the employees’ email addresses. Your firm network can then be accessed, and client data could be lost or misused.

What to do

There is no perfect solution. All computer systems are likely unsafe to some degree. You can mitigate some of the risks by (at a minimum):

  1. Insisting that all employees use password managers and randomly generated passwords, and never re-use firm (or any) credentials anywhere.
  2. Tightly controlling remote access, and ensuring remote users are trained on security.
  3. Tightly controlling physical access to computers that have network access.
  4. Separating networks so that client data is not on the same network as client wifi. Only trusted devices should be allowed onto a network that can access client data.

This article was first published in ADLS LawNews on 10 September 2021.

Every effort has been made to ensure accuracy in this article. However, the items are necessarily generalised and readers are urged to seek specific advice on particular matters and not rely solely on this text.