Staff behavior a chink in firms’ IT security arsenal

An IT expert says security should be a top priority for firms in 2015, with increased mobility – and potentially threatening staff behavior – a ‘big risk’ for firm clients.

 
Damian Huon, CEO of Huon IT, says law firms can do everything right in locking down their infrastructure and systems, but staff behavior would remain a significant risk.
 
“As consumer technology – such as iPhone apps – gets increasingly combined with the business world, staff will often find ways around the system, out of convenience or pure habit,” Huon explained. “A common example of this is when, if a staff member knows they need to work from home on a document, they upload it to their personal Dropbox so they can grab it later. Now suddenly the firm has their IP sitting outside their network and is helpless to control security. This also introduces other complications like a lack of versioning, access by other staff and backup,” he said.
 
Firms – and particularly ‘virtual’ law firms pioneering new advice models utilizing mobile and contracted lawyers – are being urged to provide education, write crystal-clear policies and make it as easy as possible for staff to comply with IT security. “Document management, file sharing and remote access should be reliable and straightforward to use, so staff don’t have to find backdoor ways to get their job done.”
 
Huon categorizes law firm IT security risk as falling into two main categories – external protection and internal systems. External protection refers to measures such as having the right firewalls, antivirus and other controls to protect systems and data from external intruders. Internal systems include document management with granular access control, as well as intrusion protection to stop internal users from inadvertently running malicious code in ‘cryptolocker attacks’.
 
Firms with a higher proportion of staff working from home or on the go need to assess how secure their remote access methods are, Huon said.
 
“This includes secure VPNs (virtual private networks), or web portal-based access such as Citrix and Windows Remote Desktop Services (RDS). Firms should also consider two-factor authentication through products like SafeWord or RSA,” Huon said.
 
“You also need to consider end-point protection of the device they’re working on, be it a laptop or mobile device, and whether it is personal or owned by the firm. If they are using it to access any corporate data, the firm needs to enforce a level of control including passwords, having the ability to remotely wipe devices, dictating mandatory software and security patch levels, and encrypting the device and even any external USB drives they might use,” he said.
 
Any firm with staff working remotely is particularly exposed to cyber security risk, according to Huon, which makes virtual firms “inherently vulnerable”. However, Huon says even ‘BigLaw’ firms have staff working from home after hours and on the road.
 
“With the plethora of devices accessing from literally anywhere in the world, your data is becoming more and more widespread and harder to control,” he said. “Whether you’re a sole practitioner, up-and-coming virtual firm or a global enterprise, IT security needs to be top of your priority list in 2015.”