In today’s law firms, most IT professionals view user behavior, and the lack of training to prevent those behaviors, as the top risk to security. Indeed, user behavior and training ranked as a greater concern than ransomware or any threat actor tactic that exploits users, who are key drivers of organizational productivity. However, there is one unassailable truth: users are human, and they will always be fallible no matter how much training you throw at them. Thus, blaming them, or focusing narrowly on securing their behaviors, will not produce the defensive actions that actually secure the organization.
In cybersecurity, simple solutions rarely solve holistic problems; for every complex problem, there is usually a simple solution, but it never addresses the complete issue. Complex problems require complex solutions with a dedicated focus on delivery. Firm IT, with support from leadership, must take a stronger stance to defend systems — assuming users will make mistakes — while also training these users to reduce risk on multiple fronts.
A recent research report issued by Conversant Group and the International Legal Technology Association (ILTA) titled "Security at Issue: State of Cybersecurity in Law Firms" shows that users only present risk when they click the wrong link, open the wrong attachment, access the wrong website or conduct other risky behaviors. Firms can dramatically reduce these risks by using controls that eliminate these options from their users. Many of today’s firms expect users not to engage in risky behaviors but still enable those behaviors. Data from the report shows that 90% of firms do not block or restrict external file hosting sites and 72% do not automatically enforce encryption of email through content examination. This would be like an airport TSA checkpoint listing forbidden, hazardous materials, but failing to scan for them, putting the onus of security on the traveler. Simply put, threat actors exploit users because organizational controls allow them to.
The recommended remedy is to stop allowing and start blocking. Today, systems are largely open by default and blocked by exception; for better security, they must move to closed by default and open by exception. Otherwise, firms are making security optional, at the whim of human foibles with potentially disastrous consequences.
Firms should move toward a policy of zero-trust: trust no one and nothing by default. Zero-trust assumes that everything poses a risk to the organization unless proven otherwise and implements security policies to mitigate that risk. Following the policies of zero-trust, for example, firms should choose one IT-vetted password vault and block all others; choose one browser and block all others; choose one file-sharing platform and, by default, block all others (and so on). All necessary exceptions should be tracked on a risk register.

Once a threat actor controls a user’s endpoint, that threat actor can move through and access your systems exactly as freely as the endpoint and user account can. Systems are simply not designed to detect and block a threat actor accessing them from an approved device and user account when those systems are open by default. Thus, the tools a firm might purchase for remote control, like ScreenConnect, SolarWinds, ManageEngine, Bomgar, etc., can also be used by a threat actor for the same purpose. Risks must be managed from this paradigm: if a user or IT admin can do it, assume that a threat actor can as well.
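The "closed by default, open by exception" model described in the two passages above (blocking non-vetted file hosting and enforcing one vetted tool per category, with every exception tracked on a risk register) can be expressed as a small policy evaluator. The following is an added example written for this article, not code from the report or from any vendor; the categories, tool names, register entries and the evaluation date are all constructed sample data.

```python
"""Default-deny policy evaluator: one vetted tool per category, everything
else blocked unless a live, owned, expiring entry exists on a risk register.
Example code added to illustrate the article; all values below are constructed."""
from dataclasses import dataclass
from datetime import date

# One IT-vetted choice per category. Any category not listed here has no
# "open" default at all. Tool names are hypothetical placeholders.
APPROVED = {
    "password_vault": {"vault-a"},
    "browser": {"browser-x"},
    "file_sharing": {"share-corp"},
    "remote_control": {"rc-tool"},
}


@dataclass(frozen=True)
class RegisterEntry:
    """One tracked exception on the risk register."""
    entry_id: str
    category: str
    item: str
    owner: str
    justification: str
    expires: date


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample register: one live exception and one that has lapsed.
REGISTER = [
    RegisterEntry("RR-001", "file_sharing", "share-vendor", "litigation-support",
                  "document exchange with opposing counsel", date(2024, 12, 31)),
    RegisterEntry("RR-002", "remote_control", "rc-legacy", "it-ops",
                  "legacy appliance support", date(2024, 1, 31)),
]
TODAY = date(2024, 6, 1)  # constructed evaluation date


def evaluate(category: str, item: str, register: list[RegisterEntry], today: date) -> Decision:
    """Decide whether `item` may be used for `category`. Deny is the fallthrough
    for every path: unknown category, non-vetted tool, or expired exception."""
    # Rule 1: a category with no policy is closed, not open.
    if category not in APPROVED:
        return Decision(False, f"no policy for category '{category}'; closed by default")
    # Rule 2: the single vetted tool is allowed outright.
    if item in APPROVED[category]:
        return Decision(True, f"'{item}' is the vetted {category}")
    # Rule 3: anything else needs a register entry that has not lapsed.
    for entry in register:
        if entry.category == category and entry.item == item:
            if entry.expires < today:
                return Decision(False, f"exception {entry.entry_id} expired {entry.expires}; "
                                       "re-approval required")
            return Decision(True, f"exception {entry.entry_id} (owner {entry.owner}) "
                                  f"until {entry.expires}")
    return Decision(False, f"'{item}' is not the vetted {category} and has no register entry")


def register_health(register: list[RegisterEntry], today: date) -> dict:
    """Summary for periodic review: expired entries are denials waiting to happen."""
    expired = sorted(e.entry_id for e in register if e.expires < today)
    return {"total": len(register), "expired": expired}


if __name__ == "__main__":
    checks = [("browser", "browser-x"), ("browser", "browser-y"),
              ("file_sharing", "share-vendor"), ("remote_control", "rc-legacy"),
              ("ai_assistant", "assistant-z")]
    for category, item in checks:
        d = evaluate(category, item, REGISTER, TODAY)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {category}/{item}: {d.reason}")
    print(register_health(REGISTER, TODAY))
```

The design point is that every branch other than "vetted tool" or "live exception" ends in a denial, and each allowed exception carries an owner and an expiry, so the register doubles as the audit trail leadership can review when weighing convenience against risk.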
Finding the right balance in a security program can be a difficult exercise with multiple points of pressure, and we are very familiar with the many challenges law firms face in staffing, resources and time dedicated to security. We also are aware that firm IT and CISOs must work with firm leadership to gain approval for changes that impact organizational efficiency and budgets. Yet it is imperative to organize firm defenses against these threats rather than around user convenience. Because you can’t ever control the actions of your users, IT must take charge at the level of the controls and then educate users on why these controls are necessary, and this stance must be supported with the full advocacy and buy-in of leadership. User training is still important (it provides a multi-pronged approach to addressing risk — a layered strategy). However, it is necessary to shift the paradigm of the law firm security approach away from users and toward stronger controls.
Emphatically, no. The core issue is that systems are open by default, and this configuration must change. Additionally, many law firms have not invested in adequate security operations center (SOC) services or in lateral movement and backup defenses to prevent a non-recoverable mass destruction event, but they should consider them as part of a more comprehensive security program.