People + Access = Biggest Security Threat

I recently read an article comparing the security of on-premises solutions to hosted (“cloud”) solutions. The author, who sells a cloud-based practice management system, asserted that hosted solutions are much more secure. I couldn’t resist commenting—pointing out his conflict of interest and asserting that there is nothing inherently more secure about cloud solutions. Such articles cause confusion and give people a false sense of security.

Rather than spreading fear and misinformation about on-premises or hosted solutions in an effort to drive sales of software, we should be offering constructive feedback about training personnel to be more secure. The issue is about access—be it physical or electronic. Edward Snowden had electronic access which enabled him to take data, no matter whether he took it from where he sat, from another building, or from the cloud (wherever that is for the NSA).

The biggest security threat is people. Social engineering is the simplest way for hackers to get to sensitive data. You don’t need to be Tom Cruise, lowering yourself on a wire into the NSA vault, to steal data. All you need is to get someone’s credentials or plant malware (think keylogger) onto a computer and you’re in. We need to be talking about security holistically, and training people to avoid being taken advantage of via social engineering.

If firms spend all their time focused only on buying firewalls and intrusion prevention systems, they’re missing the point. If a firm selects a cloud solution for its finance/practice management or its document management system and thinks there’s nothing more to worry about because the vendor is secure (and some vendors sell their solutions on such claims), their complacency is a guaranteed recipe for disaster.

People re-use passwords across multiple accounts (Facebook, LinkedIn, Gmail, etc.), including at services that have had their username and password databases stolen. Once a leaked e-mail address and password pair is in hand, it is easy to try the same pair against that person’s other accounts, the firm’s systems included, and get in. People also share passwords, and they choose simple ones: passwords that a computer running a basic “dictionary attack” can guess in seconds.

It doesn’t matter where data resides. If credentials are that simple, or have been cavalierly shared (as I have witnessed numerous lawyers doing), imagine how easy it is for someone else to log in to that cloud solution—the one the vendor touts as being accessible anytime, anywhere, from any device—and access the firm’s data. Do those firms audit every login? Some might review that information on their internal systems, but few, if any, do so on cloud solutions. Does that mean that on-premises solutions are therefore more secure? Not necessarily.
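What auditing those logins actually looks like, as an added example that is not from the original article: a Python script that reads a constructed sign-in export from a hypothetical cloud application and flags the three patterns that the password reuse and guessing described above leave behind (one source failing against many different accounts, a success right after a run of failures on one account, and a successful sign-in from a source the firm has never seen). Every record, account name and address below is made up for illustration, the tab-separated layout is an assumption rather than any vendor’s real format, and the “known sources” baseline stands in for the firm’s office addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in export from a hypothetical cloud application:
# timestamp, user, source IP, result, tab-separated. Every record, name and
# address below is made up for illustration; the layout is an assumption.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z\tasmith\t203.0.113.10\tSUCCESS
2024-03-04T08:03:45Z\tbjones\t203.0.113.10\tSUCCESS
2024-03-04T22:14:02Z\tcwhite\t198.51.100.77\tFAILURE
2024-03-04T22:14:05Z\tdgreen\t198.51.100.77\tFAILURE
2024-03-04T22:14:09Z\tasmith\t198.51.100.77\tFAILURE
2024-03-04T22:14:13Z\tbjones\t198.51.100.77\tFAILURE
2024-03-04T22:14:16Z\tbjones\t198.51.100.77\tFAILURE
2024-03-04T22:14:20Z\tbjones\t198.51.100.77\tSUCCESS
2024-03-04T23:30:00Z\tdgreen\t203.0.113.10\tSUCCESS
2024-03-05T09:00:00Z\tasmith\t203.0.113.11\tFAILURE
2024-03-05T09:00:07Z\tasmith\t203.0.113.11\tSUCCESS
"""

# Source addresses the firm already knows (constructed baseline standing in
# for the office egress addresses). Anything else is "anywhere, any device".
KNOWN_SOURCES = {"203.0.113.10", "203.0.113.11"}


def parse_log(text):
    """Turn the export into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def find_sprays(events, window=timedelta(minutes=10), min_accounts=3):
    """One source failing against several different accounts in a short
    window: a leaked username/password list being replayed against the firm."""
    findings = []
    failures_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append(e)
    for ip, fails in failures_by_ip.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                findings.append(("spray", ip, tuple(sorted(users))))
                break  # one finding per source is enough to start triage
    return findings


def find_guess_then_success(events, window=timedelta(minutes=30), min_failures=2):
    """Repeated failures on one account from one source, then a success:
    the moment a dictionary attack or a reused password gets in. A single
    mistyped password followed by a success stays below the threshold."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            fails = [t for t in recent_failures[key] if e["ts"] - t <= window]
            if len(fails) >= min_failures:
                findings.append(("guessed", e["user"], e["ip"], len(fails)))
            recent_failures[key] = []
        else:
            recent_failures[key].append(e["ts"])
    return findings


def find_unfamiliar_sources(events, known=KNOWN_SOURCES):
    """Successful sign-ins from a source the firm has never seen before."""
    return [("new_source", e["user"], e["ip"])
            for e in events if e["ok"] and e["ip"] not in known]


def audit(text, known=KNOWN_SOURCES):
    """Run every check over one export and return the combined findings."""
    events = parse_log(text)
    return (find_sprays(events)
            + find_guess_then_success(events)
            + find_unfamiliar_sources(events, known))


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The thresholds are deliberately conservative so that a lawyer mistyping a password once at the office (the asmith entries on 5 March) is not reported, while the burst from 198.51.100.77 is flagged by all three checks. Whatever format a vendor exports, the checks are the same; the gap the paragraph describes is that nobody at the firm runs them.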

Physical security matters. One law firm I know recently announced ISO 27001 certification (of just its data centre). Another large firm was proudly certified a few years ago on its document management system. Those announcements are a farce; what about all of the physical files moving around their firms or data on other systems? File folders, documents on printers, mail—none of those were covered by either firm. With no controls on physical files, and without training on handling those files securely, those firms may as well have openly challenged hackers to attack them. I’ve heard countless stories of people leaving computers, file folders, entire briefcases in taxi cabs, at restaurants, and in other offices.

So, what’s the point? Firms need to spend more time focused on training. They need to train, test, and remind personnel about the numerous dangers. Responsible firms take security more seriously. They hire experts to perform penetration tests. They hire experts to perform social engineering tests to try and trick personnel into giving away sensitive information. They perform physical audits to look for easy access to sensitive data such as printed files, mail in the post room, anything. They hold regular security and awareness training. If lawyers don’t know what to look for or how to recognize the more sophisticated threats, they are far more likely to fall victim to them. If they aren’t regularly tested, firms can’t truly claim to be prepared or be secure. Good luck with that secure cloud solution.

About Ben Weinberger

Ben Weinberger is the Chief Strategy Officer for Phoenix Business Solutions where he helps formulate strategy and message to market for a global software and services provider. He is a qualified lawyer and technology leader with more than 20 years of experience in the strategic development, transformation, and direction of IT and operations in a variety of public and private organizations. He previously served in senior executive roles for a top-40 UK law firm, two AmLaw 200 firms, and the Los Angeles City Attorney’s Office. As a consultant, Ben completed projects at several multinational organizations including The Walt Disney Company and Chevron. As a lawyer, he advised professional regulatory boards for the State of Illinois and completed a federal judicial clerkship. He is a regular speaker on such topics as Information Governance and Emerging Technologies and Transformational Trends in Professional Services. He holds a BA in Economics from the University of Michigan and a JD from the University of Wisconsin.
