10 Major Security Holes in Almost Every Law Firm
If you are a law firm, there's a good chance your security is critical to your success. It is equally likely that there are holes in your security you may not realize or be thinking about.
The security holes in most law firms make the organization a hacker's dream. If cyber criminals can find these holes and use them as a way in, they have a party on their hands. We know that is something you want to avoid.
We've listed 10 major security holes we see in almost every law firm. Read them and identify how many of them apply to your firm. If you have even one of these security holes, it is time to take action.
- No defined security permissions on file shares.
While we completely understand the convenience of everyone having access, this is a hacker's dreamland. When you combine this with some of the other weak security controls cited below (no two-factor authentication, no conditional access, no email logging, no security information management, no EDR, no ongoing security awareness training and testing, admin access to local machines without separation of privileged accounts, etc.) you create an open web of opportunity for hackers. The basic issue is that when a share is open, it is open to anyone and everyone, and when one person is compromised, everyone is compromised.
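One way to find this hole before an attacker does is to review the share-level ACLs for principals that amount to "everyone in the domain". The script below is an added example, not the article's or The IT Company's code. It assumes a CSV export in the shape Name, AccountName, AccessControlType, AccessRight (what a `Get-SmbShareAccess | Export-Csv` run on a Windows file server would produce); the rows, group names and list of "broad" principals are constructed for the example.

```python
"""Flag SMB shares whose share-level ACL gives broad groups access.

Added example (not from the original article). Input is a CSV export with the
columns Name, AccountName, AccessControlType, AccessRight; the sample rows
below are constructed. Only share-level permissions are modelled: NTFS
permissions on the folder must be reviewed as well, and explicit Deny entries
(which Windows evaluates before Allow entries) are not modelled here.
"""
import csv
import io

# Principals that effectively mean "every user". Granting them Change or Full
# on a share is the open-to-everyone condition the article describes.
# This list is an assumption; extend it with your own domain-wide groups.
BROAD_PRINCIPALS = {
    "everyone",
    "nt authority\\authenticated users",
    "builtin\\users",
}
# Domain-wide groups such as CONTOSO\Domain Users: matched on the part after
# the backslash so the domain prefix does not matter.
BROAD_GROUP_NAMES = {"domain users", "users"}

# Rights that let a member modify or take control of the share.
WRITE_RIGHTS = {"change", "full"}

# Constructed sample export (CONTOSO is a placeholder domain).
SAMPLE_EXPORT = """\
Name,AccountName,AccessControlType,AccessRight
Clients,Everyone,Allow,Full
Clients,CONTOSO\\Partners,Allow,Full
Litigation,CONTOSO\\Domain Users,Allow,Change
Litigation,CONTOSO\\Litigation-Team,Allow,Full
HR,NT AUTHORITY\\Authenticated Users,Allow,Read
HR,CONTOSO\\HR-Staff,Allow,Change
Finance,CONTOSO\\Finance-Staff,Allow,Change
"""


def is_broad(account: str) -> bool:
    """True if the account name is one of the everyone-style principals."""
    acct = account.strip().lower()
    if acct in BROAD_PRINCIPALS:
        return True
    _, _, short = acct.rpartition("\\")
    return short in BROAD_GROUP_NAMES


def audit_share_acls(csv_text: str) -> list:
    """Return one finding per Allow entry that grants a broad principal access.

    Write access for a broad principal is rated high; read access is rated
    medium, because for shares like HR even read-by-everyone is a problem.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"].strip().lower() != "allow":
            continue
        if not is_broad(row["AccountName"]):
            continue
        right = row["AccessRight"].strip().lower()
        severity = "high" if right in WRITE_RIGHTS else "medium"
        findings.append({
            "share": row["Name"],
            "principal": row["AccountName"],
            "right": row["AccessRight"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_share_acls(SAMPLE_EXPORT):
        print(f"[{f['severity']:6}] {f['share']}: {f['principal']} has {f['right']}")
```

Run it against a real export instead of the constructed sample by reading the CSV file into `audit_share_acls`; the medium findings are the ones a firm tends to overlook, because "Authenticated Users" reads as a restriction when it is really every account in the domain.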
- Users have local admin rights without separation of privileged accounts.
Often we hear firms tell us that many users, or in some cases all users, have local admin privileges with their standard Active Directory account. This is a failure to separate privileged accounts and is a major security weakness. When the standard user account (the one logged into for daily use) has full security privileges for the machine, it's like leaving the alarm system off and all the doors wide open. Bad actors can easily exploit users' machines through bad websites, phishing attempts, documents with scripts, etc.
- No two-factor authentication (2FA) for M365 and VPN.
Without 2FA on your Microsoft 365 accounts and your VPN, you are opening major gaps, and very likely have been compromised at some point already. M365 is the largest attack vector right now and is being exploited heavily through phishing attempts – it is low hanging fruit because so many people fail to employ 2FA. Once a bad actor has access to your M365 account they can traverse email, send emails, monitor email behavior in order to impersonate users, etc. You can imagine, with a law firm, the potential damage if someone could read sensitive email, monitor it and eventually begin to mimic users' email behavior, as one example.
- No conditional access on M365.
Conditional access is the set of policies inside email and the other M365 systems that define the specific rights users have, so that users cannot easily exfiltrate data, or have their data exfiltrated, without anyone noticing.
- No email logging and security event management.
This is like having a break-in when your cameras and security system don't log or retain data, so there is no way to see who broke in or what codes they used. Having logging and event management provides alerting when known threats or anomalous behavior are occurring, thereby increasing the speed of response (and reducing the time to resolve) for security issues. It also provides the forensic data needed to know when it happened, how it happened, and potentially who the bad actor was and what they did.
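The alerting that this passage and the 2FA passage above describe is simple rules run over retained sign-in events. The script below is an added example, not the article's or The IT Company's code, and not a vendor's detection content. The event lines are constructed and only loosely modelled on a cloud sign-in log: the field names (`time`, `user`, `ip`, `result`, `mfa`), the thresholds and the `example.test` accounts are assumptions.

```python
"""Three alerting rules over a batch of sign-in events.

Added example (not from the original article). Events are newline-delimited
JSON with constructed field names; thresholds are assumptions to tune.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP fails against five accounts in twenty seconds,
# then signs in as one of them without a second factor; alice is normal.
SAMPLE_LOG = """\
{"time": "2024-03-04T08:00:00", "user": "alice@example.test", "ip": "203.0.113.10", "result": "success", "mfa": true}
{"time": "2024-03-04T08:01:00", "user": "bob@example.test", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-04T08:01:05", "user": "carol@example.test", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-04T08:01:10", "user": "dave@example.test", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-04T08:01:15", "user": "erin@example.test", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-04T08:01:20", "user": "frank@example.test", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"time": "2024-03-04T08:09:00", "user": "carol@example.test", "ip": "198.51.100.7", "result": "success", "mfa": false}
{"time": "2024-03-04T09:30:00", "user": "alice@example.test", "ip": "203.0.113.10", "result": "success", "mfa": true}
"""

SPRAY_MIN_USERS = 5                   # distinct accounts one IP fails against
SPRAY_WINDOW = timedelta(minutes=10)  # inside this sliding window


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    events.sort(key=lambda e: e["time"])
    return events


def detect(text: str) -> list:
    """Return a list of alert dicts; each has a 'rule' key naming the rule."""
    events = parse_events(text)
    alerts = []

    # Rule 1: a successful sign-in that was never challenged for a second
    # factor. With 2FA enforced this list should be empty.
    for e in events:
        if e["result"] == "success" and not e["mfa"]:
            alerts.append({"rule": "no_mfa_success", "user": e["user"],
                           "ip": e["ip"], "time": e["time"].isoformat()})

    # Rule 2: password spray. One source IP failing against many different
    # accounts in a short window; per-IP sliding window over the failures.
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > SPRAY_WINDOW:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"rule": "password_spray", "ip": ip,
                               "users": sorted(users),
                               "time": fails[end]["time"].isoformat()})
                break  # one alert per source IP is enough

    # Rule 3: a success from an IP already flagged for spraying. This is the
    # one to act on first: the spray found a working password.
    spray_ips = {a["ip"] for a in alerts if a["rule"] == "password_spray"}
    for e in events:
        if e["result"] == "success" and e["ip"] in spray_ips:
            alerts.append({"rule": "success_after_spray", "user": e["user"],
                           "ip": e["ip"], "time": e["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

The point of the example is the dependency: rules 2 and 3 only work if failed sign-ins are logged and retained, and rule 1 only has meaning if the log records whether a second factor was used. A firm with the "no logging" hole cannot run any of them after the fact.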
- No security event management on the VPN and firewall.
This is exactly the same as above, only it pertains to all of the traffic coming to and from the network from the internet. Combine this with all of the other weak security controls and you have very limited, if any, means of detecting, alerting on and remediating security incidents.
- No end-point detection system.
A lot of firms are not implementing AI and machine learning based, pattern-building EDR systems. Rather than relying on old-school anti-virus signature files, these systems use AI and ML to learn common, normal behaviors and begin to take action when odd behaviors take place. They still do the old-school signature matching as well, but they shine on "zero-day" exploits, where bad actors use code execution, macros, and other harder-to-detect methods.
- No ongoing security awareness testing and training.
The best defense is a well trained and educated workforce, and “phish testing” them regularly is the best way to see how they would respond, and who are your more susceptible targets in the organization and therefore where you need to direct training, help and additional security controls.
- Lack of Internet Content Control and DNS Level Filtering.
We understand the need for certain members of your team to have "deeper" access to sites because of the nature of what they do, but this should not preclude a company from investing in strong internet content and DNS filtering controls. This alone can stop 80-90% of issues by stopping people from making bad mistakes about which websites to visit, etc. The controls can also be set to allow access to sites when needed, while alerting you to the fact that these sites are dangerous.
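The "allow when needed, but alert" behavior described above is a policy decision the filter makes on every DNS query. The function below is an added example of that decision, not the article's code or any vendor's product; the category lists, group names and `.example` domains are constructed, and real filters take their categories from vendor feeds rather than a hand-written dictionary.

```python
"""Policy decision for a DNS-level filter with an allow-but-alert mode.

Added example (not from the original article). Categories, domains and group
names below are constructed placeholders.
"""

# Constructed category feed: category -> set of domains in that category.
CATEGORIES = {
    "malware": {"bad-downloads.example", "phish-login.example"},
    "file-sharing": {"anon-share.example"},
    "adult": {"not-for-work.example"},
}

# Categories nobody may reach, and categories a named group may reach with
# an alert raised each time (the "deeper access" case in the article).
BLOCK_ALL = {"malware", "adult"}
ALERT_ALLOW = {"file-sharing": {"litigation-support"}}


def category_of(qname: str) -> str:
    """Category of the queried name or of any parent domain, else None.

    Walking up the label hierarchy matters: blocking bad-downloads.example
    must also cover cdn.bad-downloads.example and any other subdomain.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for cat, domains in CATEGORIES.items():
            if suffix in domains:
                return cat
    return None


def decide(qname: str, user_groups) -> tuple:
    """Return (action, category) where action is allow, block or allow_alert."""
    cat = category_of(qname)
    if cat is None:
        return "allow", None
    if cat in BLOCK_ALL:
        return "block", cat
    if cat in ALERT_ALLOW and set(user_groups) & ALERT_ALLOW[cat]:
        return "allow_alert", cat   # let it through, but log and alert
    return "block", cat


if __name__ == "__main__":
    for name, groups in [("cdn.bad-downloads.example", ["partners"]),
                         ("anon-share.example", ["litigation-support"]),
                         ("anon-share.example", ["hr"]),
                         ("courts.example", [])]:
        print(name, groups, "->", decide(name, groups))
```

The `allow_alert` outcome is what lets a firm keep the control in place for everyone while still giving a specific team the access it needs, with a record of each such lookup rather than a silent exception.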
- Lack of policies and procedures, and of the requisite testing of those P&P.
You cannot rely on the heat of the moment to respond to an issue, you have to have well documented plans, policies, teams, responsibilities, then educate, train, test and update those on a regular basis. Very soon your cyber insurance companies will require these – as a matter of fact we’ve already seen our customers with cyber insurance have to get this done.
The goal is to think in terms of an incident or breach. Don't be naive in assuming you can stop it – instead assume it will happen, and put all of the pieces in place to:
Just as much as you don't want cyber criminals throwing a party at your expense, we don't want them throwing a party at your expense either. If you identified with any of these security holes, or have questions about what you can be doing to protect your firm, reach out to The IT Company today.