Downloading an app to your work phone without consulting the IT staff isn’t recommended, but it shouldn’t be banned and it can be managed.
This was one of several key takeaways from the Committee on Technology and the Legal Profession’s Second Annual Cybersecurity Thought Leadership Conference.
As remote work has evolved over the last 12 months, the committee has issued several recommendations to help keep members safe on issues including Shadow IT, Business Email Compromise, Multifactor Authentication and Bring Your Own Device (BYOD).
Shadow IT
Using flash drives, social media apps or other technology outside the control of the firm’s IT department, a practice known as Shadow IT, is seen as risky by information security and management professionals. However, the risk is not so great that it cannot be managed. In fact, experts argue that Shadow IT should not be banned outright, because a ban would stifle innovation.
The committee acknowledges that the pandemic has created many challenges for organizations, but, “unless an organization provides all remote hardware and software for remote staff and then locks the system down completely, there is going to be Shadow IT.”
Instead, the committee recommends organizations “develop an approach to better manage Shadow IT use, and monitor activity on their systems, to address these risks.” Policies, procedures and best practices for Shadow IT can strike the right balance between flexible, innovative technology adoption and effective risk management.
Business Email Compromise
As recently as 2019, Americans lost more than $700,000 to ‘Nigerian Prince’ email scams. Business Email Compromise (BEC) is a form of funds-transfer fraud in which the perpetrator impersonates the legitimate owner of an email account, either by spoofing the address or by taking over the account itself, and tricks the recipient into sending money, under false pretenses, to accounts the perpetrator controls.
The legal industry, particularly real property law firms, is considered a prime target for BEC. Examples include theft of down payments and fraudulent requests for escrow disbursements.
Law firms are generally considered not to be doing enough to protect themselves, which also makes them an attractive target. No firm is too small to be hacked, and even the most tech-savvy attorneys can fall victim to these schemes.
Simple ways for attorneys to protect themselves include enabling two-factor authentication on email accounts, not opening email or attachments from unfamiliar senders, and double-checking the sender’s actual address (not just the display name) before acting on any payment request. Any change to wire or escrow instructions should be confirmed by telephone using a number already on file, never one supplied in the email itself. Continued training for staff is essential.
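The "double-check the sender's address" advice above can be partly automated. The following is an added example, not code from the conference or the committee: it parses a message's From and Reply-To headers and reports the header-level BEC red flags an attorney would otherwise have to spot by eye (a display name that carries a different address than the real sender, a lookalike of a trusted partner domain, a business contact writing from public webmail, and a Reply-To pointing somewhere else). The trusted-domain list, the webmail list, the confusable-character table and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains the firm regularly exchanges
# funds with. A real deployment would load these from the firm's records.
TRUSTED_DOMAINS = {"smithlaw.com", "firsttitleescrow.com"}

# Constructed for this example: public webmail domains. A partner who
# normally writes from a business domain suddenly writing from one of
# these is a classic BEC pattern.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Character swaps attackers use to build lookalike (typosquat) domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and fold common confusable substitutions."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def imitated_domain(domain: str):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize_domain(domain) == normalize_domain(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def check_sender(raw_message: str) -> list:
    """Return (code, detail) pairs for each BEC red flag found in the headers."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    flags = []

    # 1. The display name carries an address whose domain differs from
    #    the real sending address (display-name spoofing).
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and domain_of(embedded.group(0)) != from_domain:
        flags.append(("display-name-mismatch",
                      f"display name shows {embedded.group(0)} but mail is from {from_addr}"))

    # 2. The sender domain is a lookalike of a trusted partner's domain.
    imitated = imitated_domain(from_domain)
    if imitated:
        flags.append(("lookalike-domain", f"From domain {from_domain} imitates {imitated}"))

    # 3. A supposed business contact is writing from free webmail.
    if from_domain in FREEMAIL_DOMAINS:
        flags.append(("freemail-sender", f"From domain {from_domain} is public webmail"))

    # 4. Replies are silently redirected to a different domain, which may
    #    itself be a lookalike of a trusted one.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply-to-mismatch", f"Reply-To {reply_addr} differs from From domain {from_domain}"))
        imitated = imitated_domain(reply_domain)
        if imitated:
            flags.append(("lookalike-domain", f"Reply-To domain {reply_domain} imitates {imitated}"))

    return flags


# Constructed sample headers; neither is a real message.
LEGIT_MESSAGE = (
    "From: Jane Smith <jane@smithlaw.com>\n"
    "Subject: Closing documents\n"
    "\n"
    "Attached are the signed closing documents.\n"
)
SPOOFED_MESSAGE = (
    'From: "Jane Smith (jane@smithlaw.com)" <jsmith.legal@gmail.com>\n'
    "Reply-To: jane.smith@srnithlaw.com\n"
    "Subject: URGENT: updated wire instructions for today's closing\n"
    "\n"
    "Please send the down payment to the new account below.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, check_sender(raw) or "no red flags")
```

These checks catch spoofed and lookalike senders, which is most of what "double-check the address" means in practice. They cannot catch the other BEC variant the text describes, a genuinely compromised partner account, because every header in that case is authentic; that is why the telephone confirmation of changed wire instructions is still required.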
Multifactor Authentication
Multi-factor authentication (MFA) adds a second factor, such as fingerprint recognition or facial identification, on top of a password, so that a stolen, phished or reused password alone is not enough to log in. Eventually, passwords might be replaced altogether by some type of biometric authentication, such as fingerprint, iris or face scanners, especially as they become more affordable and secure. Unlike a password, a biometric cannot be changed if its stored template is stolen, so it is best used as one factor alongside another rather than as the sole credential.
Law firms may struggle with the adoption of MFA technologies because of their complexity, with lawyers viewing them as overly complicated or burdensome, even when firms need to use MFA to reduce business risk and/or comply with regulatory requirements.
Organizations could also consider a centralized identity provider (single sign-on), so that identities are securely documented, stored and authenticated in one place and MFA is enforced once for all connected applications rather than configured app by app.
Bring Your Own Device
The use of mobile devices in a BYOD setting amplifies the risks associated with remote work. Risks increase further when multiple devices are in use at the same time, and when devices are “merged” as old ones are retired, new devices come online and electronic information is transferred to or consolidated into a new device.
The committee recommends that public and private entities should have in place or develop policies that set parameters and rules for the use of mobile devices. The notice and distribution of these policies should be unequivocal and complete.