Have you ever stopped to think about why your Internet security program updates on a fairly regular basis or why Microsoft, Apple, Adobe and other software companies release patches with similar frequency? The reason is that for all practical purposes computer security is something of a reactive defensive play. Internet security suites defend your computer or network from known and understood attacks. Once there is a new virus or other nasty program released by some cybercriminal, software and computer security companies investigate the malware and write code that will protect you from this new threat. Here is the problem. We all are potentially exposed to new and unknown attacks particularly if the computers that we're using have not been updated with the latest software updates or the most recent version of various programs. For example, Internet Explorer 6 is far more vulnerable than Internet Explorer 8 because the newer version has been written to be more secure.
Now, if we are all exposed to new threats, how much exposure is that and should we be worried? Consider this. The security company Symantec reported that in 2010 they identified 286 million distinct new malicious programs! Wow. Yes, most law firms have deployed Internet security software suites, intrusion detection systems, firewalls, and the like, and these efforts do make a significant difference. We trust that the efforts of our in-house IT staff or outside IT consultant will keep us safe. This is where the false sense of security comes from, because the interesting question is "Are these efforts enough?" The answer is no. While IT folks can do quite a bit and their toolbox of solutions will continue to get better, one significant vulnerability remains. It is a vulnerability that IT simply cannot control, and that vulnerability is us, the people who actually use the system.
As users, our actions can unintentionally circumvent the security tools that have been deployed. What we do with email, Internet browsing, downloading, social networking, and even how and where we do these things matters. Unsecured Wi-Fi is exactly that, unsecured. Just because a signal is there doesn't mean using it is a good idea. Cybercriminals have the same ability to access that signal as you do and how would you know they're there? Perhaps you are smart enough to avoid most attacks but how about the other attorneys in your office or your staff? Do you know what they are doing online?
What's the solution? How does one address the very real threat that comes from 286 million new malicious programs? I wish it were easy. Unfortunately, it isn't; but it is manageable. This is one of those situations where IT and firm leaders need to work together.
Part of the solution will lie in periodic and ongoing training in safe practices, including how to identify threats. This needs to be ongoing because the attack vectors will continue to evolve and change. Topics such as what social engineering is and how one can be tricked into allowing the computer network to be hacked, why peer-to-peer file sharing networks like the ones that use the BitTorrent protocol can be dangerous, and how one can securely log in to the network from a remote location would all be worth discussing. Personally, I would start with a short session that teaches all attorneys and staff how the particular security program that you run on your network will respond should an actual threat be detected. What will that look like to the user and what should they do if it happens? Why do this? How many of your users know that when a pop-up box suddenly appears informing them that their computer is infected and telling them to click "yes" in order to start a scan, this is not, in fact, your security software doing its job? Instead, this can be an actual attack. If the user actually clicks on "yes," truly believing that this is the right thing to do in order to protect the system, that act will initiate the malicious program. That's not what you want to have happen.
Another part of the solution will be in establishing and enforcing a firm-wide Internet use policy that spells out the dos and don'ts. Define what might be acceptable to download and what wouldn't. Allowing someone to download an eBook off Amazon might be okay if they were to do it over the noon hour, but downloading free stuff along the lines of screen savers, emoticon programs, desktop wallpaper, and even music may not be the best idea. What about accessing Facebook, LinkedIn, and MySpace? There are security concerns that come with participation in social media. Do you want to allow access to things like Skype, Instant Messenger, YouTube, or even personal email accounts? In the absence of defined rules, there will be some who will expose the network if for no other reason than through naivety. Don't focus just on the Internet spaces listed here. They are simply examples. All can bring value, but all also bring a certain amount of risk.
Again, there is no easy solution, and unfortunately there is a Catch-22 for many attorneys. For example, there is often a temptation to simply block access to Facebook, but this may be a bad idea because there will be times when visiting Facebook will be absolutely called for as part of handling a client's matter. The good news is that a great resource is available online to assist in the identification of the issues as well as in the development of a firm policy or policies. For additional information see www.sans.org/security-resources/policies/.
The final piece will be in committing to seeing that systems and software remain as current as economically feasible. Why? If you have an older version of a program still in use at your firm, do you know if it is still being supported? As newer and more secure versions of software come to market, software companies eventually stop supporting the older versions. Now this doesn't mean the program stops working; but it does mean the security updates stop coming. Continuing to rely on older software in order to save a little money is a serious misstep because many malicious programs specifically target older software. Cybercriminals know that the vulnerabilities in these older programs will never be addressed and that works to their advantage. Don't make it easy for them. Understand that when it comes to computer security, newer and better solutions for hardware and software will continue to enter the marketplace. When you think about what is at stake, isn't the investment cost of updating to the most current version of a software program available well worth it?
Mark Bassingthwaighte is Risk Manager with ALPS Corporation. He can be contacted at: firstname.lastname@example.org.