Please enjoy this blog post co-authored by David Forrestall, CISSP CISA, Managing Partner, SecurIT360 and David Oxley, CLM, CISM, Director of Information Technology, Messerli & Kramer.
Everyone agrees that cybersecurity is absolutely essential. However, many firms still do not have dedicated security resources. And, if you are a smaller firm, do you really need to do as much as the larger firms? If you look at NIST, ISO 27001, or other frameworks, there is a lot to do, and much of this is still thrown over the wall to IT. Does all of that apply to us and if so, how in the heck can we get it done? Security for the new WFH environment has made it even more challenging. To be clear, not all small firms face tight resource allocation for security. Some firms, due to client requirements or firm philosophy, have robust, well funded security programs. But many do not. In this blog, we will explore what is reasonable for smaller firms and provide some practical advice on how to accomplish critical functions when you don’t have time, resources, or expertise available. We not only welcome your comments, we encourage them. We hope to start the conversation and integrate feedback from readers to maintain a dynamic, growing resource.
A quick visit to the Whys
At a general level, we all know that criminals are out there and people make mistakes. We know we should be keeping firm and client information safe. A quick reminder of the obligations: First and foremost, protect the client information - e.g. don’t get breached or allow risky behaviors. We need to keep confidential information protected and keep malicious entities away from the sensitive information our clients have entrusted to our keeping. But there are other layers to this onion. Regardless of the law practices your firm supports, you ARE subject to regulatory requirements. Even if you don’t have Healthcare or Financial data, you still have personal information of those who work at the Firm and there are a multitude of State, Federal, and now even Global data privacy and breach laws. Finally, there are client requirements that range from simple questionnaire responses to specific controls that are mandatory in order to continue serving the client. The latter are often due to more stringent regulation targeted at specific industries (banking, healthcare, other financial services).
What is the minimum we should be doing?
Unfortunately, this is not an easy question to answer. The short answer is to do as much as you reasonably can, with justification for your plan based on risk. Technology is complex and continues to proliferate at an exponential pace. So, to really make sure we are covering all of our bases, a comprehensive approach is recommended following a large framework like NIST or ISO 27001. There are hundreds of items listed under each of these standards and your limited resources probably won’t allow you to address them all. The good news is that the larger standards have a high degree of overlap and also map to the CIS Top 20. To be clear, the Top 20 is not just composed of 20 items on a checklist. You should think of them more as general “Areas” in which you need to demonstrate a level of proficiency. There are sub-controls for each of the 20, bringing the total number of requirements closer to NIST and others. And now we must consider any additional risks introduced by the WFH situation. We’ve been immersed in WFH over the past several months, but remote work implications run long and deep for firm information security. Most firms have addressed WFH security, but many did so in the form of a fire drill, and will be confronting new challenges as we settle into our “new normal”.
Great! You just added to my to-do list, now tell me HOW!!
We have additional, more specific details below, but here are some strategies to implement your Cyber Security program with limited resources:
- Don’t try to do it all at once. Perform a Risk Assessment. This is NOT included in the CIS Top 20, but it is a must for planning. You can do one of these yourself with a questionnaire (Security Risk Assessment (SRA) tool is one example with a HIPAA focus - https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool ). This will also give you ammunition to present to management when you do ask for help.
- Hire an MSSP. They offer most of the basic blocking and tackling that you will need. Be careful of IT providers that call themselves security providers. Ask questions about their experience and how they go about security. Ask about their processes, not just the products they use. Ask them about how they can help you accomplish the Top 20; open-ended questions about their services and how they are provided. You may not be able to take full advantage of all the services an MSSP can provide, but you might be able to cherry-pick those that provide the most value and protection for the investment. For example, Managed SIEM and 24/7 SOC monitoring can provide value and coverage you could never duplicate due to staffing limitations.
- Start small, identifying the actions that will provide you the most protection for your investment. Review the CIS 20+ listing below where we have offered some suggestions. Identify those items that are already addressed, can be addressed with minimal investment, and those that appear to be the most glaring, exposed gaps. From that list, draft an action plan, and track progress as you address each gap. Tracking is crucial - you can use your plans to show progress to others and it gives them confidence that you are serious about security.
- Leverage existing partnerships. Many of the areas can be addressed by a managed service provider (MSP or MSSP) as part of their service (inventory, patching, and backup/recovery come to mind as commonly outsourced roles). Arranging to receive monthly reports from an MSP is often sufficient to comply with both hardware and software inventory requirements.
- Configure in-house systems to provide reporting to provide evidence of compliance. Even if you don’t have an MSP providing services, you may be able to take advantage of the systems you’re using to manage your environment to provide regular reports that demonstrate the quality of your controls. For example, many antivirus solutions can produce regular automated reports detailing point in time levels of compliance. Patching deployment software can also provide proof of regular patching. Microsoft 365 and your DMS solutions may also have useful alerting and reporting.
- Train the staff you have. Security does not necessarily come easily to some traditional IT employees. There’s an element of subjectivity to it that can rub some IT professionals the wrong way. In addition, if your staff isn’t used to documenting changes, processes, etc., they can find the move toward a more secure environment to be onerous and even frivolous. There are a growing number of free security education resources available (of course, there’s ILTA, but in addition, SANS and BrightTALK are among the free online options, and some business partners sponsor opportunities). Encourage study toward security certifications. Some security business partners even sponsor free certification prep programs. Promoting a security-aware mindset inside IT is the first step needed to institute cultural change. In addition, the documentation needed is more likely to be completed if your staff is on board with the shift to a more security-aware firm.
- Engage and educate attorney leadership. As owners, attorney leadership needs to be aware of the risk and liability posed by security and governance gaps. The requirement that attorneys provide appropriate oversight of how risks are managed can be a powerful incentive to promote increased attorney involvement. The more aware your leadership is the better.
- Look for inexpensive utilities that can assist with some of the tasks like hardware and software inventory and account monitoring. There are quite a few available and we are hoping to follow this blog up with your suggestions.
A side note – how to SELL it to your management
You may not want to be, but now you are a Cyber salesperson and you need to convince your Firm to invest resources to the task of enhancing your security posture. While this can sometimes require us to pitch for additional funding, there are ways that can improve security at your firm without having to reach for the checkbook. By demonstrating a willingness to explore lower cost options, a resourceful IT leader builds trust with firm leadership. This in turn makes it more likely your requests that require financial investments will be approved.
For starters, security improvements can be integrated into your environment through the normal cycle of systems upgrades and replacements. You’re not going to move from security basics to being Fort Knox overnight. Plan to play the long game – bake security into your systems through the normal course of business. Add it as a criterion in your acquisition plans. Gradually incorporating it into your environment helps to accommodate the accompanying culture change and minimizes the impact of security as a dedicated line item in your budget (call it “security integration”).
It’s important to be seen as a security resource, but it’s just as important to demonstrate that you’re aware of and sensitive to the fiscal limitations faced by your firm. Being the long term voice of moderation may provide leverage to implement more changes long term. Build organically, aligning with practice groups and individuals who are sympathetic to these concerns. Promote compromise where it’s unlikely you’ll have the support to implement best practices.
As you’re already aware, it’s easier to justify security investment if it’s in response to a client request. Client requirements are one of the least contentious ways an IT leader can obtain resources for specific security initiatives. Recognizing the direction your clients are heading with their requirements can help you prioritize the security initiatives you ask your firm to implement. Reserve your political capital for initiatives that have a chance of being approved without your having to go to the wall. Allow client requirements to drive those that are more controversial.
A potentially powerful ally in your efforts to strengthen your Firm’s security position is the Model Rules of Professional Conduct, the ABA’s regulations that define an attorney’s ethical responsibilities.
Information security is not a static target. The items we address may still have the same names, but they require constant monitoring, evaluation, and adjustment. You won’t get all of this addressed at once. And as you make progress, new gaps will arise. The goal is to continuously improve your security position. It is a process not a product – it’s important not to get frustrated and disappointed in lack of rapid progress. Try not to compare your firm’s position to others, especially large firms. You have the resources you have, and no amount of advice can take the place of resources when it comes to covering all that needs to be addressed. Also, clients and regulators understand this. If you have plans and can show progress, it goes a long way even if you aren’t complete with certain items.
Thoughts on Smaller Firm priorities for the CIS Top 20 +5
We are choosing to re-order the Top 20 based on what we know about small Firms. Use it as your Risk Assessment if you want. For Firm compliance, there are at least 5 more that you need to work into your program. We have also added comments to consider for your newly remote workforce. If you want a more robust discussion of WFH security, take a look at here. But, let’s discuss...
Tier 1: Let’s score some quick wins by removing common attack vectors and big impacts; and you may already have funding or solutions in place.
- #10. Data Recovery Capabilities (WFH - would you need to recover anything differently?)
You might be surprised, but this basic control is imperative. EVERYONE is a target for Ransomware. We have dealt with it and it is painful. We do not wish this on anyone. Worst case - No recovery, no Firm, no job. Also - remember - if you haven't tested it, it doesn't work. Make sure that you have an offline copy. If you can get an MSP to manage, that could be a quick win. WFH consideration - if your remote access solution allows the saving of data to a local, remote machine, you may have exposure through the users’ home computing environment. If so, you’ll want to address this in your reintegration planning.
- #12. Boundary Defense & #9. Limitation and Control of Network Ports, Protocols and Services (WFH - where is your boundary?)
Another obvious call that you should be able to check off your list. If you install a firewall, make sure you have a third party verify its implementation. Make sure it has IPS/IDS and it is configured correctly (and turned on). Don’t buy the cheapest, but you don’t need a Ferrari either.
- #8. Malware Defenses (WFH can push this to the Endpoints…)
A must have for all. Specifically, there are four major components: 1) Computer OS, 2) Mobile Devices, 3) Email, and 4) Browser. Luckily, most Firm Management understands this. When looking at Endpoint solutions, consider fighting for a more advanced solution with more capabilities. It costs more, but can cover you in other areas of the Top 20.
- #7. Email and Web Browser Protections (WFH - Endpoints? Citrix, VDI, etc.?)
For smaller Firms, it can be difficult to find robust enterprise security solutions at the network level with the right mix of manageability and flexibility. However, acquiring these protections bundled with other products can simplify implementation and ongoing care and feeding (and can include your endpoint protections).
- #3. Continuous Vulnerability Management (WFH - this gets difficult on computers that haven’t checked in for a while and what about personal machines?)
Absolutely required, but let’s discuss “continuous.” For a smaller Firm, that would be great, but who is going to help you with that? You need to do a comprehensive Vulnerability Assessment AT LEAST once per year (cringing - what if a critical vulnerability is discovered the day after you do your assessment? 365 days till you find it?) to know that your patching is working. You can run your own vulnerability scanner and review/remediate the results (Nessus & Qualys are just two of the players in this space). MSPs also offer this as a service. Regarding WFH - if machines are provided by the firm, they can be remotely managed. If you’re using personal machines for work from home, at a minimum include the requirement that users keep home machines patched and have anti-virus installed in Work From Home policies.
- #17. Implement a Security Awareness and Training Program (WFH updates?)
This is the biggest bang for your buck. We know that many Attorneys don’t like to take time for training, but they need it. (If I had a dime for every time we were called b/c an Atty clicked on something…) There are good, affordable resources for security education (KnowBe4 is one of the best known). Enlist assistance from office management to facilitate participation. Solicit attorney leadership to ensure attorneys complete the training. This is a common requirement for financial clients, which can help garner leadership support. WFH consideration - be clear when emphasizing that security awareness isn’t an “in the office only” concern, and that they’re just as vulnerable at home as in the office - if not more so.
- #4. Controlled Use of Administrative Privileges (WFH - ensure secure use of admin accounts while remote and monitor!!)
Admin account management is a must. Top target for hackers. Not difficult to accomplish, but you need to take a little time to put together a plan. Make sure you have sufficient backup to allow admin access if you or your staff become incapacitated. Include an audit process that defines all admin accounts and has provisions for approval and decommissioning of administrative accounts.
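The audit step described above can be made repeatable with a small script. The following PowerShell is an added example, not code from the original post or its authors: it pulls the members of the privileged Active Directory groups, compares them against a firm-maintained approved-admins list, and flags accounts that are unapproved, disabled-but-still-a-member, or stale, so each finding becomes an approval or decommissioning action item. It assumes the ActiveDirectory RSAT module and a hypothetical `approved-admins.csv` with a `SamAccountName` column; the 90-day staleness threshold is a policy choice, not a CIS value.

```powershell
# Added example (not from the original post): reconcile privileged AD group membership
# against an approved-admins list and report accounts needing review.
# Assumes: ActiveDirectory module (RSAT) and a CSV maintained by the firm,
# '.\approved-admins.csv' (hypothetical name) with at least a SamAccountName column.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Approved      = Import-Csv -Path '.\approved-admins.csv'
$ApprovedNames = @($Approved.SamAccountName | ForEach-Object { $_.ToLower() })
$StaleAfter    = (Get-Date).AddDays(-90)   # no logon in 90 days = stale (firm policy choice)

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are not missed
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.DistinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordLastSet
            $Issues = @()
            if ($ApprovedNames -notcontains $User.SamAccountName.ToLower()) { $Issues += 'NotApproved' }
            if (-not $User.Enabled) { $Issues += 'DisabledButStillMember' }
            if ($null -eq $User.LastLogonDate -or $User.LastLogonDate -lt $StaleAfter) { $Issues += 'Stale' }

            [PSCustomObject]@{
                Group           = $Group
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                LastLogonDate   = $User.LastLogonDate
                PasswordLastSet = $User.PasswordLastSet
                Issues          = ($Issues -join ';')
            }
        }
}

# The dated CSV is the evidence an auditor or client questionnaire asks for;
# the console table is the working list for approval/decommissioning decisions.
$Findings | Export-Csv -Path ".\admin-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$Findings | Where-Object { $_.Issues } | Format-Table -AutoSize
```

Run it from an account that can read group membership, on a schedule that matches the audit cadence you document; keep the dated CSVs as your audit trail.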
- #19. Incident Response and Management (WFH - if there is an incident on a home network what will you do?)
This is an easy one to check off with a few hours of dedicated effort, and since you don’t have any, you should identify all of the outside experts you will need when something bad happens. There are many incident response plan templates available (the NIST Computer Security Incident Handling Guide is one of many - https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final ). It doesn't have to be complex, but it should address what constitutes an incident, how an incident is prioritized, who is responsible for addressing it, who should be notified, and, if there are specific processes in place, they should be called out. Finally, a debrief following an incident should be addressed as well.
- #15. Wireless Access Control (WFH - what about home wireless networks?)
This should be another one that you can quickly check off. Require encryption. Change keys regularly. Segregate guests. Test.
Tier 2: Now that we have conquered those, let’s move to the next level
- #6. Maintenance, Monitoring and Analysis of Audit Logs (WFH - what visibility do you have for your remote workforce behaviour?)
This is also a must, but may be harder to get to. Your network knows what is going on, but it can be hiding in your logs and you don't have time to look there. You can do it yourself, but WARNING - this will add to your already busy to-do list. We suggest finding an MSSP and there are plenty of options out there. Another thing to think about is that your MSSP may be able to bundle many of the other Top 20 in with their offering, which is a bigger win for your turnip which has no blood. One other benefit of an MSSP solution is that many can provide 24/7 coverage, which is important as hackers don’t work banker’s hours.
- #13. Data Protection (WFH - this is a concern. Without controls, it could arguably be a higher priority if files are regularly copied outside of your network)
It is very important that you have some rules around data use and storage. This is much easier for smaller organizations, but with all of the cloud services and mobility, it can still get complicated. You can't protect it if you don't govern its use.
- #9. Limitation and Control of Network Ports, Protocols and Services
We are going to assume that this is internal and you have dealt with your boundary defenses. This is extremely important and not very difficult for smaller organizations. You just need to take the time to do it once and then check it several times per year. And if you have other protections in place, they should help.
- #5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers (WFH - Mobile Devices, Laptops - ‘nuff said, but let’s discuss that personal computer at the paralegal’s house that is now in scope...)
There are CIS Benchmarks for Active Directory and M365 that you can implement yourselves, but it takes time. So, we are going to assume that you nailed it on our #3 above (CIS #8 - Malware Defenses) with a solid endpoint protection solution AND you considered your mobile devices with the help of other solutions (M365) and possibly an MSP.
Tier 3: The other things that you still need to do.
Don’t break your arm patting yourself on the back. You aren’t done yet. Still seven left to go...
- #14. Controlled Access Based on the Need to Know (WFH - pay attention to operational and administrative accounts. For Client files, it is very important to move more toward a closed DMS)
This is not difficult, but it takes a little time to document and implement. You can enlist help from other departments. The largest barrier here will be acceptance of the need.
- #16. Account Monitoring and Control (WFH - much higher priority. What the heck are people doing and is it really them or has their account been PWNED?)
It can be difficult at a smaller firm to have segregation between management and who is creating / disabling accounts. Be prepared to address this if you're facing a client questionnaire or audit. Having a well documented process outlining authorization and implementation flow will go a long way to satisfy requests.
- #11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Firewall is most important for smaller firms and we have addressed that above with your boundary defenses. Make that the priority. If you installed it yourself, then have someone double-check you. The internal network devices should show vulnerabilities when you check them with your vulnerability scanning and can remediate those as necessary. Long term, you will want to document your security policy around these.
- #1. Inventory and Control of Hardware Assets (WFH - do we know where they are?)
Yes, this is CIS #1, but we are assuming that you have SOME idea of what is on your network. It is relatively easy to manage with a spreadsheet, depending on the size of your fleet. It is important b/c a missing device could have sensitive info on it. Also, what if something new shows up on your network - rogue wireless access point?
- #2. Inventory and Control of Software Assets (WFH - similarly, what is installed on what now that it is outside of your network?)
Important b/c users may install software on their machines. Also might identify spyware, adware, toolbars, LogMeIn, etc. A spreadsheet won't cover spyware, adware, etc. - you will need a monitoring product for this. SolarWinds and SCCM are great products, but the cost from an expense and resource perspective can make them difficult to justify. This is another area where an MSP/MSSP may be able to provide value.
- #18. Application Software Security (WFH - Most smaller Firms don’t have custom developed SW and are not going to have the capability to whitelist SW)
- #20. Penetration Tests and Red Team Exercises (WFH - you might want to test your security solutions related to remote access to ensure safety)
Finally, we agree on something. Remember, this is a TEST and you have to study for it. Study all of the other areas above and THEN get a penetration test. Vulnerability Assessments are valuable and less expensive. Having this conducted by a third party takes the load off your department and ensures an SME vets the findings. Documenting remediation efforts provides evidence of security progress.
Additional requirements for Firms:
We don’t have to get in a big discussion here. You know you need them. There are many sources for templates available online.
- Risk Management
We already mentioned this above, but for client requirements you will need to demonstrate that you are regularly looking at risk. It can be fairly simple and straightforward, but it still needs to be documented and have regular activities.
- Vendor Management
This can be a subset of your Risk Management Program. Again - this one doesn’t have to be complicated. Take one of the questionnaires that you receive and edit it. Send it to your key vendors and those that have access to firm and client information. You will need to do this annually and document that it happened.
- Audit functions
Now that we have established all of these things that we will be doing to stay safe, we need processes in place where someone validates that these are happening as prescribed. Again - doesn’t have to be complicated, but needs to be documented.
- Information Governance
Yes, it is asking a bit much for a smaller firm to put in a formal IG program, but you need to establish some rules that educate the Firm where things go and how long we keep them. Getting organized facilitates all the other efforts. Some good news - IT should NOT be in charge of IG, but support its efforts.
And one bonus thing to consider - Privacy. GDPR, CCPA, and HIPAA are specifically concerned with privacy and are bringing the subject to the forefront. Privacy and security are different - this is another topic that warrants its own discussion. Privacy is what you say you will do to protect and monitor access and use of sensitive information. Security controls provide a way for you to comply with your Privacy statements. At a minimum you should establish an avenue to field and assess privacy related requests. These are often fielded by a firm’s general counsel.
If you made it this far down - you must really be bored while staying at home - thanks for reading! We would love to hear your comments.