Running a Client-First company, I’m always looking to see how other companies measure up and if they are Client-First. So, what could The Air National Guard, The CFPB, Ransomware, and Process Serving possibly have in common? Well, let me tell you…
In the late 90s, I was a member of a team of professionals that provided information security technology and solutions to the government. One accomplishment I am most proud of is that my team engineered and deployed the first worldwide VPN network for the U.S. Air National Guard (USANG) using commercial Internet.
Then, like now, organizations want to have all available bandwidth to enable seamless corporate communication. With advancements in technology, there is also associated “risk.” Recently, many in the mortgage default industry have faced this increased risk by experiencing information security breaches and ransomware attacks. And, if your firm isn’t exposed to enough risk already, in August of 2023, the CFPB announced they will also be looking at your information security.
As a business owner in this industry, I’m thankful for my background in Information Security. However, you don’t need to be an Information Security wizard to manage your security risk. You need to ask some basic questions and understand some basic concepts.
Your firm interacts with 100’s of defendants a week, representing many high-profile banks, servicers, and other commercial entities. What would it mean to your business if you got hit in a ransomware attack? How long could you be down? Once it became commonly known that you had a security breach, how many clients would you lose? Would the CFPB get involved? What if the Blackhats are smarter this time, and they install ransomware and let it become invasive, infecting your systems and your backups? The good news is that the technology to prevent malicious attacks isn’t that expensive or even costly to deploy and maintain. So, where should you start?
First, let’s assess your “risk.” Your risk profile encompasses all the areas where your firm has an IT presence, like Data Centers, ISPs, and on-premises (PW, email, and other services). Many firms use a hosted case management system that is also integrated with other services that share information. Many of those platforms are hosted in the cloud, too.
What is your exposure if one of those services is compromised and your Client’s PII data is exposed? If your case management system’s nearshore data center in another country gets hit, what is your firm’s plan B? I doubt the CFPB will care that you were relying on your vendor’s assertions that their data center had the latest and greatest security measures.
Who is managing those security procedures? Have they been vetted? How often? Who does the vetting of the vetters?
In the interest of full disclosure, I am not a big fan of “offshoring,” nearshoring, or utilizing the cloud for critical applications. Why? “risk”.
The more vendors involved, the more people, the more “risk”. When thinking about Information Security, common sense goes a long way to help you manage your “risk.” I’m not suggesting that we can’t utilize those environments, but you do need to fully understand the additional “risk” and plan accordingly.
Another essential thing to mention is that in my experience the ONLY reason that any vendor is offshoring anything is to lower their cost. What else are they skimping on if they are pinching pennies on infrastructure or staff?
At the end of the day, your firm is going to be on the hook for whatever lapses in security exist for any vendor you use, and you need to be comfortable with assuming that level of “risk.” The CFPB has demonstrated on multiple occasions that they won’t care what your vendor tells you.
When configuring your information security posture, think about building layers of security. Much like an onion, each layer would need to be penetrated before a hacker could exploit the next layer. Utilizing a layered approach also increases the likelihood you will detect any Information Security incident before much damage can be done to compromise your environment. Let’s look at three or four actionable items that you can do right now to help mitigate your risk.
First, you should have application-aware perimeter security. Many companies are offering 4th and 5th-generation application-level firewalls. These firewalls enable security policies to be developed based on the applications that you and your staff use daily. These devices are “smart,” meaning they can evaluate network traffic and determine if the communication is safe or suspicious. Many have some AI or machine learning capabilities as well.
This market has many players, but my favorite is SonicWall (www.sonicwall.com). They offer a complete line of firewalls and perimeter security devices. To effectively safeguard your company’s digital boundaries against sophisticated cyber threats, embracing cutting-edge security technologies is paramount. My favorite thing about SonicWall is their support. For those with limited Information Security experience, you can purchase one of their firewalls, and for a small fee, they will configure it for you and get you up and going. They also offer a VPN client that you can install on your laptop or remote office computer to secure your remote office staff and all the services they need to be productive, like email.
Without a doubt, email is the most significant risk exposure today. Email is the source of most phishing attacks, viruses, ransomware, trackers, and other junk. Why? Everyone must have an email address, and yet the solutions for securing email still need to be more robust. So, I self-host our exchange servers in our data center. This requires more technical expertise, but for me, that outweighs the risk of outsourcing my email system.
To mitigate email risk further, I paired our self-hosted email with AppRiver’s (www.appriver.com) email threat protection. AppRiver is very cost-effective and provides a great deal of flexibility. My favorite feature of AppRiver is the ability to block email based on the country of origin and/or geographic region.
Emails identified as spam or infected are quarantined and are never relayed to your primary email server. This feature has allowed us to block 99.9% of spam, viruses, etc. You don’t have to host your email to use this service, as it works with Office 365 and a few other hosted providers. It’s low cost but high value/return. Using a system like AppRiver will stop almost 100% of the attacks.
You should have a backup scheme that utilizes the 3-2-1 backup rule at a minimum. There should be three copies of data on two different media, with 1 of those being offsite.
While the 3-2-1 rule is great, we must add one more requirement – immutable backups. Immutable means that the backup cannot be changed or deleted, which means that its original integrity is maintained. Having an immutable backup has become critical for recovery and fighting ransomware.
This is because threat actors now routinely attack backups as well. My vendor of choice here is Veeam (www.veeam.com). Again, this space has many vendors, but Veeam is my favorite because it is easy to use and configure. If you are using VMware, it comes with native integration that makes it easy to back up and replicate your servers locally or to a private cloud, e.g., instant disaster recovery!
Ok, so you have your firewall installed, email protected, and immutable backups going… what else can you easily do? Virus Protection for your servers and other endpoints! Again, this space has many vendors, but my favorite is Malwarebytes (www.malwarebytes.com). This application allows you to centrally manage virus protection on your endpoints (servers and client workstations). My favorite feature is that you get a weekly report listing any vulnerabilities found and what was done to mitigate them. The software will automatically quarantine whatever it finds.
Once installed, the end user can’t uninstall the security agent without your approval, so you know all your endpoints are protected. Again, it is easy to configure, install and manage. The support staff are top notch too. In today’s vendorscape many vendors may not prioritize the security of your information. Legal service providers and third-party vendors often focus on their competitive advantages, such as quick document processing or provided audit results. However, assurances from past security audits may not reflect their most recent status.
When was the last time you heard any legal service vendor or a 3rd party vendor mention your information security when they started working with your firm? A typical SOP vendor might list a competitive advantage as how quickly they can serve, e-file, etc., your documents. They might have an audit that attests they are secure and give you a copy of their latest SOC-3 audit results to assure you that everything is awesome, and you are covered. But that SOC-3 Audit was from October; now it’s January 2024. Are they still secure? Never mind them, you are the Client. What about your data? Do they have the knowledge and technology to protect your information or secure their connection to you?
As a client, make sure you ask questions to assess if the vendor has the knowledge and technology to safeguard your data. Implementing solutions for these areas can significantly reduce the risk of information security incidents.
Integrating 360 TotalView technology into legal service delivery enhances transparency and efficiency in process serving, offering clients the ability to closely monitor and manage their cases with immediate updates and detailed analytics. This integration raises pertinent questions about security within such advanced systems. For instance, most vendors offer some sort of customer portal. What security measures have they implemented to ensure that the system is secure? Is all the information exchanged between your firm and the portal encrypted? Does their system actively scan for viruses and malware in the files that are exchanged between you and the vendor?
For larger firms that desire direct integration, do they offer VPN tunnels or other security measures to lock down these connections between your network and a vendor’s data center? It’s also crucial to integrate information security into your firm’s culture.
This can be easily accomplished by reviewing recent developments in Information Security during your monthly staff meetings. This is also a great time to remind everyone to NOT click on any hyperlinks or files that you receive by email that you were not expecting.
Every IT environment is different, and the items I discussed are not meant to be an all-inclusive list. There are several other areas that you should address, like passwords and software patches, among other things. However, the ones I introduced are a good start on your quest to increase your security. If you implement solutions that address these areas, you will have come a long way in reducing the risk of an information security incident at your firm.
If your current legal vendor isn’t actively engaging with you on information security, it might indicate a lack of internal focus. Instead, consider the competitive landscape and partnering with 360 Legal, a vendor that is not only committed to your success but also places the utmost importance on the security of your data.