Cybersecurity for solicitors
Gareth Dalton explains his work to protect firms from cyber breaches
The covid-19 pandemic saw a significant increase in the adoption of remote working, with employers offering the tools required to facilitate this shift in working practice. More and more businesses now see the agile advantages of running their platforms within a hosted or cloud environment, with users able to access information and data from the majority of internet-connected devices, such as laptops, tablets and smartphones.
Whilst having on-premises infrastructure by no means guarantees a secure environment (far from it, in fact), how do you ensure that all the users who connect remotely are bona fide users, and not someone who has hacked a compromised account?
With data breaches and compromised user credentials steadily increasing over the past decade, hackers are being completely indiscriminate when abusing this data. They don’t care who it is or what the business does – if they can exploit it, they will.
A recent report by the Department for Digital, Culture, Media & Sport (DCMS) found “in the last 12 months, 39 per cent of UK businesses identified a cyber attack, remaining consistent with previous years. More so, it suggested it is businesses with enhanced cyber security that make up this number, suggesting less cyber-mature organisations are underreporting.
“Of the 39 per cent who identified as being attacked, the most common threat vector was phishing attempts (83 per cent). This is where a form of communication such as email is used to solicit user credential information.
“Around one in five (21 per cent) identified a more sophisticated attack such as malware, denial of service or ransomware attack with 56 per cent of these businesses having a policy not to pay a ransom.”
There are a number of solutions your firm can adopt to help you with cybersecurity, particularly around the security of user accounts. Securing this user gateway into your systems is paramount, especially as the human aspect of unwittingly falling for a phishing attempt and publishing user credentials is on the rise, as these emails get increasingly sophisticated and difficult to spot.
Multifactor Authentication (MFA)
This additional security layer to the user sign-in process is becoming more and more common within businesses of all sizes.
Generally, we find users are initially resistant to change – but, in reality, it quickly becomes part of the routine. You need to remember MFA has been around for many years now, but is normally associated with financial institutions such as banks, pension providers and investment savings.
MFA is applied after the user enters their username and password. Before access to your systems is granted, a further authentication method is presented to the user, which they will have to pass in order to successfully log in.
This authentication method could be in the form of a text to a nominated mobile phone, an automated call to a nominated landline, or to an app on a mobile device, which may require modern techniques such as biometric or facial recognition.
Should the situation arise where your credentials are leaked, the chances of a potential hacker also having access to a separate authentication method are low, thus reducing the risk of a security breach.
In addition to MFA, a further step to secure your systems could be to introduce some risk management in the form of Identity Protection. This is available on the Microsoft Azure platform.
Microsoft Azure ‘Active Directory Identity Protection’
Azure is a cloud platform provided by Microsoft. It offers a range of business cloud and virtual services, including storage, analytics, networking and computing. Azure Active Directory is the service that controls your users' access to Azure, via a Windows Virtual Desktop application.
A compromise of Azure Active Directory exposes your business’ infrastructure and creates a significant area of attack leading to data breaches, loss of brand reputation and a financial loss to the business. Previously, the weakest link in systems security was the human element through phishing or malware.
Microsoft Azure Active Directory Identity Protection helps detect, remediate and investigate potential issues with unauthorised access, enabling your firm to stay on top of suspicious sign-in behaviour within your environment. It does this by allowing environment administrators to accomplish certain key tasks:
1. Automate the detection of identity-based risks
Automation is an important part of identifying risks efficiently. Risk policies are created to set the criteria for what may be classed as a risky user. Risk can be detected at a sign-in and user level, both in real time and offline.
As Microsoft describes it, a sign-in risk is the probability an authentication request wasn’t authorised by the identity owner. Every Azure Active Directory sign-in undergoes real-time assessment to calculate user and sign-in risks, which can be none, low, medium, or high. Organisations can define sign-in risk-based policies to automatically remediate sign-in risk – a sign-in can be blocked, or a user can be required to use MFA to confirm their identity.
An example of this may be two attempted sign-ins from geographically distant locations, where at least one of the locations is the typical location for a user, given previous login behaviour. It will also take into account the time between the locations, highlighting the fact it would be impossible to travel that distance between sign-in locations.
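The impossible-travel check described above, as a simplified added illustration (it is not Microsoft's algorithm and not part of the original article). The speed ceiling, the minimum distance, the sample sign-ins and the allow/require_mfa decisions are all assumptions constructed for this example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50  # assumption: ignore small jumps from imprecise IP geolocation

# Constructed sample sign-ins: (user, ISO timestamp, latitude, longitude, place)
SIGN_INS = [
    ("alice", "2024-03-04T09:00:00", 51.5074, -0.1278, "London"),
    ("alice", "2024-03-04T12:00:00", 53.4808, -2.2426, "Manchester"),
    ("alice", "2024-03-04T13:00:00", 1.3521, 103.8198, "Singapore"),
    ("bob", "2024-03-04T08:00:00", 55.9533, -3.1883, "Edinburgh"),
    ("bob", "2024-03-04T13:00:00", 51.5074, -0.1278, "London"),
]


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def assess(sign_ins):
    """Return (user, place, decision) per sign-in, in time order.

    A sign-in is challenged with MFA when reaching it from the same user's
    previous sign-in would need a speed above MAX_SPEED_KMH.
    """
    results, previous = [], {}
    for user, ts, lat, lon, place in sorted(sign_ins, key=lambda s: s[1]):
        when = datetime.fromisoformat(ts)
        decision = "allow"
        if user in previous:
            p_when, p_lat, p_lon = previous[user]
            km = distance_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # hours == 0 means simultaneous sign-ins from two distant places
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                decision = "require_mfa"
        previous[user] = (when, lat, lon)
        results.append((user, place, decision))
    return results


if __name__ == "__main__":
    for user, place, decision in assess(SIGN_INS):
        print(f"{user:6} {place:11} {decision}")
```

Only the Singapore sign-in, one hour after Manchester, is challenged; the London to Manchester and Edinburgh to London journeys fit comfortably within the time between sign-ins.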
Another example would be a sign-in attempt that differs from the norm. Azure stores information about previous sign-ins and will trigger a risk detection when a sign-in occurs in circumstances unfamiliar to Azure. These unfamiliar circumstances could be IP, location, browser, or device-based. New users will automatically be in ‘learning mode’ for a dynamic period long enough for Azure to gather enough information about the user’s sign-in patterns.
User risk is the probability an identity is compromised. Much like when evaluating sign-in risks, Azure Active Directory Identity Protection analyses suspicious actions every time a user signs in. Organisations can define risk-based policies to automatically remediate user risk - a user can be blocked, asked to pass an MFA challenge, or made to securely change their password.
An example of this may be leaked user credentials. When your credentials have been compromised, these would normally be published on the dark web or traded on the black market. The Microsoft Leaked Credential Service monitors these areas, and what it finds is then checked against Azure Active Directory's current valid credentials. If it detects a leak, the account will be disabled for investigation.
In addition to sign-in and user risks, Microsoft monitors known attack patterns across its global Azure user base and applies this internal knowledge, as well as that from external intelligence sources, in its algorithms.
2. Investigate Risks
Once Microsoft Azure Active Directory Identity Protection has identified and contained the risk, it needs to be investigated. System administrators are notified of the risks so that manual action can be taken, if needed.
Administrators are informed about the users at risk, details about the detection, a history of all risky sign-ins and the risk history. Action can then be taken to either reset the user password, confirm the user has been compromised, dismiss the user risk or block the user from signing in.
Referring to the report mentioned above, the DCMS concluded: “cyber security is now seen as a high priority by a greater proportion of businesses than in previous years driven by a good high-level understanding at the senior level of the risks of cyber-attack and the use of cyber security experts helping organisations practice good cyber hygiene.”
However, the DCMS report continues – there “remains a lack of technical know-how expertise within smaller organisations. Many organisations remain in a reactive approach to cyber security rather than proactively driving improvements.”
Additionally, the report goes on to say that “organisations do not tend to engage with industry standards such as Cyber Essentials. Uptake for these is still in the minority. There is a low awareness overall, and those that are aware do not feel accreditations are tailored enough for their needs, meaning they cannot meet criteria.”
The introduction of MFA drastically reduces the risk of compromised accounts being hacked. Introducing it into your environment should not be the headache it is maybe perceived to be, especially if you explain that users have been using MFA for years for online banking and purchases.
Adding Microsoft Azure Active Directory Identity Protection into the equation, if your platform is Azure, creates a robust, intelligent environment that will keep you, your firm and your users safe.
Gareth Dalton is managing director of Techn22, offering bespoke IT Support and iSolutions designed to support businesses in effectively deploying IT and cloud technologies enabling end-users to achieve their strategic goals: techn22.co.uk