Skip to main content

Operating in the new normal: Best practice cyber security advice for law firms returning to the office

(Image credit: Image source: Shutterstock/jijomathaidesigners)

2020 has certainly been a shock to the system. Mid-March saw a mass migration to remote working for a huge number of businesses across the UK, and we are now coming to terms with what a ‘new normal’ way of working will look like. Whilst some law firms are closing offices entirely, many more are adopting a hybrid working model in which employees split their time between their homes and the office.

With the UK Government keen to get us safely back to work, law firms are taking their first steps towards reintroducing their people to the office environment. Cyber security and data protection should be primary considerations for all organizations, not least law firms that handle large quantities of highly confidential, legally privileged data.

How is your law firm managing its return to the ‘new normal’? In this article we will provide best practice cyber security advice on how to bring users and equipment back from the wild in a way that minimizes risk and maximizes productivity.

Step one: Review your user accounts

As people begin to return to the office, it’s important to review their user accounts. Healthy user account admin is essential to any law firm, not only for productivity – giving users access to the tools they need, when they need them – but also for cyber security and data protection. Remember, former staff and disgruntled current employees have the potential to wreak havoc if they have access to systems and data they shouldn’t. In this regard there are four key areas to address when reviewing user accounts:

  • Suspended accounts. Review suspended accounts, and decide on whether or not you still require them. If furloughed users’ accounts have been suspended, establish when they will be returning. Plan for each user’s return – there’s nothing worse than getting back to the office only to find your login has been suspended and you are unable to start your working day!
  • Elevated privileges. With a distributed user base and fewer members of IT staff to service support requests, some users may have been given elevated privileges so they can remain productive. Remember that malware detonates in the context of the user – if any of your firm’s users have elevated access, such as local admin rights to install software, the risk and potential impact of a data breach increases. Review elevated privileges, and remove them if they are no longer necessary.
  • Account ageing. Some users may not have logged in to their accounts for several months. Account ageing suspends inactive accounts, rendering them unusable. Make sure to review before users return to the office.
  • Atypical login activity. As IT staff begin to return to work, they may want to review logs for atypical login activity. Examples of atypical login activity include users logging in from other countries, multiple logins from different locations, or logins from unexpected devices. If you have a Microsoft Azure tenancy, Azure Active Directory Identity Protection enables you to identify high risk users and secure their access as appropriate.

Step two: Always keep it clean

It is much harder to control how people use their devices when they are working remotely. If users and their devices have been away from the office for some time, it’s worth considering what they have been using their laptops and equipment for. Non-work uses such as teaching children and streaming movies may be innocent enough, but they can introduce security vulnerabilities that become damaging when the equipment is reintroduced to the corporate environment. When returning user equipment to the office, remember to always keep it clean:

  • Patching reviews. It goes without saying, but always stay up-to-date with the latest patching versions. In order to achieve this, review your company’s patching policy to ensure it is fit for purpose. Also look for devices that haven’t been connected for some time – including those in your office. If they haven’t connected to the VPN for some time, they may have outdated patching levels. These should be addressed as a priority, as unpatched equipment is a major cause of data breaches.
  • Car wash and compliance standards. Review each device before it is allowed back into the office. Establish a segmented section of your network where you can operate a ‘car wash’ scan on all devices, updating them where necessary before they reconnect to the corporate network. Additionally, establish minimum compliance standards to expedite the process. At a minimum we suggest all devices should have critical security patches for operating systems and applications, and an antivirus signature that is less than a week old.
  • Device software audit. What software applications have been downloaded to a device whilst it’s been out in the wild, especially by users who have been given extended user privileges such as local admin rights? Don’t just check user privileges – audit software and remove all unwanted, potentially vulnerable software from users’ devices.

This is a challenging time for all businesses. Law firms face a unique set of considerations as they return to the ‘new normal’, given the complexity of their operations and the highly confidential, legally privileged nature of the data they manage. By reviewing user accounts and carrying out a ‘car wash’ on returning user equipment in alignment with defined compliance standards, you will take important steps towards reducing cyber security risks as users return with their laptops and smartphones from the wild.

Richard Holland, Legal Sector Lead, Six Degrees