Remote Working & BYOD for Legal Practices: More Flexibility and Freedom – at a Price?

Remote working has seen a big increase over the past year, with many firms seeking to give employees more flexibility over where and when they work in the wake of the pandemic. But firms everywhere need to proceed carefully, because while these changes are no doubt welcomed by the workforce, they are also welcomed by cyber criminals.

We are already seeing increases in ransomware attacks and email account takeovers. And it’s a trend that’s set to continue and grow as firms seek to offer their staff more flexibility. The problems that home working and the bring your own device (BYOD) approach pose centre on the loss of secure boundaries. When all employees were office-based and using the same office network, keeping systems secure and visible was easier, as use of devices and access to the internet could be closely monitored.

Now, many firms have staff working from home and other remote locations as well as the office. And that’s giving rise to a whole host of issues that are leaving fraudsters rubbing their hands in anticipation of more successful scams.

The main security issues that remote working and BYOD give rise to include:

  • Use of unmanaged, unregulated devices
  • Inability to track user activity
  • Data leakage
  • Downloading of unsafe content and apps
  • Difficulty ensuring compliance with regulations

Firms know there are serious risks associated with remote working and BYOD, and so do cyber criminals. When staff work from home, visibility and control are lost. The problem has been exacerbated by the speed with which the transition from office to remote work has happened, mainly due to COVID. As a result, many staff have been using unsecured personal phones and laptops for work at home, rather than company devices.

It’s likely that these personal devices are shared with other people and/or synced with other devices in the home. And we have first-hand evidence of the problems caused by syncing multiple devices such as tablets and phones. Workers are entering passwords for important work systems that are immediately becoming accessible on multiple devices, giving scammers more opportunity to exploit entry points into important enterprise systems and networks, putting vital firm data and sensitive client data at risk.

The Ponemon Institute has conducted research into the effects of BYOD on firms’ security. It revealed that over two-thirds of security professionals had seen a reduction in the safety of their IT infrastructure as a result of remote workers using their own devices to access apps and other network features. Perhaps more worryingly, the research also revealed that nearly 33% of the organisations surveyed did not have multi-factor authentication (MFA) processes in place. And it’s not just tablets, laptops and phones that pose a security risk. Smart watches, TVs, cameras and other devices linked to home wireless networks are also susceptible to cyberattacks, as recent UK government research reveals.

What’s the solution for legal practices and remote working?

It’s clear that for many firms, some form of remote working will remain in place. So, overcoming the security threats posed by this new way of working is going to take a highly organised, multi-faceted approach covering:

  • Implementation of technology solutions
  • Policy and governance changes and enforcement
  • Staff training to raise awareness of the risks

Technology

Firms across the legal sector must implement authentication and device management solutions, such as fingerprint, PIN, or facial ID log-in features. These will enable staff to use their own devices for remote working more securely. MFA offers an extra layer of security that should be deployed as widely as possible, as it helps prevent cyber criminals from harvesting credentials.

Taking a Zero Trust approach is also worth considering. This entails every user or system, whether inside or outside of the cloud, being considered as a potential threat until they are verified as safe and trusted. It’s an approach that works for devices, technology and employee work practices, with verification achievable through a variety of means, including MFA, various permissions systems and IAM (Identity and Access Management).

Policy and Governance

It’s important for firms to clearly and formally define how they expect employees to operate when working remotely. All rules and regulations covering areas such as passwords, access management and virus protection need to be communicated to all staff. This is likely to be a time-consuming process, but is vital to reduce risk and thwart cyber threats.

Employee Education

Staff will play a vital role in supporting the effectiveness of any technology solutions and policy or governance changes. Security awareness training should be regarded as essential, so that employees know the security risks posed by home working, especially on shared devices, and can take the appropriate steps to reduce that risk.

With remote working options for employees likely to remain in place across the legal sector, all employees in firms must take responsibility for mitigating the threat of cyber risks. Technology also has a part to play, as do strong policies and procedures, to ensure that this most flexible of approaches to working benefits businesses, not cyber criminals.
