When it comes to law firm cybersecurity, “trust, but verify” is a good approach.
But a “zero trust” mindset is even better.
The term “zero trust” – also called zero trust architecture, zero trust network access, or perimeterless security – has been bouncing around the IT world since the 1990s. But only recently has it entered the mainstream.
“Trust, but verify” is like locking the front door to your law office. Nobody gets in until they are verified, but once they’re in, they can wander around the entire office – the lobby, computer room, break room, wherever. Under a “zero trust” philosophy, nobody gets in until verified. But once in, they are further restricted as to what rooms they can enter and what they can do once inside.
In practice, this is done by giving employees access only to the specific tools, equipment and data needed to do their job – not a general “hall pass” to wander throughout the building.
“Zero trust is the cybersecurity equivalent of the slam, lock and nail approach,” says this article in Forbes. “Zero trust assumes every user, device and service that attempts to connect to a network is hostile until proven otherwise. The fundamental principle of zero trust is to secure an organization’s data wherever it might live, while allowing only legitimate users and entities access to relevant resources and assets.”
A zero trust approach is especially important when a law firm stores data in multiple places (i.e., on-site, in the cloud, off-premises, at various branch offices, etc.).
“[It] is a whitelist method for granting access, based on a device, user credentials and behavior,” according to Forbes. “Security personnel need to apply authentication permissions, including multi-factor authentication at the device- and user-level for each session, ensuring continuous and adaptive authorization.”
Zero trust starts with an assumption that every connection and endpoint is a threat and operates on the principle of least privilege (PoLP).
“Essentially, a user or program should have the minimum privileges (or, to follow the metaphor, house keys) necessary to perform their job,” says business writer Emily Heaslip for the US Chamber of Commerce. “For instance, only an employee whose job it is to transfer payment to your vendors should have access to the vendor’s bank account details.”
Read “What is Zero Trust?” in the US Chamber of Commerce newsletter CO.
Did you know that Alta Pro Lawyers RPG is one of the nation’s leading providers of cybersecurity CLE webinars and resources for Solo and Small Law Firms? Hundreds of lawyers have attended our free, one-hour cybersecurity webinars that feature top industry experts sharing insider tips on everything from spotting email phishing scams to securing your cloud data. If you practice in Wisconsin, Texas, Minnesota, Ohio, Illinois, Indiana or Michigan and your professional liability coverage is managed through Alta Pro RPG, you’re automatically a member of the Alta Pro Risk Purchasing Group (RPG). Other membership benefits: 24/7 access to the Pro Practice Playbook and Pro Practice Blog; Risk Management E-Alerts; Reminger Law claims assistance; discounts on CLIO practice management software; tax savings on health insurance; and access to the Risk Pro, who can help keep your firm safe and successful. Register here and start enjoying your Alta Pro RPG benefits.
5 Core Principles of Zero Trust
The following is from the Forbes article:
- Assume the network is always hostile.
- Accept that external and internal threats are always on the network.
- Know that the location of a corporate network or cloud provider locality is not enough to decide to trust a network.
- Authenticate and authorize every device, user and network flow.
- Implement policies that are dynamic and calculated from as many data sources as possible.
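To make the principles above concrete, and to tie them to the Chamber of Commerce vendor-bank-account example, here is a small per-request policy evaluator in Python. It is example code written for this page, not from Forbes, the Chamber, or any product; the roles, resources and signals are constructed, and the one behaviour signal (a login from a country new to that user) is a hypothetical input that a real identity provider would supply.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed least-privilege allowlist: which job roles may touch which
# resource, and with which actions. Names are hypothetical examples only.
RESOURCE_POLICY = {
    "vendor-bank-details": {"roles": {"accounts-payable"}, "actions": {"read", "update"}},
    "client-matter-files": {"roles": {"attorney", "paralegal"}, "actions": {"read"}},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool            # MFA completed for THIS session, not remembered from an old one
    device_managed: bool        # device is enrolled and passes its posture check
    on_office_network: bool     # recorded for logging, never sufficient on its own
    new_country_for_user: bool  # behavioural signal (constructed) from the identity provider
    resource: str
    action: str

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request; returns (allowed, reason). The default is deny.

    Network location (req.on_office_network) is deliberately not consulted:
    being on the office LAN does not grant trust under zero trust.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: deny by default"
    if not req.mfa_passed:
        return False, "MFA not completed for this session"
    if not req.device_managed:
        return False, "device failed posture check"
    if req.new_country_for_user:
        return False, "anomalous behaviour: step-up verification required"
    if req.role not in policy["roles"]:
        return False, f"role {req.role!r} not allowlisted for {req.resource}"
    if req.action not in policy["actions"]:
        return False, f"action {req.action!r} not allowlisted for {req.resource}"
    return True, "allowed: identity, device, behaviour and least-privilege checks passed"

if __name__ == "__main__":
    # Constructed sample: an attorney on the office network asking for vendor bank details.
    print(decide(AccessRequest("ben", "attorney", True, True, True, False,
                               "vendor-bank-details", "read")))
```

Every deny carries a reason so that the decision can be logged and reviewed, which is where detection of misuse starts.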
Read “5 Core Principles of Zero Trust” in Forbes.
Steps to Implement Zero Trust
- Advanced detection
- Automation and orchestration
Sources:
- 5 Core Principles Of The Zero Trust Model Of Cybersecurity (forbes.com)
- US Chamber of Commerce newsletter CO
Your law practice has unique characteristics that identify it to the public and distinguish it from other firms. Are you maximizing those strengths? Are you blending all the disparate elements of your practice – experience, expertise, personnel, website, logo, font type, community involvement – into a clear, consistent and compelling law firm brand? Join us on March 29 at 12 noon CST for our one-hour CLE webinar Law Firm Branding: Practical Tips and Ethical Traps. You’ll learn the basics of branding, the relevant Rules of Professional Conduct on messaging, marketing and advertising, and best practices for compliance with the ADA and other laws. And you’ll learn how to clearly and concisely articulate who you are, what you do, and why you’re the right lawyer for the job. Yet another benefit of the Alta Pro Lawyers Risk Purchasing Group! Click here to register.