LINK’s SDK Integration for iOS and Android

Have you ever wondered what’s behind the unique and secure annotation capabilities in our LINK App? Read on to learn how one of our key partners helps us to offer this feature that has become so popular with our users.

If you’re familiar with LINK, you know that the technology we’ve developed allows lawyers to efficiently work on mobile devices like iPads and smartphones while maintaining the high security and privacy needed to manage sensitive legal documents. During development, we needed to integrate our app with existing document management systems to ensure seamless communication and data integrity across different platforms. We also needed to meet strict security standards to protect client confidentiality and avoid vulnerabilities that could occur when transferring documents between apps.

By incorporating Nutrient’s mobile SDKs for iOS and Android, we were able to allow lawyers to annotate documents directly within their existing DMS or email attachments. This eliminated the need for file transfers between applications, thus simplifying how user documents are managed and reducing the risk of errors. The integration also enhanced LINK’s security by keeping all documents and annotations within a secure, encrypted environment – critical for maintaining client trust and complying with legal data protection standards. To top it all off, the SDKs improved responsiveness, allowing our customers to work more efficiently and meet the fast-paced demands they encounter in their daily work.

Ultimately the SDK integration from Nutrient in our LINK App helps us to empower lawyers to work securely and effectively from mobile devices in any setting. And since our mission is to make it simple for lawyers to work securely from anywhere, we couldn’t have asked for a better fit.

Read more about our SDK integration here: https://www.nutrient.io/blog/mobile-helix-nutrient-sdk-ios-android/

New from NIST: Improve Your Security, Rethink Password Policies

Passwords remain a major risk to enterprises. This is true even though safe password practices have been widely promoted for a decade. Nearly half (49%) of incidents cited in Verizon’s 2023 Data Breach Investigations Report involved compromised passwords.

Enter NIST’s new Digital Identity Guidelines, SP 800-63-4. In the new report, NIST advocates for dropping onerous password requirements and focusing on the practices which are most effective. Let’s look at a few of the updated guidelines.

  • Do not require users to change passwords periodically; mandate a change only when there is evidence of compromise.
  • Require passwords with a minimum of eight characters. The recommended minimum length is 15 characters.
  • Do not impose other composition rules, e.g., requiring mixtures of different character types.
  • Do not prompt users to use knowledge-based authentication, e.g., “What was the name of your first pet?”

Mandatory password changes are ingrained in enterprises. But NIST considers mandated changes to be outdated. Research has found that frequent password changes lead people to make minor changes which fit into a pattern, e.g., MinnVikings56 is followed by MinnVikings57. These patterns are often quickly cracked by algorithms. NIST recommends changing passwords only when there is evidence of compromise.

To make passwords safer, NIST recommends long passwords, at least 15 characters. A 12-character password takes 62 trillion times longer to crack than a six-character password.

Per NIST, passwords should consist of random characters or phrases.
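The rules listed above, as an added Python example (not code from the post or from NIST): length is the only hard requirement, composition rules and calendar-based expiry are deliberately absent, a change is demanded only on evidence of compromise, and the MinnVikings56 to MinnVikings57 rotation the post describes is detected. The compromised-password set and the two length constants are constructed or assumed values.

```python
"""Password policy check in the spirit of the NIST guidance quoted in the post.

Added example, not from the post or from NIST. COMPROMISED is a constructed
stand-in for a real breach corpus; MIN_LENGTH and RECOMMENDED_LENGTH are the
figures the post cites.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8            # NIST minimum, per the post
RECOMMENDED_LENGTH = 15   # NIST recommended minimum, per the post

# Constructed stand-in for a compromised-credential list; a real deployment
# would query a breach corpus rather than hard-code values.
COMPROMISED = {"password", "123456789", "minnvikings56"}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)    # hard failures
    warnings: list = field(default_factory=list)   # advisory only


def check_password(candidate: str) -> PolicyResult:
    """Accept or reject a password using only length and evidence of compromise.

    Deliberately absent: composition rules (mixed case, digits, symbols) and
    any periodic-expiry logic, both of which the post says NIST now rejects.
    """
    result = PolicyResult(accepted=True)
    # Count characters, not bytes, so non-ASCII passphrases are not penalised.
    if len(candidate) < MIN_LENGTH:
        result.accepted = False
        result.reasons.append(f"shorter than {MIN_LENGTH} characters")
    elif len(candidate) < RECOMMENDED_LENGTH:
        result.warnings.append(f"below recommended {RECOMMENDED_LENGTH} characters")
    # Compare case-insensitively: 'Password' is no safer than 'password'.
    if candidate.lower() in COMPROMISED:
        result.accepted = False
        result.reasons.append("appears in compromised-password list")
    return result


_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def is_trivial_variation(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing number changed.

    This is the MinnVikings56 -> MinnVikings57 pattern; the post notes such
    rotations are quickly cracked, which is the argument against forcing
    periodic changes in the first place.
    """
    if old.lower() == new.lower():
        return True
    m_old, m_new = _TRAILING_DIGITS.match(old), _TRAILING_DIGITS.match(new)
    if m_old and m_new:
        return m_old.group(1).lower() == m_new.group(1).lower()
    return False


def must_change(current: str) -> bool:
    """Require a change only on evidence of compromise, never on a calendar."""
    return current.lower() in COMPROMISED


if __name__ == "__main__":
    for pw in ["short1", "MinnVikings56", "correct horse battery staple"]:
        r = check_password(pw)
        print(f"{pw!r}: accepted={r.accepted} reasons={r.reasons} warnings={r.warnings}")
    print(is_trivial_variation("MinnVikings56", "MinnVikings57"))
```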

There is an inherent challenge with requiring passwords to be long and strong. Long and strong passwords are difficult for humans to remember. To accommodate our limited memories, people devise hackable workarounds. LastPass reported in 2022 that 65% of those surveyed use mostly the same password or a variation.

NIST has a recommendation for humans and our fallible memories.

Verifiers SHALL allow the use of password managers. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators.

Leading password managers include LastPass, 1Password, and Dashlane. In volume, the highest-rated password managers cost four or five dollars per user, per month.

You can improve your company’s security posture by starting with these two NIST recommendations:

  • Adopt the counter-intuitive practice of not mandating password changes.
  • Provide password managers to help employees use long and strong passwords.

And please, don’t ask me for the name of my first pet.

-Maureen

Maureen Blando is the President and COO of Mobile Helix, makers of the LINK App for lawyers.


NIST Definitions

Authenticator: Something that the subscriber possesses and controls (e.g., a cryptographic module or password) and that is used to authenticate a claimant’s identity. See authenticator type and multi-factor authenticator.

Shall: The terms “shall” and “shall not” indicate requirements to be strictly followed in order to conform to the publication and from which no deviation is permitted.

Should: The terms “should” and “should not” indicate that among several possibilities, one is recommended as particularly suitable without mentioning or excluding others, that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.

Subscriber: An individual enrolled in the CSP identity service.

Verifier: An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or more authenticators using an authentication protocol. To do this, the verifier needs to confirm the binding of the authenticators with the subscriber account and check that the subscriber account is active.

App Authentication Gets Easier with Intune

Remember the early days of MDM (Mobile Device Management)? You know, that company-mandated thing which black-listed your apps, tracked your movements, and monitored which websites you browsed?

We’ve come a long way from those days. Recent developments from Microsoft make authentication and data management easier for both users and for IT admins. Let’s take a look at these newer offerings from Microsoft and how you can benefit from them with our LINK App.

Integration with the Intune SDK and Microsoft Authentication Library

We have integrated the Microsoft Intune SDK and the Microsoft Authentication Library (MSAL) into our LINK App. If you are either an Azure Entra ID user, an Intune user, or both, our integration offers a simpler experience for users and IT alike.

Fewer sign-ins for both frequent and occasional LINK users

Integrating MSAL into our LINK App allows LINK to leverage Microsoft Authenticator as an authentication “broker.” This means that LINK employs the familiar federated sign-in process used by the Office apps from Microsoft. If you are signed in to Office, you are signed in to LINK without any additional password prompts. From the security and policy perspective, LINK supports all of your conditional access policies, including:

  • MFA requirements (either with MS Authenticator or a 3rd party such as Duo)
  • Device requirements (e.g., requiring Intune deployment)

Focused security of your data with MAM policies

LINK’s integration with the Intune SDK adds another layer of security and simplicity to managing and securing LINK. In addition to the standard MDM policies and management tools, Intune supports a different type of policy known as Mobile Application Management (MAM). These MAM policies apply to all apps that support the Intune SDK, including the Microsoft suite of apps and 3rd party apps like LINK. Many MAM policies are particularly focused on the careful treatment of corporate data.

Apps with MAM policies can be used together to enable secure workflows. For example, MAM policies allow our LINK App to share a document from a Document Management System to the Word app for secure, yet uncomplicated, editing.

MAM is a great way to ensure the security of your corporate data without asking users to give up any control of their personal devices.

Image Source: Microsoft

LINK for Intune

To add MAM support to LINK, we have released a new app – LINK for Intune. Deploying LINK for Intune offers the same functionality as the “regular” LINK app, and it adds a deeper integration with Intune so that policies can be applied to LINK even when the device is not MDM-managed.

With these recent developments from Microsoft, we think that the optimal path going forward is:

  • Use the Microsoft Intune SDK and the Microsoft Authentication Library (MSAL) to simplify authentication
  • Advance from “managed devices” to “managed apps” using Intune MAM policies

Are you considering moving to these newer approaches? What questions or observations do you have? You may download our Intune brief here.

-Seth

Seth Hallem is the Mobile Helix CEO, Co-founder, and Chief Architect.


Mobile Helix makes the LINK App which is used by attorneys and knowledge professionals to review, edit, annotate, compare, and email documents from a single, secure app.

Cybersecurity: The Workforce Gap & the Career Opportunity

Recently, I came across a LinkedIn post from a friend who was #Hiring for a cybersecurity role. It got me thinking – just how challenging is it to find and, crucially, to retain experienced cybersecurity staff? According to my friend, it is very challenging. Intrigued, I decided to take a dive into the numbers.

World Economic Forum

71% of organizations are currently unable to fill cybersecurity positions, leading to a concerning skills gap in the workforce. This issue has been highlighted by The World Economic Forum, which warns of the potential impact on infrastructure and society as a whole.

2023 Global Cybersecurity Workforce Gap – ISC2

Globally, there is an estimated 4 million person cybersecurity workforce gap. According to ISC2, the shortfall in the United States alone amounts to half a million roles.

Per Fortinet’s 2023 Cybersecurity Skills Gap Report, 68% of leaders agree that cybersecurity skills shortages create cyber risks for their organization.

An overwhelming 90% of leaders show a strong preference for hiring individuals with technology-focused certifications per the Fortinet report. Their study also brings encouraging news that 90% of leaders are willing to invest in their employees by covering the costs of certification. In alignment with this, the World Economic Forum advocates for the crucial processes of “reskilling and upskilling,” emphasizing the importance of narrowing the cybersecurity skills gap.

So, the next question is, what does it take to obtain an affordable cybersecurity certificate? This option seems promising: Google offers a Cybersecurity Certificate through Coursera suitable for these roles:

  • Cybersecurity analyst
  • Security analyst
  • SOC analyst
  • Information security analyst
  • IT security analyst
  • Cyber defense analyst

According to Google, this course can be finished in six months with less than 10 hours of part-time study per week. After a free 7-day trial, Coursera charges a monthly fee of $49, resulting in a total cost of just under $300 for the certificate.

If you’re considering a career change, be encouraged by the fact that the demand for cybersecurity professionals is high. There are even relatively low-cost ways to achieve a Cybersecurity Certificate.

Good luck!

-Maureen

P.S. – Google says that the median salary in cybersecurity (with 0-5 years of experience) is $115,000 per year. 🙌

Okta Businesses at Work 2024 – Legal Applications are the Growth Leader

Okta has application usage data which you simply will not find anywhere else. This year’s report draws data from their anonymized 18,800 global customer base. Okta is a leader in identity and access management products. You may download the full “Okta Businesses at Work 2024” report here.

Growth in app categories: Legal software is the leader in customer growth

Source: Okta (My Annotations) – Growth in App Categories

Okta kicks off this year’s report with a spotlight on Legal applications, which was the leading app category in growth of number of customers.

“There’s no time for deals or contracts to get hung up in legal. So, as we look across the most popular app categories, it’s no surprise that legal tools have locked up a win, claiming by far the highest growth by number of customers (35% YoY) and substantial 34% YoY growth by number of unique users. Apps including Ironclad, LexisNexis, and LegalZoom drive this remarkable growth story. (Fun fact: Ironclad contract management software was our eighth-fastest-growing app in 2022.)”

-Okta (my bold type)

Let’s look at those three applications:

Ironclad – Offers Contract Management software, which includes moving sales contracts through the processes of review and sign-off to speed the business process.

LexisNexis – Provides legal, regulatory, and business information and analytics, now including Generative AI. LexisNexis is a premier product in legal research.

LegalZoom – Its online platform for business formation helps entrepreneurs by providing legal, tax and compliance products and expertise.

With that promising look at the growth in Legal applications, let’s take a look at four more charts in the Okta report.

Growth of the 50 most popular apps

Source: Okta

There are two leaders here. 1Password is the fastest growing application by number of customers at 39% YoY. Amazon Business is the fastest growing by number of unique users at 89% YoY. Law firms are ramping up usage of password managers like 1Password as one of the essential tools to prevent phishing and social engineering exploits.

Not to be missed by law firms is the growth of KnowBe4 at over 20%. KnowBe4 is a Security Awareness Training product, with a focus on phishing awareness. In 2022 I cited that KnowBe4 was the leading Security Awareness solution used by 62% of law firms surveyed in the International Legal Technology Association’s 2022 Technology Survey.

Most popular apps

Source: Okta

It’s easy to see the trend of law firms in the “Overall” ranking. Microsoft 365 is rapidly being adopted, as firms migrate from other Microsoft on-prem products. Number five, Zoom, and number eight, DocuSign, are nearly ubiquitous at law firms. Number ten is KnowBe4, the Security Awareness training SaaS application.

Fastest-growing apps by number of customers

Source: Okta

Data compliance applications make a first-time appearance in the fastest-growing app ranking by number of customers. Vanta holds the number one position with 338% YoY growth. Drata ranks number six, with 91% YoY growth. Data compliance software is growing at law firms as firms are subject to regulatory and client requirements.

Most popular security tool categories

Source: Okta

Okta entitles this section: “The perimeter shifts.”

They observe that VPN/firewall continues to lead the security tool category, as it has since 2020. However, deployment of VPN/firewall grew 12% last year versus 31% in the prior year. 57% of customers have deployed VPN/firewall tools.

The second fastest growing category in security tools is Endpoint Management and Security, deployed by 43% of customers. This category has grown consistently since the emergence of work-from-home.

For those interested in legal or enterprise technology there is much more in the Okta report worth looking at in detail. You may find the report here.

– Maureen

My Four Favorite Charts from the ILTA 2022 Technology Survey

The International Legal Technology Association’s 2022 survey is a broad treasure trove of data reported from 541 law firms.

There are 11 major topics including Infrastructure, Document Management, Practice Management, and Business Continuity.

My focus is on four of the twenty-seven questions surveyed in the Security section.

1. Password Management

ILTA 2022 Technology Survey

Password managers are one of the most highly recommended solutions for security. They help with: using complex passwords, deterring repeat usage of passwords, and providing secure storage for passwords. There is a learning curve to using a password manager, but once I got up to speed, I wondered how I would live without it. We have so many passwords to juggle these days. I am surprised that 50% of respondents are not providing a password manager.

2. Multi-factor Authentication

ILTA 2022 Technology Survey

Perhaps the single most recommended security mitigation is multi-factor authentication (MFA). Here we see Duo Security (a Cisco company) is the leader at 45%. There are three Microsoft solutions listed which total 27%.

In legal tech, it’s notable when a third-party solution is more widely adopted than a Microsoft solution as most law firms operate on the Microsoft stack.

3. What do You Secure with MFA?

ILTA 2022 Technology Survey

The largest response is VPN/Remote Access. Then Office 365. It’s very good to see high adoption of MFA for these widely used applications.

4. Which Phishing, Vishing, Social Engineering, or Security Awareness Program?

ILTA 2022 Technology Survey

KnowBe4 is the stand-out at 62%. Others used are Mimecast, Traveling Coaches, Proofpoint, managed service providers, and solutions developed in-house. Only 7% reported “None.” As phishing and social engineering are the cause of about 90% of exploits, law firms are wise to have these programs in place.

You may access the full data-rich report or the executive report from ILTA. Here is the download page.

-Maureen

Your Network Has Been Locked: What I Learned at ILTACON 2022

It was wonderful to meet with you all! Last week was the first fully in-person annual educational conference of the International Legal Technology Association (ILTA) since 2019. ILTACON is truly an event of peer-to-peer sharing. Many of the members have relationships dating back decades. Having an in-person event again was fantastic.

Security was one of the most in-demand topics. There were sessions on phishing, ransomware, breaches, and solutions. Here are three takeaways from sessions which I attended on what to do when a breach occurs. Note: I am not a cybersecurity expert. These are commonsense points which anyone can learn from.

Darkside Ransomware Email – Source: Acronis

1. First Call

At 10 PM on Saturday night, Asher in Support gets a call from an attorney who says, “I’m looking at a screen which says, ‘Your network has been locked!’” Asher was educated to escalate any such messages immediately. Let’s assume that this message gets to the CIO within minutes.

Who does the CIO call first?

  • Is it a contracted or pre-vetted cybersecurity services provider?
  • Is it the cybersecurity insurance carrier?

In a session which included both a panelist from a top cybersecurity services provider and a panelist from a major cybersecurity insurance carrier, each argued that they should be the first call. Each may have distinct objectives.

The cybersecurity insurance carrier will immediately send in their SWAT team. This expertise may be quite welcome at the law firm. A good carrier will bring great expertise to bear. At the same time, law firms report that when the insurance carrier team arrives, they lose control of the process. The firm IT team may be sidelined, by contract. The insurance company may have forensics as its top priority. One of their objectives is to discover whether the law firm was out of compliance with the policy.

The cybersecurity services company will also send in their SWAT team and bring great expertise and experience to bear. If the firm has vetted the services company, their objectives should be aligned with the law firm’s.

Objectives include stopping exfiltration of firm data and business continuity. Law firms will want to safely get back to business-as-usual as quickly as possible.

2. Breach Counsel

One of the first things that the cybersecurity insurance carrier will do is to get their breach counsel engaged in the process so that communications are privileged. Law firms are uniquely positioned to get their own attorneys involved. Whether it is the insurance carrier’s attorney or a firm attorney, involve an attorney on all communications immediately. There will be public communications following the breach and perhaps legal action. Need I say more?

3. CIO Fiat to Shut Down Systems

When there is a breach, time is of the essence. Data may still be exfiltrating. While no law firm wants to do so, the best action may be to shut down all systems immediately. The moment when the firm’s data is flowing out to the hackers is not a good time to educate and negotiate with the firm’s executive team regarding shutting down systems. The CIO should have clear authority in advance to shut down systems.

Bonus: Have a Plan

Your firm is a target. Services, like Dark Utilities, make it easy for hackers to set up a command center (C2) for malicious operations. Prices for C2-as-a-Service start at EUR 9.99. Easy, inexpensive tools mean that firms of any size are a target for “drive-by” attacks.

Even while your full incident recovery program is in development, it’s time well-spent to have a plan for the three points above in order to respond quickly.

One of the benefits of ILTACON is that we learn what has worked for other law firms in real world settings. Each firm should assess their own response plan.

See you in Orlando at #ILTACON23!

-Maureen

Okta 2022 Businesses at Work Report

The 8th annual Okta Businesses at Work report is a treasure trove of data. It’s fantastic that Okta shares this data. Moreover, the report is very visual, full of graphs and charts. Here are four which illustrate enterprise web application usage in 2022.

While the gap between Microsoft 365 and the rest of the pack widens, Google Workspace moves into third place.

Of Okta’s customers who use Microsoft 365, what are the most popular “best-of-breed” apps which those customers also use? One of the stories here is growing use of Google Workspace. Zoom is still growing. Reminder: this is only a picture of Okta’s customers.

These up-and-comers show phenomenal growth, although you may not be familiar with a few of these applications. Netskope provides cloud-native security products and services. Notion is for collaboration. TripActions covers travel, credit card, and expense. Postman is a platform for building and using APIs.

You can see the steep growth in remote work here. Amongst Okta users, Palo Alto Networks Global Protect and Cisco AnyConnect are the leaders in remote access.

There is much more:

  • Popular applications by region and sector
  • HR and Workplace management applications
  • Security apps, including Okta Verify
  • Developer apps

I hope that you discovered something new.

You can download the report here.

-Maureen

Okta’s 2021 Businesses at Work Report

Each year I look forward to Okta’s Businesses at Work report. Okta anonymizes data from its more than 9,400 customer entities. These are customers which use the Okta Identity Network (OIN) with its over 6,500 integrations with cloud, mobile, and web apps, and with IT infrastructure providers. The report is free, not even a registration is needed. To my knowledge no other public report provides this level of data on cloud application usage.

For data lovers it’s a treasure trove of facts about cloud usage. There are over 28 charts and tables. Download it here. I’ll share a few of my favorite insights from the report.

Most Popular Apps by Number of Customers

Microsoft 365 wins. I attended a legal technology conference in 2014. In a session on SharePoint, hosted by Microsoft, the roadmap showed that Outlook, Exchange, and, yes, SharePoint were all moving to the cloud in the form of Office 365. People exited the room in fury. At that time, most law firms were adamant – No Cloud. While there will always be law firms, especially “Big Law,” which will keep Outlook, SharePoint, and the Office Suite on-premises, the adoption of Office 365 or Microsoft 365 in the legal sector has been swift over the past two years. The Okta data reflects this.

This chart shows that the gap in usage between Microsoft 365 and all other applications, including AWS and Salesforce, has only widened in the past 5 years.

Most Popular Video Conferencing Apps

This graph highlights the steep curve in Zoom usage which we all lived through in 2020. At Mobile Helix, we started using Zoom heavily in 2017. We even perform our LINK system deployments remotely over Zoom in about two hours. When the pandemic hit, we were easily able to deploy LINK with IT staff who were themselves working from home. Customers favor our over-Zoom deployment over an on-site visit as it ends up taking less of their time.

Customers Authenticating With Each Factor

Phishing has been up 220% during the pandemic per F5’s 2020 Phishing and Fraud Report (an excellent report on phishing). The Okta report quotes, “F5 warns that the login page of our most popular app, Microsoft 365 (M365), is one of the most popular targets for generic phishing because attackers know that stealing Office 365 credentials can grant them access not only to email but also corporate documents, finance, HR, and many other critical business functions.”

Strong Multi-Factor Authentication (MFA) should be used with M365. The chart above shows that of Okta customers authenticating with a factor in addition to, or instead of, a password, 82% use Okta Verify. The good news here is that weaker factors such as SMS and security questions are on the decline.

One of the positive conclusions from Okta’s 2021 Businesses at Work report has to be that as difficult as 2020 was, with 38M people applying for unemployment, if it had happened even 10 years earlier, how many people would have been unable to work from home? The growth of web-based applications, cloud-based services, and mobile apps resulted in most office jobs successfully transitioning to work-from-home in two or three weeks.

2020 was The Year of the Cloud.

-Maureen

Phishing Never Takes a Holiday

No. I’m not referring to the now infamous GoDaddy employee $650 holiday bonus email. Employees who responded to the email with the requested information were later informed that they had failed the company phishing test. If you have not yet read that dispiriting story, it’s here.

I am referring to this charming email which I received this morning.

Phishing Email and Fish

Phishing Email from “[email protected]”

It is from: “Mobilehelix passwordexpiration.”

Presumably, that would be warning enough for your employees to hit the “Delete” button posthaste.

If not that, then maybe those over-sized blue bands which overlap the line below would be a tip-off.

(I have obscured the recipient’s email address.)

This is a very good opportunity for me to show you a security feature in our LINK App. When you open an email in LINK you will always see the alias and below it the sender’s email address. You don’t have to tap or do anything else to display the email address. It’s there.

In this case the alias is the aforementioned, “Mobilehelix passwordexpiration.”

And the email address is, “[email protected].”

If your employee were uncertain as to whether to hit that “Delete” button, I think that seeing that the email is from “[email protected]” would be the icing on the cake. This email is definitely not from the company IT department. Delete.
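The alias-versus-address check that LINK puts in front of the reader, as an added Python example (not the LINK App’s code): it parses the From: header, shows the display name and the real address separately, and flags a display name that borrows the firm’s identity while the address comes from elsewhere. The firm domain, the impersonation terms and the sample messages are constructed; the real address from the post is not reproduced.

```python
"""Surface the sender alias and the real address side by side, as LINK does.

Added example, not code from the LINK App. FIRM_DOMAIN, IMPERSONATION_TERMS
and the sample messages are constructed for illustration.
"""
from email import message_from_string, policy

# Assumed: the only domain from which genuine IT notices reach employees
# ('.example' is a reserved TLD, so this is a placeholder, not a real host).
FIRM_DOMAIN = "mobilehelix.example"

# Constructed list of words a lure's display name tends to borrow.
IMPERSONATION_TERMS = ("mobilehelix", "passwordexpiration", "helpdesk", "itdepartment")

# Constructed sample messages modelled on the post's example: a display name
# that sounds like the company's IT department, on an address from elsewhere.
SAMPLES = {
    "spoofed": (
        "From: Mobilehelix passwordexpiration <noreply@evil-example.net>\n"
        "Subject: Your password expires today\n\nbody"
    ),
    "legit": (
        "From: IT Helpdesk <helpdesk@mobilehelix.example>\n"
        "Subject: Scheduled maintenance\n\nbody"
    ),
    "lookalike": (
        'From: "helpdesk@mobilehelix.example" <alerts@mobi1ehelix.example>\n'
        "Subject: Action required\n\nbody"
    ),
    "headerless": "Subject: no sender at all\n\nbody",
}


def split_sender(raw_message: str):
    """Return (display_name, address, domain) as the user should see them.

    policy.default decodes RFC 2047 encoded words and parses the address list,
    so a quoted display name that itself looks like an address is kept apart
    from the real addr-spec.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return "", "", ""
    first = header.addresses[0]
    return first.display_name, first.addr_spec.lower(), first.domain.lower()


def assess_sender(raw_message: str) -> dict:
    """Compare what the alias claims against where the mail actually comes from."""
    name, addr, domain = split_sender(raw_message)
    findings = []
    if not addr:
        findings.append("no parsable sender address")
    elif domain != FIRM_DOMAIN:
        findings.append(f"address domain {domain!r} is not {FIRM_DOMAIN!r}")
    # Only a display name that borrows the firm's identity while the address is
    # external counts as impersonation; internal helpdesk mail is left alone.
    squeezed = name.lower().replace(" ", "")
    borrows_identity = "@" in squeezed or any(t in squeezed for t in IMPERSONATION_TERMS)
    if borrows_identity and domain != FIRM_DOMAIN:
        findings.append(f"display name {name!r} impersonates internal mail")
    return {"display_name": name, "address": addr,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = assess_sender(raw)
        print(f"{label:10} alias={verdict['display_name']!r} address={verdict['address']!r}")
        for finding in verdict["findings"]:
            print(f"           - {finding}")
```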

We are serious about security at Mobile Helix. Much of what we build into the LINK system, such as certificate-based device registration in the new user registration process, is behind the scenes. It’s invisible to your employee and works in the background.

But this security feature is designed to help your employees to be watchdogs for senders with devious intentions. 90% of organizations experienced targeted phishing attacks in 2019. Humans are the weakest link. This is one simple tool to help all of us to be vigilant.

-Maureen

Originally published in LinkedIn on December 28, 2020