Okta’s 2021 Businesses at Work Report

Each year I look forward to Okta’s Businesses at Work report. Okta anonymizes data from its more than 9,400 customer entities. These are customers which use the Okta Identity Network (OIN) with its over 6,500 integrations with cloud, mobile, and web apps, and with IT infrastructure providers. The report is free, not even a registration is needed. To my knowledge no other public report provides this level of data on cloud application usage.

For data lovers it’s a treasure trove of facts about cloud usage. There are over 28 charts and tables. Download it here. I’ll share a few of my favorite insights from the report.

Most Popular Apps by Number of Customers

Microsoft 365 wins. I attended a legal technology conference in 2014. In a session on SharePoint, hosted by Microsoft, the roadmap showed that Outlook, Exchange, and, yes, SharePoint were all moving to the cloud in the form of Office 365. People exited the room in fury. At that time, most law firms were adamant – No Cloud. While there will always be law firms, especially “Big Law,” which will keep Outlook, SharePoint, and the Office Suite on-premises, the adoption of Office 365 or Microsoft 365 in the legal sector has been swift over the past two years. The Okta data reflects this.

This chart shows that the gap in usage between Microsoft 365 and all other applications, including AWS and Salesforce, has only widened in the past 5 years.

Most Popular Video Conferencing Apps

This graph highlights the steep curve in Zoom usage which we all lived through in 2020. At Mobile Helix, we started using Zoom heavily in 2017. We even perform our LINK system deployments remotely over Zoom in about two hours. When the pandemic hit, we were easily able to deploy LINK with IT staff who were themselves working from home. Customers favor our over-Zoom deployment over an on-site visit as it ends up taking less of their time.

Customers Authenticating With Each Factor

Phishing has been up 220% during the pandemic per F5’s 2020 Phishing and Fraud Report (an excellent report on phishing). The Okta report quotes, “F5 warns that the login page of our most popular app, Microsoft 365 (M365), is one of the most popular targets for generic phishing because attackers know that stealing Office 365 credentials can grant them access not only to email but also corporate documents, finance, HR, and many other critical business functions.”

Strong Multi-Factor Authentication (MFA) should be used with M365. The chart above shows that of Okta customers authenticating with a factor in addition to, or instead of a password, 82% use Okta Verify. The good news here is that weaker factors such as SMS and security questions are on the decline.

One of the positive conclusions from Okta’s 2021 Businesses at Work report has to be that as difficult as 2020 was, with 38M people applying for unemployment, if it had happened even 10 years earlier, how many people would have been unable to work from home? The growth of web-based applications, cloud-based services, and mobile apps resulted in most office jobs successfully transitioning to work-from-home in two or three weeks.

2020 was The Year of the Cloud.

-Maureen

Phishing Never Takes a Holiday

No. I’m not referring to the now infamous GoDaddy employee $650 holiday bonus email. Employees who responded to the email with the requested information were later informed that they had failed the company phishing test. If you have not yet read that dispiriting story, it’s here.

I am referring to this charming email which I received this morning.

Phishing Email and Fish
Phishing Email from “noreply@freeinvoice.it”

It is from: “Mobilehelix passwordexpiration.”

Presumably, that would be warning enough for your employees to hit the “Delete” button posthaste.

If not that, then maybe those over-sized blue bands which overlap the line below would be a tip-off.

(I have obscured the recipient’s email address.)

This is a very good opportunity for me to show you a security feature in our LINK App. When you open an email in LINK you will always see the alias and below it the sender’s email address. You don’t have to tap or do anything else to display the email address. It’s there.

In this case the alias is the aforementioned, “Mobilehelix passwordexpiration.”

And the email address is, “noreply@freeinvoice.it.”

If your employee were uncertain as to whether to hit that “Delete” button, I think that seeing that the email is from “noreply@freeinvoice.it” would be the icing on the cake. This email is definitely not from the company IT department. Delete.

We are serious about security at Mobile Helix. Much of what we build into the LINK system, such as certificate-based device registration in the new user registration process, is behind the scenes. It’s invisible to your employee and works in the background.

But this security feature is a designed to help your employees to be watchdogs for senders with devious intentions. 90% of organizations experienced targeted phishing attacks in 2019. Humans are the weakest link. This is one simple tool to help all of us to be vigilant.

-Maureen

Originally published in LinkedIn on December 28, 2020

LINK App: Send-and-File to DMS

We are receiving more and more requests to Send-and-File to iManage and NetDocuments. Our LINK app has done this for years.

Filing email to DMS is becoming important from a governance perspective. Not only do law firms want emails to be accessible in DMS with the Matter. But some law firms want to reduce the risk of years of email in Outlook. One of our law firm customers deletes all email at the 90-day mark. Truly. Another firm archives all email after 90 days. Retrieving email from the archive is possible but time-consuming. Therefore, filing to DMS becomes more attractive to attorneys.

Even without such law firm email policies, filing email to the Matter is increasing. The key is that is filing to DMS needs to be easy.

But Send-and-File on mobile devices is rare. It requires a tight integration of DMS and Email, as well as comprehensive security to protect confidential client data. LINK provides both the easy workflow and the security. Draft the email, tap Send, then tap a Recommended, Recent, or DMS folder to file.

LINK has predictive filing, too. LINK learns where you file a certain correspondent’s email and will show you Recommended, Recent, and DMS folders. In many cases you can file to one of these folders with a single tap.

New in LINK, the attorney can now go to the LINK email settings to turn Send-and-File on or off by default. The attorney can also toggle Send-and-File off and on, per individual email by tapping the envelope icon in draft email. When the envelope is green, Send-and-File is on.

Send and File Setting in LINK

Watch this brief video to see all of LINK’s Send-and-File features.

If you have questions, just write to us at: contact at mobilehelix.com. We’re ready to help you.

Learn more about LINK’s encryption, authentication, and secure container in this 5-minute video: LINK’s Security and Data Protection.

-Maureen

Who is putting security at risk? It might be your CXOs…

A new report from MobileIron, “Trouble at the Top,” is eye-popping, although perhaps not surprising to IT professionals. In fact, it might provide very helpful data in making your case for security policies within your organization.

Between February and March 2020 Vanson Bourne interviewed 300 enterprise IT decision-makers and 50 C-level executives in Europe, UK, and the US regarding their organizations’ mobile security protocols.

C-Suite executives are highly targeted for cybersecurity attacks, including phishing.

Yet “76% of C-level executives admitted to requesting to bypass one or more of their organization’s security protocols” during the last year, per the findings.

In a note of irony for IT professionals, “Almost three in four (72%) IT decision-makers also claimed the C-suite is the most likely to forget or need help with resetting their passwords,” writes ZDNet, quoting from the MobileIron study.

MobileIron’s overall point is that employees need the right tools to be secure and productive at the same time. Or, as we would say, security measures cannot afford to impair usability or people will conjure up a way around them.

There is much more in the study. You can register for the download of MobileIron’s “Trouble at the Top” report here.

-Maureen

Protect Your Data in a Remote Work Environment – ILTA Educational Webinar

Working remotely became a neccessity almost overnight. But were firm architectures ready? Two common entry points to system hacks, social engineering and network vulnerabilities, threaten the security of remote working. In this session, Mobile Helix CEO and Chief Architect, Seth Hallem, will describe these vulnerabilities and propose practical and actionable ways to address these weaknesses using safe browsing, network proxies, authentication, authorization, and DLP. These mitigations apply to both desktop and mobile devices.

This is an ILTA Educational Webinar. It is free to members as well as to non-members as part of ILTA’s COVID-19 content. Non-members may register for a free login-in.

WATCH THE RECORDED WEBINAR HERE

Outline:

I. Social engineering: Phishing, “Water Hole,” SIM card swaps

   Mitigations including:

    A. Safe browsing

    B. No SMS

    C. Web filtering via proxying

    D. Data Loss Prevention (DLP): printing, recipient checking, metadata filtering

II. Network vulnerabilities

    Mitigations including:

    A. Layered security

    B. Filter – proxy

    C. Authenticate the source – certificates, IP fencing, DoS defense

    D. Authenticate the user – AD credentials, complex passwords, SSO

    E. Authorize – manage email attachments

III. Example of a secure architecture

We welcome you and your questions on June 10th.

Write to us at: contact@mobilehelix dot com.

-Maureen

ILTA LegalSEC Summit 2019 Redux

We are back from a busier than ever ILTA LegalSEC Summit. People attend LegalSEC to genuinely learn how they can keep their law firms protected. This is no easy feat because cybersecurity is a moving target. While Big Law firms participate, there is great value for small and medium sized firms where there might not be a CISO. The Director of IT or network engineer might be the security department. The two or three days at LegalSEC are packed with information.

This year the well-received keynote by William R. Evanina, Director of the National Counterintelligence and Security Center, was recorded. Another popular session was “Leverage These Free Resources to Up Your Security and Governance Game.” Both of these and several other LegalSEC 2019 sessions can be heard at no cost by ILTA members, here.

Heads up, save the date. Next year’s LegalSEC Summit 2020 will be June 1-3 and the location…San Antonio at the Marriott Riverwalk. If you have visited the Riverwalk you know that this is a fantastic location. Hope to see you there.

Mobile Helix LINK at ILTA LegalSEC Summit 2019, June 3-5

We love LegalSEC!

and we are a sponsor again this year. We will be at Table number one showing LINK’s latest mobile DLP features.

Stop by to say hi and to see a LINK demo. Our LINK app’s encryption, containerization, and authentication provide strong security for your documents and data. Now LINK offers key word and metadata filtering, recipient checking, and restriction on emailing files from classified workspaces.

This year’s keynote speaker is William R. Evanina, Director of the National Counterintelligence and Security Center.

Register here

ILTA LegalSEC Summit 2019 Keynote Speaker William R. Evanina

LegalSEC Summit 2019 is designed for technology professionals at every level who manage security, information governance and data privacy tech projects and initiatives in support of the practice of law. This exciting two-day Summit offers premier learning and a connected networking environment to focus on information security challenges faced by the legal industry.

Is Your Email Vulnerable? Ask the Chinese Military

Image: ribkhan, Pixabay

I’m a current events junkie. I’ll admit it. And I work with law firms. Thus, my favorite podcast? “Stay Tuned with Preet.” Yes, this is Preet Bharara, the former U.S. Attorney for the Southern District of New York. Check out an episode. Preet takes a few questions about the law at the beginning of each episode. Then he has a guest. Preet is not only smart, but surprisingly personable. It’s a fast-moving hour.

A recent guest was John P. Carlin, former Assistant Attorney General for the National Security Division at the Department of Justice and Chief of Staff to Robert Mueller at the FBI. He is currently a partner with Morrison & Foerster. Carlin is an international cybersecurity expert.

One of the things which caught my attention in this episode was Carlin’s story of the US subsidiary of a German company whose data was stolen by hackers in the Chinese military. The company, SolarWorld, in Hillsboro, Oregon, made solar energy components.

How was the data stolen? Email. Carlin said, “Email. It is the least protected part of the system, usually. Not like Intellectual Property which is encrypted or where special measures are taken to protect it. They stole email traffic.”

Continue reading

Our CEO in CSO: Ripped from the headlines – are your messages secure in these encrypted apps?

In the investigations of Paul Manafort and Michael Cohen, the FBI has retrieved messages from Signal, Telegram and WhatsApp. While there are weaknesses inherent in all of these apps, the question remains: What does a good data protection scheme look like?

 

A few days ago, the FBI revealed that Michael Cohen’s messages sent with Signal and WhatsApp are now available as evidence in the on-going investigation into his various dealings. While thousands of emails and documents have already been recovered from Cohen’s devices, home, hotel room, and office, the recovery of data from messaging apps that promise end-to-end encryption is surprising. One would presume that end-to-end message encryption should ensure that those messages are unrecoverable without assistance from Mr. Cohen. However, clearly that is not the case.

Continue reading

In the aftermath of yet another Meltdown, no secrets are safe – Seth Hallem

Meltdown and Spectre reveal that perfect information protection comes at an increasingly steep cost.

In the field of data security, 2018 began with a jolt. The revelation of the Meltdown and Spectre security vulnerabilities has taught us that in 2018 (and beyond), nothing is sacred.

Speculative execution, the architectural concept that is exploited in the Spectre vulnerability, has been in use by mainframe processors since the mid-1970s. It is taught in Computer Architecture 101 in universities around the world. And yet, it turns out that the security implications were never fully understood until about seven months ago.

Out-of-order execution, the culprit in the Meltdown vulnerability, is also a ubiquitous concept, although Meltdown is easily avoided with a better implementation of the concept.

Continue reading