With more South Africans working from home, security has become a top concern for many businesses – especially those which deal with sensitive data.
Law firms require their employees to engage with confidential and sensitive information on a daily basis while working from home.
This raises the risk that unsecured personal hardware or networks will introduce security vulnerabilities.
MyBroadband spoke to Webber Wentzel chief information officer Warren Hero about the law firm’s strategy for addressing this risk.
Hero outlined the interventions the law firm has implemented to reduce the risk of security issues, as well as the procedure followed by its lawyers to ensure the security of their devices.
Technology and people interventions
Hero said there were two sets of interventions which the firm had implemented to reduce the risk of employee hardware being compromised.
These are “people interventions” and “technology interventions”.
According to Hero, the former involves “ongoing user training and simulations, guidelines on how to secure your home network, incident response plans, and exposure to the acceptable usage policy”.
“There are three levels of technology interventions: Identity, devices and data,” he added.
“Our approach centres around identity as our perspective is that it is the new security perimeter – implementing least privileged, roles-based access.”
“This includes multi-factor authentication, firewalls, and virtual private networks,” he said.
Smartphone and laptop security
When it comes to lawyers at Webber Wentzel keeping their smartphones and laptops secure, Hero said that the firm installs security software on employees’ devices.
“We have several end-point security capabilities that monitor and respond to known viruses and endpoint detection and response capability,” he said.
“Our posture starts with assuming break and detection is therefore key to invoking our incident response processes. With most approaches, it is about understanding the kill chain and then activating the appropriate responses.”
He added that there are restrictions on which devices the firm’s employees are allowed to use.
Hero did not elaborate on which brands specifically were barred from employee use, but said certain devices are not suitable for use based on their lack of compatibility with the abovementioned security software and various client-driven restrictions.
“There are restrictions,” Hero said. “The restrictions apply in so far as the devices are able to run the mobile device management capability.”
“There are some client driven restrictions being muted on certain mobile devices.”
He noted that in the current context of employees working from home, governance, disaster recovery, and recoverability are key metrics to ensure organizational resilience.