Legal Archives - Thrive
https://thrivenextgen.com/category/legal/

The Partner That Knows: Legal Industry eBook
https://thrivenextgen.com/the-partner-that-knows-legal-industry-ebook/
Fri, 19 Jan 2024 20:12:13 +0000

Legal firms, like many other organizations, face a range of cybersecurity issues that stem from the increasing digitization of information and communication. An increase in remote work and reliance on the cloud and emerging technologies has led to a rise in cyber attacks and data breaches, putting confidential legal information at risk.

The increased threats to the IT infrastructure of legal firms has left the industry scrambling for a robust and effective solution to thwart bad actors. Legal firms’ ethical responsibility to maintain attorney-client privilege is at stake, which cyber criminals know and often use to their advantage when conducting ransomware, phishing, and other attacks that can get them access to the overwhelming amount of sensitive information that is housed within legal firms’ databases.

5 Strategies for Enhanced Confidentiality in Law Firms
https://thrivenextgen.com/5-strategies-for-enhanced-confidentiality-in-law-firms/
Tue, 09 Jan 2024 05:06:16 +0000

Confidentiality is of the utmost importance when it comes to managing sensitive and private information. This is especially true for law firms, where client confidentiality is a top priority. With the increasing use of technology in the legal industry, it has become even more challenging to maintain strict levels of confidentiality.

To ensure that confidential information is protected, law firms must implement methods that go beyond the basics. Following are five effective strategies for enhanced confidentiality, including managed IT for law firms.

What Are Common Challenges for Law Firms?

Law firms face a unique set of challenges when it comes to confidentiality. These challenges include:

  • Vulnerable Digital Networks: Law firms are at a higher risk of cyber attacks due to the confidential information they possess. A single security breach can lead to severe consequences such as reputational damage and legal liability.
  • Human Error: Confidentiality breaches are largely due to human error. Untrained employees may accidentally disclose sensitive information through email or other digital platforms.
  • Lack of Encryption: Many businesses do not have strong encryption protocols or managed IT for law firms to protect their data from unauthorized access. This makes it easier for hackers to gain access to confidential information.

How Can Law Firms Improve Confidentiality?

To overcome these challenges and ensure enhanced confidentiality, law firms can implement the following 5 strategies:

1. Enlist an MSP

Relying on managed IT services for law firms means outsourcing the management of a firm’s technology systems to a third-party service provider. These providers have the knowledge and expertise to handle the specific needs of law firms, including sensitive data protection.

By enlisting an MSP (Managed Service Provider), law firms can ensure that their digital networks are protected with advanced security measures, regular updates, and 24/7 monitoring by experts.

2. Make an Incident Response Plan

Having a well-defined incident response plan in place can help law firms handle confidentiality breaches quickly and effectively. This plan should include identifying the breach, containing the damage, and notifying affected parties.

3. Back Up Your System Regularly

Back up the firm’s data regularly to ensure that confidential information is not lost in case of a breach or a technical failure. This backup should be done both onsite and offsite to provide additional protection.

4. Restrict Data Access

Not all employees need access to all confidential information. Implement strict data access controls to limit the number of individuals who have access to sensitive data. This minimizes the risk of human error or unintentional breaches when it comes to managed IT for law firms.

5. Implement Security Software and Training

Invest in advanced security software, such as firewalls and anti-virus programs, to protect against cyber threats. Additionally, provide regular training for employees on best practices for data protection, including how to identify potential phishing emails or other scams. This will ensure the natural element of human error is minimized for the safety of your business.

Thrive: Proactive Managed IT for Law Firms

At Thrive, we understand the importance of confidentiality for law firms. That’s why we offer proactive managed IT for law firms—our services are tailored to meet the specific needs of legal professionals. With our advanced security measures and 24/7 monitoring, you can have peace of mind knowing that your confidential information is in safe hands.

Don’t let vulnerabilities in your digital networks put your firm at risk. Contact Thrive today to learn more.

UK Legal Firms Facing Unrelenting Cyber Onslaught
https://thrivenextgen.com/uk-legal-firms-facing-unrelenting-cyber-onslaught/
Mon, 18 Dec 2023 20:11:08 +0000

In the aftermath of our previous blog on cyber-attacks targeting the legal sector in the UK, we delve deeper into the latest assaults, shedding light on the dire consequences and offering insights on bolstering cyber defences to avert severe business disruptions. This article unveils recent attacks on law firms and the high stakes for failing to take adequate safety measures.

The Allen & Overy Saga: A High-Profile Confrontation

The most high-profile recent victim is Allen & Overy – the UK “magic circle” law firm that fell prey to the notorious Russian ransomware group Lockbit. This London-based legal giant, founded in 1930, is the 7th largest integrated law firm globally, with approximately 5,500 employees and 500 partners across 31 nations. Allen & Overy was in the process of merging with Shearman & Sterling and faced a cyber onslaught that threatened to expose sensitive data. The merger was to create a 4,000-lawyer firm with 800 partners across 48 offices by May 2024. Lockbit added Allen & Overy to its victim list in early November 2023, claiming they had acquired their data and planned to publish it soon.

Prompt action by external cybersecurity experts helped isolate and contain the breach, sparing the firm’s core system data, email, and document management systems. Weeks later, as forensic investigations and remediations unfold, the firm continues to operate with limited disruption, underscoring the importance of swift and well-planned responses to such threats. The speed of response by Allen & Overy and the additional remediation and planning after the attack were critical to avoid catastrophic data loss.

Dire Warnings for Legal Businesses

Lockbit, the group behind the Allen & Overy attack, should be considered a significant threat. The National Cyber Security Centre (NCSC) labelled Lockbit as the most deployed ransomware in 2022, emphasising the devastating impact of their attacks. NCSC Director of Operations Paul Chichester urges organisations to comprehend the severe consequences of ransomware assaults on operations, finances, and reputation: “It is essential for organisations to understand the serious consequences that ransomware attacks can have on their operations, finances, and reputation.”

Since January 2020, entities of various sizes operating within critical infrastructure sectors such as finance, food and agriculture, education, and healthcare have experienced attacks from Lockbit affiliates utilising diverse tactics and methods. The wave of Lockbit’s widespread attacks across these critical infrastructure sectors reinforces the urgency for heightened cybersecurity measures.

Legal Sector in the Crosshairs

Legal firms have long been prime targets due to their safeguarding of sensitive client data. Past incidents, such as the £5 million ransomware attack on Ince in July 2022 and the 2021 assault on Simplify Group, the UK’s largest conveyancing company, highlight the sector’s vulnerability.

Simplify Group’s breach resulted in a month-long system shutdown, showcasing the significant financial implications and potential fallout for law firms facing cyber threats. Vendors and buyers were left in turmoil for up to a month, unable to finalise any transactions. As for affected data, current and former staff members from conveyancing firms using Simplify were impacted by this breach. However, there is no indication customer data was stolen. Simplify had a class action lawsuit filed against them by other law firms on behalf of outraged clients, resulting in potential financial liability and implications.

Multi-Million Costs and Business Implications

Simplify Group’s annual report reveals the attack’s direct costs amounting to £7.3 million, partially covered by insurance. The incident prompted discussions with capital providers to safeguard the company’s long-term funding and capital structure. Indirect costs, including a reduction in client intake for ten weeks while remediation occurred, profoundly impacted the firm’s financial performance.

This severely affected the results for that financial year, when the company was otherwise on track to complete a record number of cases. Shareholders injected £15 million for post-breach recovery, underscoring businesses’ substantial challenges after cyber incidents.

Regulatory Scrutiny and Urgency for Preparedness

While Simplify immediately engaged a leading cyber response team, being prepared ahead of time is necessary in this dangerous era of cyber threats. In August 2023, the ICO reprimanded Durham law firm Swinburne Snowball & Jackson (SSJ) for not having sufficient protections in place and not being aware it needed to report data breaches to the ICO.

An employee’s Outlook email account was targeted in a spear phishing attack, impacting payments to beneficiaries of a probate case. The first breach was on January 11, 2021, but SSJ only became aware three days later, and the account’s password was changed on January 15. Following the incident, SSJ notified its data insurer, the Solicitors Regulation Authority (SRA), and the ICO after 11 days. SSJ faced repercussions for lacking sufficient protections and delayed reporting of that spear phishing attack.

SSJ did not have multi-factor authentication (MFA) in place for the account, claiming that its IT contractors had not previously recommended doing so despite various bodies, including the National Cyber Security Centre (NCSC), SRA, and Law Society, advocating for strong authentication measures.

The ICO also criticised SSJ for failing to comply with GDPR obligations regarding secure personal data processing to ensure ongoing system security and confidentiality and urged training while providing standard non-compulsory recommendations on governance, identity and access controls, technical control selection, staff training, and supply chain security. They warned, “If further information relating to this matter comes to light, or if any further incidents or complaints are reported to us, further regulatory action may be considered.”

A Call to Action: Strengthening Cyber Defences

The SSJ case is a stark reminder of the repercussions of inadequate cybersecurity measures, while the Allen & Overy incident showcases the imperative of being proactive. At Thrive, we specialise in fortifying businesses against data theft risks. Contact us today to ensure your clients’ data remains secure in the face of evolving cyber threats.

Guardians of Justice: Navigating the Cyber Storm Threatening UK Law Firms
https://thrivenextgen.com/guardians-of-justice-navigating-the-cyber-storm-threatening-uk-law-firms/
Tue, 21 Nov 2023 14:49:07 +0000

A devastating storm of cyber attacks is raining down on the British law industry. Considering its over 230,000 solicitors and legal executives handling delicate data on client mergers, acquisitions, and general legal proceedings, these attacks have a distinctly devastating impact on the UK legal field.

In a recent review, the Solicitors Regulation Authority (SRA) identified that, since 2020, cyber attacks had targeted 75% of law firms, resulting in a devastating loss in 23 out of 30 businesses, having lost more than £4 million. In this blog, Thrive sheds light on the magnitude of this destruction and guides you in effectively safeguarding your sensitive client information against such attacks.

Rising Threat: UK Law Firms Face Surge in Data Breaches Amid Shift to Remote Work

Data breaches are not a new threat for law firms, but they are exploding in prevalence. According to the Equality & Human Rights Commission (CRC), 73 of the UK’s top 100 British law enterprises have been targeted, rising from 45% in 2018-19 to 73% in the most recent financial year.

A substantial shift in the work/life balance in the UK prompted by the Covid-19 pandemic has been the critical factor in this trend. The pandemic forced over 60% of companies to transition to Cloud-based work, a trend that has continued into the post-Covid era. As a result, storing more client information online makes law firms extremely attractive online targets.

UK Law Firms Face 4,000 Daily Cyber Attacks, Costs Surge

90% of the top UK law firms have personally experienced this threat – 55% of which faced viruses and other malware, and 16% of which faced extreme attempts to hack into their company’s network. To put this into context, over 4,000 cyber attacks are launched every day. This equals 170 every hour and almost three every minute. Law firms must protect themselves and their clients against this vastly underestimated but dangerous threat.

The shift to remote online working has also impacted the costs of such a breach. Attacks that previously cost companies £2.8 million now cost £3.57 million due to the sheer quantity of online client data. The overall rise in data breach costs is 10%, with the average weighing around £3.05 million.

These numbers refer to the larger law firms, but what about SMEs in the legal sector?

Cyber Attacks Costing Unprepared Firms an Average of £150,000

SMEs are equally exposed to cyber attacks, as they’re perceived as easier targets by hackers who assume they do not have the measures to handle them. Small or medium law businesses could unwittingly be exposed to these well-orchestrated attacks simply because they are unaware of the costs that other law firms are facing.

The average data breach cost for businesses of this size is £310,000. Still, if the company is unprepared, it can cost additional billable hours to seek help from experts to investigate the cyber breach, notify victims, and take extra preventive measures to avoid future attacks. The SRA has shown that this number can reach around £150,000 for unprepared firms.

Although becoming steadily less commonplace, many SMEs have minimal pre-emptive measures to deal with such an attack. Typical law firm cyber attacks have previously been initiated through an item of hardware with old, unpatched software on it. This is the ‘open window’ that allows attackers to gain entry to systems. The impact on other companies in the field has seen the entirety of a firm’s data locked, resulting in a hefty ransom demand to allow the company to continue working.

The legal businesses in these real-life examples did not have an adequate cyber incident response plan in place, which resulted in the companies ultimately floundering and seeking urgent help from their IT support teams and local police. Some situations were so dire that paying the ransom seemed the only option. This cements the need for a standalone cyber insurance policy, disaster recovery plan and employee cyber awareness training.

Magic Circle Attack

A recent case of this occurring is that of London-based Allen & Overy, the latest major ‘magic circle’ corporation attacked by ransomware hackers. They announced this incident following posts on X (formerly Twitter), claiming hacker group Lockbit had targeted the prominent firm, threatening to publicise sensitive files.

Lockbit is a hacking group notorious for locking access to government and corporate networks and demanding payment in return for not publishing private data and correspondence, such as the high-profile Royal Mail hack in January we previously blogged on – blocking its access to data until payment. Thankfully, Allen & Overy had a technical response team in place and an independent cyber security adviser on standby to aid in the containment and isolation of the attack. This resulted in minimal affected client data, not impacting their email or document managing system – all thanks to the preventive measures they had taken.

In a similar case, the cyber team at Gateley, a UK Top 50 firm, quickly identified an intrusion and acted immediately, securing all systems. The firm did state that it was confident that its IT support had successfully limited the impact of the cyber attack and did not foresee any evidence of a material effect on the company’s financial performance, with just 0.2% of its data affected.

NCSC Best Practices for Cybersecurity

Published advice from the NCSC is that companies should ensure they back up important data regularly and use offline storage facilities, which render a degree of protection against ransomware and other cyber threats. Multifactor authentication is, as ever, recommended, as well as ensuring the least privileged access to safeguard against potential attacks.

However, to ensure that the best measures are put in place for your business, a thorough risk assessment should be performed – identifying weak points in your business and prioritising cybersecurity investments. Employees should be comprehensively versed on your firm’s threats and the best action when dealing with them.

Best practice includes enforcing user access controls and ensuring that businesses and their employees have strong password policies, significantly minimising the risk of unauthorised access. A significant risk to SMEs that fail to safeguard their clients’ data in these ways is that of legal challenge – with consequences ranging from client lawsuits to fines from the ICO.

 

If this blog has caused you to reflect upon the readiness of your firm when tackling this genuine threat, don’t hesitate to contact Thrive.

We are highly experienced in working alongside SMEs in your sector to reach absolute security in the face of data breaches and similar recent threats. We can help you guarantee your business’s and its employees’ safety by staying ready against these ever-growing risks.

What Do Cybersecurity Laws like Connecticut HB 6607 Mean For Your Business?
https://thrivenextgen.com/what-do-cybersecurity-laws-like-connecticut-hb-6607-mean-for-your-business/
Wed, 23 Mar 2022 13:53:12 +0000

Recently, Connecticut has become the third state to incentivize best practices in cybersecurity for businesses with HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”.

This new law prohibits the Superior Court of Connecticut from assessing punitive damages against an organization that implements reasonable cybersecurity controls, such as the NIST Cybersecurity Framework or CIS Critical Security Controls.

Essentially, as long as the cybersecurity approach utilized by a business is up to industry standards and considered reasonable in its capacity as a security platform, then neither the cybersecurity firm nor the businesses utilizing their services can be held legally liable in the case of a damaging cyberattack that exposes PII or other sensitive information.

This law, along with federal laws under discussion, highlights that C-Level Executives and Boards of Directors need to be as concerned with cyber risk as they are traditionally with fiscal risk. The stakes are just as high and proper approaches to risk mitigation are required to maintain business solvency.

So if your business is located in Connecticut, Ohio, or Utah (or if you want to proactively follow best practices to help protect personal data and shield your company from legal harm), what steps should you be taking?

1. Assess Your Current Cybersecurity Posture Against the NIST or CIS Frameworks

Both the NIST and CIS frameworks provide valuable direction to an organization’s overall approach to assessing and improving its cybersecurity posture. Beginning with the identification of vital assets in need of robust protection, these frameworks serve as actionable guides to enhancing the defense of that data & continually evolving protocols as more information becomes available. These frameworks lay the ground for organizations to begin by implementing essential security services and further implement more full-spectrum advanced engineering coverage.

2. Prioritize Solutions and Services that Help Comply with the Framework

The CIS framework takes a priority-based approach with regards to security protocol, whereas NIST is considered to focus more heavily on assessing and reducing overall risk. Whichever framework you choose for your organization, prioritizing and protecting your most valuable assets first is the goal. Complying with your chosen framework may include implementing a NextGen firewall, end-user workstation security, or advanced patching services. Thrive offers these services unbundled to enable the creation of a custom solution tailored to the needs of each client.

3. Create a Plan to Stay Up to Date as Frameworks Evolve

To help keep organizations protected, the CIS and NIST frameworks are continually updated, which is reflected in HB 6607. Organizations have six months from when the changes are published to re-comply with the frameworks to maintain compliance under the law.

Perhaps one of the biggest benefits of working with a security-first MSP is that their team of Certified Information Systems Security Professionals (CISSPs) can focus on staying up-to-date on the latest threats and breaches while you focus on your organization’s operations. In an ever-changing technology landscape, keeping up with best practices can be a headache. But no matter what approach you take, ongoing testing, validation, management, and reporting are key to its effectiveness.

Conclusion

By financially incentivizing adherence to well-established frameworks, these laws make cybersecurity a C-level, and even board-level, area of concern. They help establish clear targets for companies, which is critical in an era of non-stop marketing hype around new technologies and the constant news cycle around the latest attacks and bad actors. Plus, these laws should ultimately help safeguard all of our data, making criminal actions less of a moneymaker.

If you’d like to talk with a Thrive cybersecurity expert about how to navigate laws like Connecticut HB 6607, please contact us today and request a free assessment.

SEC Proposal Could Bolster US Financial Infrastructure
https://thrivenextgen.com/sec-proposal-could-bolster-us-financial-infrastructure/
Mon, 14 Mar 2022 20:02:05 +0000

Proposed on February 9th, SEC 38a-2 would help bolster the cybersecurity posture of investment institutions in the US by holding undersecured, non-compliant parties responsible for fallout and reporting of breach events. Now reinforced by cyber attacks related to tensions abroad, this proposal would strengthen the US’s financial infrastructure by incentivizing them to stop ignoring the importance of protecting sensitive data from cyberattacks.

What Is SEC 38a-2?

The SEC’s proposal would promote improved cybersecurity resiliency for investment companies and advisers and hold them responsible for the federal reporting of successful attacks and maintaining a strong cybersecurity posture. The proposal looks to establish 3 key areas of compliance: policies and procedures, reporting, and disclosure practices.

Policies and Procedures

  1. Risk Assessment

    Periodic risk assessments would be required for compliance. Documentation outlining findings and prioritization of mitigation tactics would also need to be maintained for potential future audits.

  2. Maintenance and Monitoring of User Security and Access

    Regulated investors and advisors would be responsible for minimizing user-based risk by ensuring that unauthorized access to information systems is blocked. This includes authentication techniques like MFA and 2FA as well as periodic password resets.

  3. Information Protection

    Organizations would be required to periodically assess user access to the information contained on their systems to ensure that sensitive data is being adequately protected. Logged information such as where and how information is stored, accessed, or transmitted is included in this required review.

  4. Threat and Vulnerability Management

    A plan for threat detection, mitigation, and remediation, as well as vulnerability monitoring, would need to be outlined and executed.

  5. Incident Response and Recovery

    Investment companies would be required to have procedures in place to detect, respond to, and recover from attacks. SEC reporting procedures would also be required as part of this plan.

Reporting

Under the new proposal, investment companies must report “significant adviser cybersecurity incidents” to the SEC on new Form ADV-C within 48 hours of detection. This Form would gather information regarding the scope and nature of each incident, including what information was compromised, how the firm plans to recover from the incident, whether clients or law enforcement were notified, and whether the incident is covered under a cybersecurity insurance policy. These reports would not be publicly available after filing.

Disclosure

Documentation would be required to be available to investors and clients outlining the ’s cyber readiness plans, along with any incidents that had occurred within the previous 2 years. This information is believed to enable investors to make more informed decisions when choosing to remain with or begin engaging with an adviser.

Improving Infrastructure Resiliency

The SEC’s new proposed rules are grounded in section 206 of the Advisers Act. Learning from past malware attacks, the intent of this new proposal would be to bolster investor confidence and protect them from advisers and investment companies not doing their part to protect and recover sensitive information. With the intention to hold all regulated entities accountable for cybersecurity compliance, under Rule 38a-2, these entities could no longer put security measures on the back burner, and jeopardize the stability of our financial infrastructure.

Internal IT is Not the Only Option

The measures proposed above do not need to be fully planned or executed internally to the investor or adviser required to maintain compliance. Thrive’s experienced cybersecurity and compliance teams are experienced in providing NextGen technology services to the financial services industry. From private equity to investment banking institutions and everything in between, Thrive is here to help our clients achieve and maintain superior protection from the known – and the unknown.

The Push to Evolve: Why Law Firms Need Cloud Computing to Compete
https://thrivenextgen.com/why-law-firms-need-cloud-computing-to-compete-thrive/
Mon, 08 Mar 2021 15:00:06 +0000

Law firms have often had to bridge a digital divide in handling clients, cases, documents, employees, and more. Now, challenging IT issues like remote work, cyber security, application management, privacy regulations, and data governance have only made it more difficult to remain technologically sound. Yet there is a tremendous opportunity for firms to transform their operations by taking advantage of all that the Cloud has to offer.

At Thrive, we leverage advanced technology to help bring law firms into the 21st century, moving critical applications to the Cloud Workspace and modernizing their IT infrastructure without complicated employee retraining or upscaling. The Cloud also gives law firms the agility and flexibility to not only easily modernize technology, but gain a competitive advantage, because they can seamlessly transition to new practice management software or add cutting-edge collaboration tools that boost efficiency and improve service.

For law firms, the time is now to go all-in on Cloud computing.

Leveraging Thrive’s Robust Cloud Platform

In our experience, most law firms are operating with an IT infrastructure that requires better redundancy, higher levels of security, and remote access. On-premise servers, which require maintenance, a proactive approach, and backups, can lead to IT headaches.

On-premise servers also limit employee productivity to a single desktop or laptop. Without Cloud-enabled virtual desktops, firms can’t empower their teams to succeed in the fast-paced legal world, which largely requires courthouse trips, off-premise meetings, and on-the-go communication.

Deploying a Cloud environment also means debunking some myths perpetuated about access and security.

Myth #1: If I’m in court and the internet is lagging, I can’t get to data.

Reality: Access to applications is available 24/7 from compatible devices. Anyone can work from anywhere.

Myth #2: I don’t trust the cloud.

Reality: The Cloud is highly reputable. Thrive Cloud, our private Cloud service, is hosted in a SOC 2 Type II-certified data center. Building a Cloud platform from the ground up protects valuable client information, going well beyond the entry-level office firewall and providing the ability to encrypt data in transit or at rest.

Reducing Complexities While Gaining Workplace Flexibility

For firms with just one office or a small team, an on-premise server, while outdated, may get the job done. However, an on-premise server is not compatible when satellite offices or remote computing are introduced into the equation. Perhaps a firm has two locations and each has its own server – suddenly, the IT team must manage a disjointed environment, which acts as two separate firms. A clunky, legacy VPN only adds to the frustration.

With remote workforces increasing in prevalence, security is another critical topic of conversation. Recently, a client learned their insurance provider would not renew their cyber policy unless they upgraded endpoint detection and response solutions on each of the firm’s computers. Thrive’s Endpoint Detection and Response protects firms by offering real-time, automated security across all devices – in the office, at home, and on the move.

Thrive’s Cloud Desktop as a Service (DaaS) platform optimizes performance and cost, while providing access to multiple Hybrid Cloud platforms, all managed by our experienced team of engineers. Moving both SaaS-based and legacy applications to the Cloud keeps everything aligned, even when legacy applications aren’t yet ready for that next level of performance. When legacy applications do evolve or become SaaS-based, they can be removed, making way for the newest SaaS-based option.

Law firms can control costs while improving security and resiliency with a Cloud solution, and gain peace of mind knowing important legal applications will be available when they need them most. The knowledgeable team at Thrive is here to help your firm make the move to the Cloud.

How Government and Law Enforcement Can Be CJIS Compliant While Mobile https://thrivenextgen.com/how-government-and-law-enforcement-can-be-cjis-compliant-while-mobile/ Tue, 12 Jan 2021 14:58:52 +0000 https://thrivenextgen.com/?p=24857 The internet has gone on a permanent ride-along. It wasn’t long ago when gathering information and getting online meant that police officers and other law enforcement officials needed to get to a secure desktop computer…

The post How Government and Law Enforcement Can Be CJIS Compliant While Mobile appeared first on Thrive.

The internet has gone on a permanent ride-along. It wasn’t long ago that gathering information and getting online meant that police officers and other law enforcement officials needed to get to a secure desktop computer at HQ, log on through a car-mounted device, or rely on radio information from a dispatcher connected at the station. But today, just like nearly 80% of Americans, law enforcement officials are performing many of their job functions on a mobile device. While this offers a host of benefits, it does raise concerns regarding Criminal Justice Information Services (CJIS) compliance and requires agencies to take steps to ensure they are CJIS compliant while mobile.

Benefits of Mobile Devices for Government and Law Enforcement

By utilizing their smartphone or other handheld technologies, police officers and law enforcement officials can stay connected, even after leaving the confines of their office or vehicle. They’re able to maintain access to critical information, in addition to being able to engage with the general public and solve challenges much more effectively. Some of the ways that mobile devices improve law enforcement effectiveness and efficiency include:

  • Capturing photos, video, or audio
  • Access to Computer-Aided Dispatch (CAD) applications
  • Access to departmental policies and resources
  • Issuing electronic citations
  • Identifying individuals through biometrics (facial recognition, fingerprinting, or iris scanning)
  • Language translation
  • Drug identification
  • License plate scanning and identification
  • Driver’s license scanning and verification
  • Breathalyzing suspects (no need for a separate unit)
  • Two-way communication with fellow officers

That’s not all. Mobile devices can also improve situational awareness through location services, improving officer safety (they can also be used for officer-in-duress alerts, i.e., SOS messaging).

Tips for Implementing a Law Enforcement Mobile Program

When accessed in the cloud through a mobile device, criminal justice information needs to be properly secured to ensure your agency is CJIS compliant while mobile. While some smaller agencies may have a “bring your own device” (BYOD) policy, it can often be a recipe for disaster. BYOD may be acceptable for the most basic phone functions, but it simply is not secure enough to meet most CJIS compliance regulations regarding the access of sensitive government information. Instead, law enforcement agencies should provide agency-issued phones connected to a strong enterprise mobility management (EMM) infrastructure that operates through a secure virtual private cloud (VPC). This requires a few steps:

  1. Software Assessment. A review of existing software components and their compatibility with mobile devices.
  2. Mobile Carrier. “No service” is not acceptable! Agencies need to find a carrier that offers the “three C’s”—coverage, customer support, and cost benefits.
  3. Cloud Provider. Agencies will want to find a provider offering high levels of security and complete CJIS compliance.

Once these steps have been taken, agencies can begin their rollout (possibly utilizing a test group before deploying mobile technology department-wide). Devices will need to be properly configured, and PINs, passwords, and biometrics will need to be set up to unlock certain functions in compliance with CJIS regulations. A written policy explaining the benefits of the mobile program and expectations (what is and what is not allowed) should also be provided to each user. Training to provide an understanding of cybersecurity and data breaches is also a must, as individuals’ understanding of these potential threats may vary.

What is CJIS Compliance?

Criminal Justice Information Services, or CJIS, is a division of the FBI that monitors criminal activities in local and international communities using analytics and statistics provided by law enforcement. The CJIS databases provide a centralized source of criminal justice information (CJI) to agencies nationwide. The mission of CJIS is, “To equip our law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties.” CJIS policies cover best practices in wireless networking, remote access, data encryption, and multiple authentication.

How Do CJIS Compliance Regulations Impact Mobile Device Programs for Government and Law Enforcement?

CJIS regulations affect almost every aspect of data management within law enforcement agencies, and compliance is mandatory when accessing CJIS-controlled databases. Despite the relative newness of mobile devices in law enforcement, strict protocols are already in place regarding their use. This is to protect the criminal justice database systems and the sensitive data associated with personal information, such as an individual’s criminal and identity history, biometrics, and property possession.

Understanding CJIS Policy Section 5.13

To ensure your agency is CJIS compliant while mobile, when rolling out your program and selecting software, mobile carrier, and cloud provider, agency administrators should pay close attention to CJIS Policy Section 5.13, which specifically covers mobile cellular devices. Within this section, the following minimum standard requirements are detailed. Mobile devices must have the following capabilities:

  • Remote wiping of device
  • Remote locking of device
  • Setting and locking device configuration
  • Detection of “rooted” and “jailbroken” devices
  • Enforcement of folder- or disk-level encryption
  • Application of mandatory policy settings on the device
  • Detection of unauthorized configurations
  • Detection of unauthorized software or applications
  • Ability to determine the location of agency-controlled devices
  • Prevention of unpatched devices from accessing CJIS systems
  • Automatic device wiping after a specified number of failed access attempts

CJIS Compliance for Cloud Usage in Government Agencies and Law Enforcement

CJIS compliance also gets specific when it comes to the use of the cloud and cloud storage within CJIS Security Policy Section 5.10. Despite the abundance of cloud providers out there, law enforcement organizations taking advantage of the cloud’s storage capacity benefits will want to find a provider that meets CJIS requirements. Be wary of providers claiming they are “CJIS certified,” as no central certification or accreditation exists for CJIS. A good rule of thumb is to find a provider that has services available for purchase through a General Services Administration (GSA) contract. The GSA was established in 1949 and helps support the basic functions of federal agencies.

Today’s smartphones and mobile devices offer a wealth of benefits for police officers and other law enforcement officials, but it’s important to remain CJIS compliant to protect yourself, the agency, and the public at large. By working with carriers and cloud providers that meet CJIS requirements, and remaining on top of their ever-changing regulations, government agencies and law enforcement organizations can take advantage of the benefits and avoid negative consequences.

Ensure Your Government or Law Enforcement Agency is CJIS Compliant While Mobile With Thrive!

Considering a mobile program rollout within your organization? Then consider Thrive. We ensure strict security protocols, 99.99%+ uptime, and a complete compliance package, meeting the requirements for CJIS. Learn more about the Thrive difference here, or contact one of our IT experts today for a free consultation.

How the Cloud is Helping to Solve Law Enforcement Challenges https://thrivenextgen.com/how-the-cloud-is-helping-to-solve-law-enforcement-challenges/ Fri, 21 Sep 2018 13:28:31 +0000 https://thrivenextgen.com/?p=24843 “Bad boys, bad boys, whatcha gonna do?” In 1989, the TV show COPS made its debut with a unique concept: have a camera crew follow police officers as they take down thieves, drug dealers, and other…

The post How the Cloud is Helping to Solve Law Enforcement Challenges appeared first on Thrive.

“Bad boys, bad boys, whatcha gonna do?” In 1989, the TV show COPS made its debut with a unique concept: have a camera crew follow police officers as they take down thieves, drug dealers, and other criminals. Fast-forward nearly 30 years, and today approximately 95% of large police departments are using body-worn cameras (BWCs) or have committed to using them soon to record police officers’ day-to-day activities. While these innovative devices are improving police and community relations, even resulting in a 90% decrease in citizen “use of force” complaints, they’ve also created a mountain of seemingly unmanageable surveillance footage. Now, the question facing law enforcement agencies is, how is body camera footage stored?

Police Body-Worn Camera Usage Soars

Today, 34 states and the District of Columbia have created police camera laws, and they continue to be a focus of state lawmakers who are increasing funding through state and federal grants. That’s not all. Lawmakers now want recordings to be on high-definition video to enhance clarity, and protect officers from false accusations of misconduct. They also want to implement minimum retention time for BWC, dash cam, and static surveillance video (in Texas, for example, police camera video must be retained for at least 90 days). That’s a lot of video, requiring a lot of storage space. Think about it: with dash cams alone, police were dealing with terabytes of data; add BWC footage into the mix, and now they’re forced to manage petabytes.

Cloud Computing in Law Enforcement

Along with the influx of new video footage, agencies also need to store police reports, photographs, crime mapping, analytics, fingerprints, and other classified and sensitive information. To manage all this data, law enforcement agencies are increasingly turning to cloud computing. Most clouds are highly scalable, and able to increase storage capacity with the flip of a switch to accommodate increasing data needs. But when moving to the cloud, organizations need to keep in mind the security and compliance laws and regulations by which they are bound.

Cloud Computing Laws and Regulations

The International Association of Chiefs of Police (IACP) has set up some Guiding Principles on Cloud Computing in Law Enforcement. Think of them as a CJIS checklist; most are pretty straightforward, and we’ve simplified many below (you can view the IACP’s more in-depth guidelines here).

1. FBI CJIS cloud compliance must be met.

Cloud providers must comply with the requirements of the Criminal Justice Information Services (CJIS) Security Policy and acknowledge that the policy places restrictions and limitations on the access, use, storage, and dissemination of CJI, with which they must also comply.

2. All data storage systems must meet the highest common denominator of security.

With the increase of locally-collected data such as body-worn cameras, law enforcement agencies should store all collected data at the highest level of security (often the FBI CJIS standard).

3. Data ownership and data mining.

Almost all cloud service providers specify that the client owns the data, but the IACP requires it in writing—along with the procedure for migrating data to another service, or back to in-house servers (this is known as cloud repatriation). The IACP also advises agencies to make it clear that data is off limits for any data mining or ancillary operations of that cloud provider.

4. Auditing.

Cloud service providers must allow law enforcement agencies to conduct audits of performance, use, access, and compliance.

5. Integrity.

Providers must maintain physical or logical integrity of CJI by separating law enforcement agency storage and services from other customers.

6. Availability, Reliability, and Performance.

The degree to which the cloud service provider is required to ensure availability and the performance of data and services is dependent on the criticality of the service provided. For some services, such as the retrieval of archived data or email, lower levels of availability may be acceptable, but for more critical services like Computer-Aided Dispatch, levels of 99.9% or greater are required.

Security and CJIS Compliance on the Cloud

The cloud offers a whole new way for law enforcement agencies to securely store valuable footage and files while remaining CJIS compliant and following IACP guidelines. Thrive works with state and local organizations and can help you make a seamless move to the cloud. Our Cloud service is a virtual private cloud solution designed for national, state, regional, and local government agencies. We ensure strict security protocols, 99.99%+ uptime, and a complete compliance package, meeting the requirements of CJIS, HIPAA, PCI, SOC, and SSAE16. Contact Thrive today to learn more about our Cloud services.
