For professionals

Learning from case studies of client loss and loss of confidence. Is your PC locked?

~What if “OS login authentication” was the biggest security risk?~

1. New threats facing professional services and their background

The work of professionals such as lawyers, tax accountants, certified public accountants, judicial scriveners, and social insurance and labor consultants requires a high level of expertise, and they handle extremely sensitive information, such as their clients’ assets, family composition, health information, labor data, and litigation records.
On the other hand, the business PCs, laptops, and shared servers that store and manage this information are not necessarily protected by a strong security system. In particular, if OS login authentication is “only ID and password”, there is a risk that all business information will be opened to others like an “unlocked safe” if the password is leaked.

In addition, as flexible working styles such as teleworking and working outside the office become more widespread, the use of devices taken off the premises and of VPN connections has increased sharply. As a result, there has been a steady stream of incidents of device loss or theft and of information leakage due to remote “impersonation access”, even among small and medium-sized businesses, including professional services.
What’s even more problematic is that unauthorized access and data removal are not necessarily “attacks from the outside.” For the industry as a whole, the proportion of incidents caused by internal fraud (e.g. misuse of a former employee’s account) and loss of a computer by an insider cannot be ignored.

Against this background, an increasing number of experts are stating that the biggest factor in the recent spate of data leaks was the failure to implement multi-factor authentication (MFA).
In other words, the first step in security measures is to introduce a system that can properly authenticate “who is operating the device,” which will be the foundation for protecting information and maintaining trust in the legal profession.

2. What is applippli-key?

applippli-key is a security solution that protects business PCs by enforcing multi-factor authentication (MFA) at the time of OS log-on.

  • Supported OS: Windows 10/11, Windows Server 2016 or later
  • Authentication method: TOTP (Google/Microsoft Authenticator compatible)
  • Features:
    ・Enforces MFA at OS logon for in-house PCs
    ・Security in the local environment with or without SaaS implementation
    ・Simplicity of deployment and flexible support for existing network design
    ・Can also be implemented on cloud virtual machines and local environment virtual machines.

3. Why is OS login MFA necessary for the profession?

◆ Prevention of internal fraud and impersonation by former employees

  • With password-only authentication, it is easy for former employees to misuse accounts.
  • Introduction of MFA physically stops “spoofing operations”.

◆ Risk countermeasures for mobile work and working outside the office

  • Information leakage occurs immediately if a lost or stolen PC is logged in to.
  • MFA realises an “environment where operations cannot be performed even if the PC is physically present”.

◆ “Minimum technical defense” to maintain the trust of clients

  • This is an era in which not only professionalism but also attitude to security is subject to evaluation.

4. Actual cases of information leakage in the professional sector (background: MFA not introduced)

[Case 1] Tax accountant’s office: Leakage of client information due to theft of a laptop computer (Tokyo, 2023)
• Cause: MFA not introduced. Unencrypted files.
• Damage: Loss in the order of tens of millions of yen. Customer cancelled the contract.

[Case 2] Social insurance and labor consultant: Loss of PC during a visit (2022)
• Cause: 4-digit password, no MFA.
• Damage: Obligation to report to the Labour Standards Office. Three clients terminated their contracts.

[Case 3] Judicial scrivener: Cloud ledger hijacking (2020)
• Cause: Password leakage + no MFA.
• Damage: Compensation for damages due to registration errors.

[Case 4] Social insurance and labor consultant: Leakage of pension information (2022)
• Cause: No terminal authentication; USB encryption not implemented.
• Damage: Ministry of Health, Labour and Welfare (MHLW) notice, contract cancellations ensued.

[Case 5] Law firm: Impersonation operation by former staff (2021)
• Cause: Former employee’s account left unattended; no MFA.
• Damage: Falsification of evidence. Impact on legal proceedings.

These are just the tip of the iceberg.
Most of these problems also stem from vulnerabilities in the authentication for login and usage, which allowed the … This indicates precisely that most of the actual damage could have been prevented if MFA such as applippli-key had been introduced for OS logins.

5. Effects of the introduction of applippli-key

| Item | Before introduction | After introduction |
|---|---|---|
| Authentication security | Password alone | Double confirmation with one-time code + password |
| Customer information protection | Unprotected storage on portable devices | OS login not possible without MFA |
| Reliability | Difficult to explain after damage | Explainable to customers as a precautionary measure |
| Legal compliance | Privacy law violation risk | Effective externally as a preventive measure |

6. Suggestions for professionals

Why not start with a small number of terminals and test the introduction of MFA in stages (PoC)?

  • “Visualise security” with the introduction of applippli-key, even on administrator PCs alone.
  • In addition to supporting client and legal compliance, it also contributes to employees’ peace of mind.

Contact us anytime for detailed information, quotation and free trial.

――Protect the trust and safety of your firm from PC log-ins with applippli-key――

We hope you will consider this as part of your cyber security enhancement plan.
