Due to the frequency and severity of high-profile data breaches and hacks, most law firms are aware of the risks and challenges they face in securing their IT infrastructure and safeguarding client information. Law firms respond to this threat by offering advice to their clients on data privacy and cybersecurity, with some even branding it as a core offering. Internally, they often employ a team of technical experts who help secure their most valuable asset, data, such as client information and sensitive case files.
Despite this response, the challenges that firms deal with are not common technical issues or shortages of IT security personnel. After considering their business environment, most firms’ primary problem is figuring out how to effectively weave cybersecurity and risk mitigation practices into the fabric of their IT infrastructure. In short, the tools and practices attorneys depend on to protect and safeguard information often stand in the way of business, making them difficult to implement and use.
Over the last few years, cybersecurity as a topic has gained tremendous momentum and gone mainstream, with stories like the recent Marriott breach (where more than 500 million customer records containing sensitive data were leaked, with the exposure dating back to 2014) becoming more and more commonplace. Just one week after the disastrous and high-profile Marriott breach, we learned that the website Quora had a security breach affecting 100 million users or more.
Although law firm data breaches are not reported in the media as frequently as those in other industries (or are not publicly disclosed at all, for various reasons), they remain a significant and growing threat: a recent survey identified over 10,000 network intrusion attempts per day across just 200 law firms, and another report estimated that 80 percent of the 100 largest law firms had suffered a malicious computer breach. Unsurprisingly, another report revealed that the largest share of these intrusions (43%) was due to phishing, hacking or malware, and another 32% of cyber incidents were due to employee action or mistakes.
On a typical day, law firms operate in a complex and constantly shifting environment, balancing multiple projects for clients and staffing attorneys who work on numerous client matters simultaneously. Attorneys also conduct most of their business over email, receiving and sharing a variety of documents with their clients. In response, it is common for firms to establish a file transfer process to secure these communications, facilitating the transfer and sharing of files with clients on their network.
Sadly, this complexity leads to vulnerability: hackers are aware of these dynamics within law firms and leverage them in their attack methods, as exemplified by the frequent attempts to embed malicious code in everyday business documents disguised as normal communication. The innate trust relationship between an attorney and client makes it far more likely that someone will click on or open the infected document.
Laying the groundwork for these issues is the rapid pace with which technology is not only changing the way we do business but impacting our day-to-day lifestyle. Because most of the intrusions occur due to a lack of personal responsibility (phishing, etc.), the burden rests with each one of us to educate ourselves and help others rise to the challenges posed by the explosion of technological advancement in the workplace.
Taking lessons from prior mistakes is incredibly important, as past breaches and hacks have demonstrated that a few very simple measures can go a long way in prevention and network security. These lessons include basic cyber-hygiene practices such as:
1. Ensuring the passwords used are complex and frequently changed.
2. Using two-factor authentication before providing access.
3. Restricting physical and online access to critical databases and systems to staff on a ‘need to know’ basis (known as the ‘principle of least privilege’).
4. Applying the required security patches promptly, and without hesitation.
5. Keeping the software used by the firm updated and current – hackers are constantly developing new ways to penetrate your network, so you must be equally diligent in building up your defenses.
Failing to adopt these easy practices and policies will only increase the probability of a breach and the risk of regulatory and reputational harm to your firm. While such security measures are good cyber-hygiene practices, unfortunately they will not, on their own, deter a determined or sophisticated attacker.
In some cases, the consequences of neglecting your firm’s cyber-safety could be much greater than the loss of data and trust, and attorneys need to think broadly about their statutory obligations to safeguard client information. While some federal, state and local laws apply directly to firms, many regulated clients also dictate their own obligations and risk mitigation strategies, which means attorneys must be mindful of requirements passed through to them by serving clients in regulated sectors. If your client is a hospital or a medical clinic, for example, your firm could be considered a ‘covered entity’ under the Health Insurance Portability and Accountability Act (HIPAA), and the privacy requirements under that statute may apply to and pass through to you and your firm.
To complicate matters even more, the Federal Trade Commission (FTC) has studied and documented the increased demand on law firms to deliver cost-effective and efficient services, and how legal service providers are increasingly leveraging software and computer technologies to provide their services more securely – attorneys took some comfort in knowing that a federal agency was at least aware of the burdens placed upon them. On the other hand, however, the FTC is also looking into how law firms transmit and retain client information over the internet, and whether firms have ‘reasonable and necessary measures’ in place to safeguard client information (which could lead to harsher requirements).
At ColorTokens Inc., we have been working with several large and small law firms to adequately protect their IT environment and safeguard client information. Some of the methods that have worked well at law firms include:
- Make your network visible: IT teams get unprecedented visibility and thus a clear understanding of how the different servers, applications and networks are interconnected, what applications and resources your users access on the network, and how data flows between them.
- Understand your risk posture: Understand how your critical applications, such as your document management system (DMS), are exposed to risk – both from external and internal network participants. Out-of-the-box network probing, coupled with vulnerability assessment, arms security teams with unparalleled analysis of the risk posture of the network and its assets. They can use this to prepare a risk mitigation plan with measurable outcomes.
- Simplify audits and compliance: Meet client and regulatory requirements and simplify audits by providing granular visibility and enforcement controls across your firm’s IT environments. Drastically reduce audit complexity, thereby cutting the time, resources and operational costs spent reporting on and remediating audit findings.
- Reduce your application risk surface: Applications have a clearly defined ecosystem. Ensure that they are accessible only from the necessary networks and participants, and nothing more.
- Solve your freedom challenge: Provide senior partners the freedom to work on their projects, while ensuring that their liability from a compromise is kept as low as possible. Enforce “need to know” security with ease.
- Protect against insider attacks: Enable process-level visibility and granular control of critical servers and endpoints. With fully customizable lockdown features, transactional servers and endpoints such as laptops and desktops can be made tamper-resistant to known and unknown threats like malware, ransomware, and sophisticated APT lateral-movement threats.
Without a strong zero-trust system such as ColorTokens, it is very difficult for law firms to demonstrate to their clients that they have the most comprehensive cybersecurity plan in place. While it may be incredibly difficult to prevent a sophisticated and determined bad actor, implementing the above measures and weaving them into the fabric of a law firm’s IT infrastructure will undoubtedly limit exposure, strengthen protection and significantly mitigate enforcement action from regulatory authorities and clients. The internet has become a hostile place, and anything connected to it cannot be trusted and must be verified, every time – or your network, your assets and the very well-being of your firm are at risk.