Cyber Threats to Law Firms
June 15, 2016
By Hubert Klein and Jerry Ravi
The word "cybersecurity" is a buzzword that evokes fear in many people responsible for managing law firms these days. However, the proper reaction should be one of concern and action, not fear. Your organization has an opportunity to better protect itself from cybersecurity threats with proper planning, and in return reduce the likelihood of a data breach or, even worse, a lawsuit related to a data breach. Not being properly prepared for a data breach can lead to economic loss, as well as reputational damage to a firm.
Many news reports and trade magazines indicate that hackers are increasingly targeting the legal profession for its data. Why? Because law firms' data files, both electronic and hard copy, contain a goldmine of sensitive and confidential information on both clients and firm assets. That information is valuable to criminals who traffic in stolen data files and personal information. In today's environment, cybercriminals are increasingly incentivized to obtain such content in order to make a profit. Like all opportunistic criminals, they look to the least risky and most vulnerable sources first. Those tend to be organizations that do not have secure, up-to-date data protection protocols. The cost to a law firm as a result of a data breach can run into the millions of dollars.
As technology has changed over the past decade, lawyers have consistently been using more electronic documents than they did in the past. Instead of FedEx and UPS packages containing hard copies of documents, they now communicate with clients and third parties through email, mobile devices, and other electronic channels, sending 'soft copy' documents such as Word, Excel, Access and PDF data files. Many of those files are generated within the firm and are emailed out to various non-firm recipients. The reverse is also true: many electronic data files containing sensitive information are received by law firms from clients and third parties as attachments. This happens on a regular basis these days. (Not much "send me a fax" anymore; it's much more frequently "email me the file or information, and I will put my electronic signature on it.") Regardless of the source or destination of the transmission, the raw data is generally stored on a firm server or with a cloud storage provider, as well as in backup files either on-site or off-site.
As a result, law firm IT and administrative professionals are increasingly under pressure to focus more resources in an effort to ensure that up-to-date cybersecurity and privacy standards are applied to their systems in order to control and manage information. At the same time, they are attempting to minimize their firms' risk and exposure to lawsuits for not properly protecting sensitive client and employee information.
Law firms are basically the same as any other company when it comes to countering cyber attacks and protecting their confidential and proprietary data. In today's environment, any organization in possession of sensitive data must have a security program that aligns with accepted best practices and standards. The typical response in many firms used to be "call IT," and then just hand off the responsibility to them and go back to work. However, time and the increasing pace of cybersecurity breaches have shown that this is not the best way to guard against a cyber threat. Cybersecurity is an enterprise business risk for all law firms, and it includes everyone in the organization. That means professional staff, attorneys, firm management and support personnel need to be involved in understanding the risks, both reputational and business, from a liability standpoint. They must also buy in, be proactively involved in the establishment and enforcement of procedures and protocols, and adhere to them.
How does the planning and development start? First and foremost, taking a risk-based approach will allow you to be the most effective at combating cybersecurity risk. Begin by performing an overall cybersecurity risk assessment. Establish a cross-organizational team composed of professional staff, procurement staff, finance, human resources, communications, office management, and IT personnel. Make sure there is a "tone from the top" – firm leaders have to be on board. The key areas to build out your security program are as follows:
- Identify the real risks:
  - Develop a security strategy focused on business drivers and protecting high-value data.
  - Define the organization's overall risk appetite.
  - Identify the most important information and applications, where they reside, and who has/needs access.
  - Assess the threat landscape and your security program maturity – model your real exposures.
- Protect what matters most:
  - Balance the fundamentals with emerging threat and vulnerability management.
  - Establish and rationalize access control models for applications and information.
  - Protect key identities and roles that have access to the "crown jewels." Utilize 2-factor authentication methods for access to critical data.
- Sustain your security program:
  - Get governance right – security is a board-level priority.
  - Allow good security to drive compliance – not vice versa.
  - Measure leading indicators to catch problems while they are still small.
  - Accept manageable risks that improve performance.
  - Know your weaknesses – and address them!
- Embed security in the business:
  - Make security everyone's responsibility – it's a business problem, not just an IT problem.
  - Align all aspects of security (information, privacy, physical and business continuity) with the business.
  - Spend wisely on controls and technology – invest more in people and processes.
  - Selectively consider outsourcing or co-sourcing operational security program areas.
After considering the above areas and performing a risk assessment, it is time to create and reinforce cybersecurity governance, policies and procedures, which ultimately translate into a continuous monitoring program.
- Develop a cybersecurity strategic plan (a 2- to 5-year plan) that includes remediation procedures for findings identified in vulnerability scans and penetration testing.
- Invest the resources necessary in cybersecurity technologies for data encryption, detection and monitoring.
- Identify and document cybersecurity controls – they need to be in writing.
- Establish policies and procedures for security configuration settings, access controls and logging.
- Conduct continuous training – without proper training, all your efforts will be in vain.
- Develop incident response, business continuity, and disaster recovery plans. Test those plans on an ongoing basis, at least once per year, to ensure you can respond and recover from a cybersecurity incident.
- Develop contractual cybersecurity requirements for outsourcing vendors, cloud providers, or other entities that connect to the firm's network.
- Conduct regular reviews of the security program, provide ongoing training, and update as necessary.
In the end, the best place for a cybercriminal to troll for data and content is an unsecured or minimally secured system. While antivirus software is essential, it detects only a small percentage of system threats. New (and constantly emerging) malware and other malicious software can penetrate poorly secured systems with relative ease. Specialized services that detect sophisticated attacks are generally required to properly protect an organization. Take a risk-based approach and continue to evaluate your people, processes/controls, and technology to ensure that your firm's cybersecurity program is as effective as it can be.
To determine if your systems are vulnerable to an attack or if your related policies and procedures are up to date, you should contact a cybersecurity specialist for assistance. Proper planning and implementation today can help your firm minimize its exposure and related legal liability in the event of a breach. As with everything else in running a practice, a cost/benefit analysis of the exposure to a cybersecurity breach is needed. While cost and resource allocation may be an issue, understanding and assessing any potential threat is what allows you to properly prioritize and allocate those resources.
EisnerAmper Trends & Developments - June 2016