More and more law firms in the United States and around the world are being hacked by cybercriminals, who seek to secure sensitive emails, documents and other legal work.
In many cases, the cybersecurity weak spot for many law firms is not their perimeter security system, but their internal data security and governance systems. Cybercriminals can use phishing or other methods to get through strong perimeter security defenses, and once inside can access all of a firm’s emails and documents.
Without strong document and monitoring systems in place the cybercriminal can continue to access these documents for days, weeks or even months without the law firm realizing. Firms can address these weaknesses by deploying technologies that restrict access to sensitive content to only those employees who need this information, and that quickly identify potential attacks.
Rafiq Mohammadi, Chief Scientist and Co-founder, iManage, recently sat down with Inside Counsel to discuss how stopping attacks is only one part of a strong legal data security strategy.
Today, law firms are trusted advisors and work on the most sensitive corporate transactions—mergers and acquisitions, SEC filings, corporate restructuring, litigation, patent applications and employee contracts are common examples.
“It is fair to say that nothing important takes place without the interaction of the corporate general counsel and law firms,” he said. “The most sophisticated cyber criminals and state actors are now fully aware that breaching a law firm yields highly sensitive information across multiple businesses.”
Unfortunately, today stopping attacks is only one part of a strong legal data security strategy. Law firms have invested significantly in both perimeter defense and employee training. According to Mohammadi, the critical next steps are:
1) Assume that defenses have been breached and invest in rapid detection of breaches and quick effective action. There are numerous case studies that demonstrate that once breached, the threat stays persistent for months on the average. It is imperative to identify and seal breaches quickly—in the best case quickly elimination translates into effective automated near real time counter measures
2) Protect client confidentiality by ensuring that access is on a need to know basis rather than broad public rights.
3) Pro-active continuous auditing to demonstrate that the implemented defenses are working as planned.
4) Routine employee oriented exercises that test and demonstrate the value of information security hygiene – there are many specialized companies in this area.
5) Insistence on rigorous standards compliance for both on premise and hosted software—vendors must effectively demonstrate how they code, test and deploy software.
6) Expert outside assistance that objectively ranks the effectiveness of security measures.
“In a nutshell, good security is based on layered or in-depth defense. This is a highly-specialized domain and whenever possible law firms should invest in a Chief Security Officer,” he said.
So, why is the cybersecurity weak spot for many law their internal data security and governance systems?
“It took a while to understand that the most sophisticated attacks are carried out using automated tools that probe for any weak spot. The industry is during realizing that severity of threats has increased exponentially over the last five years and consequently the response must be far more sophisticated,” he explained. “The biggest single realization has been the inability of perimeter defense to neutralize threats – in other words the industry has had to understand that breaches are a certainty and consequently companies must plan and deal with it.”
Mohammadi advises that law firms address these weaknesses using CERT - very valuable resource on the nature of phishing and effective counter measures.