More and more law firms in the United States and around the world are being hacked by cybercriminals, who seek to secure sensitive emails, documents and other legal work.
In many cases, the cybersecurity weak spot for many law firms is not their perimeter security system, but their internal data security and governance systems. Cyber criminals can use phishing or other methods to get through a strong perimeter security defense, and once inside, can access all of a firm’s emails and documents.
Without strong document and monitoring systems in place, cyber criminals can continue to access these documents for days, weeks or even months without the law firm realizing. Firms can address these weaknesses by deploying technologies that restrict access to sensitive content to only those employees who need this information. This help quickly identify potential attacks.
Rafiq Mohammadi, Chief Scientist and Co-founder, iManage, recently sat down with Inside Counsel to discuss how stopping attacks is only one part of a strong legal data security strategy.
Today, law firms are trusted advisors and work on the most sensitive corporate transactions—mergers and acquisitions, SEC filings, corporate restructuring, litigation, patent applications and employee contracts.
“It is fair to say that nothing important takes place without the interaction of the corporate general counsel and law firms,” said Mohammadi. “The most sophisticated cyber criminals and state actors are now fully aware that breaching a law firm yields highly sensitive information across multiple businesses.”
Unfortunately, in today’s landscape, stopping attacks is only one part of a strong legal data security strategy. Law firms have invested significantly in both perimeter defense and employee training. According to Mohammadi, the critical next steps are:
1) Assume that defenses have been breached and invest in rapid detection of breaches and quick effective action. There are numerous case studies that demonstrate that once breached, the threat stays persistent for months. It is imperative to identify and seal breaches quickly—in the best case scenario, quick elimination translates into effective automated near real-time counter measures.
2) Protect client confidentiality by ensuring that access is on a need-to-know basis rather than broad public rights.
3) Proactive continuous auditing to demonstrate that the implemented defenses are working as planned.
4) Routine employee oriented exercises that test and demonstrate the value of information security hygiene – there are many specialized companies in this area.
5) Insistence on rigorous standards compliance for both on premise and hosted software—vendors must effectively demonstrate how they code, test and deploy software.
6) Expert outside assistance that objectively ranks the effectiveness of security measures.
“In a nutshell, good security is based on layered or in-depth defense. This is a highly-specialized domain and whenever possible law firms should invest in a Chief Security Officer,” said Mohammadi.
So, why is cybersecurity a weak spot for many law firms and their internal data security and governance systems?
“It took a while to understand that the most sophisticated attacks are carried out using automated tools that probe for any weak spot. The industry is in the midst of realizing that severity of threats has increased exponentially over the last five years and consequently the response must be far more sophisticated,” explained Mohammadi. “The biggest single realization has been the inability of perimeter defense to neutralize threats – in other words the industry has had to understand that breaches are a certainty and consequently companies must plan and deal with it.”
Mohammadi advises that law firms address these weaknesses using CERT – a very valuable resource on the nature of phishing and effective counter measures.