Protect the Client, Defend the Law Firm
Your Law Firm is a Target
If you think cases like the Panama Papers are yesterday’s news, think again.
Malicious actors of all stripes recognize the value in attacking a law firm. While hacking a bank yields actual cash, a law firm stores a variety of data for many different clients that can be monetized in numerous ways.
In 2015, Mossack-Fonseca – the firm victimized in the Panama Papers case – was hacked and had millions of its internal records stolen. Client names and sensitive legal documents made their way to the International Consortium of Investigative Journalists (ICIJ), exposing a global clientele that had counted on the anonymity the firm was supposed to supply.
In 2016, Chinese hackers breached various law firms in order to obtain information on pending corporate mergers. The hackers used that non-public information to buy stock prior to the mergers, making over $4 million. The New York U.S. Attorney’s Office noted that “between March and September 2015, the Defendants attempted to cause unauthorized access to the networks and servers of five other law firms on more than 100,000 occasions.”
Law firm security breaches are on the rise. Between 2014 and 2015, Big Law (500+ attorneys) saw a 15% increase in breaches (10% to 25%). The 2016 ABA Legal Technology Survey Report states breaches have been reported by firms of all sizes, and that “14% of respondents overall and one in four respondents from firms with 10-49 attorneys and 500+ attorneys reported that their firm had experienced a data breach at some time.”
How prepared is the average firm to deal with this cyber threat? Not very.
Law firms are not in the security business. Spending money on things outside of the core business, especially something as technical and complex as cybersecurity, can seem risky. An hour on the Internet researching cybersecurity technologies is enough to either put you to sleep or drive you insane.
We’ve seen the legal industry gravitate toward ethical duties surrounding the handling of eDiscovery. It is only a matter of time before similar opinions are issued regarding client data as more firms get breached.
Simple Attacks, Straightforward Solutions
Contrary to popular opinion, most successful hacks are not “sophisticated” nor do they use advanced techniques. The vast majority of successful attacks are the result of an employee being phished, or falling for some other form of social engineering. A well-crafted phishing email or sufficiently convincing story over the phone plays on human nature: the one system for which there is no firewall.
The good news is that taking steps to defend your firm, and your clients by extension, does not have to be complicated or expensive. You can effectively deal with the vast majority of threats and reduce the risk of data loss by focusing on fundamentals.
Practical, effective, and inexpensive ways to reduce risks associated with cyber threats
1) Implement two-factor authentication. You’re already familiar with one-factor authentication: your password. As the name implies, two-factor authentication (2FA) uses a token of some type – usually generated on your smartphone – as a second factor. Someone can steal your login ID and password through various means, but they’re not going to get your phone too (if they do, you’ve got other problems). 2FA radically increases the effort required to break into a system.
2) Employ full disk encryption. Full disk encryption (FDE) allows you to use the data on your system, but if that system is lost or stolen the data on it cannot be accessed without a passphrase. Both modern Windows and Mac systems come with some type of FDE capability built in.
3) Conduct regular phishing training. It doesn’t take much to create a well-crafted phishing email, but there are numerous ways to identify a phish if you know where and how to look. This is a practice that needs to be ingrained, and the best way to do that is through repetition.
4) Use a virtual private network for remote access. Work from home? Travel a lot and use airport or hotel Wi-Fi? Connect to the office network through a VPN to keep unauthorized third parties from eavesdropping on your connection.
5) Make backups of your data frequently and store them offline. Ransomware is becoming the scourge of the Internet. It is only a matter of time before a firm is hit and a very cold, hard business decision has to be made: pay the ransom, or lose all the encrypted data. Could you restore data by asking clients to resend copies? Sure, but how long will it take to re-create your lost work product? How happy is the client going to be about any of this?
6) Move to the cloud. Putting client data in the cloud seems like a risk, but you could never replicate the level of protection a company like Google implements on your own systems, nor would you want to. Putting data in the cloud outsources a great deal of your security solution to people who think about this stuff 24/7, and eliminates the need to buy and maintain your own IT infrastructure.
7) Delete anything you don’t need. In an ABA survey, 27% of respondents reported having no policy, or not being aware of any policy, regarding document retention and deletion. In an age where computer storage is so cheap, it’s easy not to care how much data you hold on to or for how long. Here is the thing about data: hackers can’t steal what you don’t have. If you don’t need it, send it back to its owner and/or delete it.
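To make item 1 concrete, here is an added example (not code from the original article) of what happens behind a phone-generated token: the app and the server share a seed, both derive a six-digit code from the current 30-second time step (the TOTP scheme most authenticator apps use), and the server checks the code alongside the password hash. The user record, password and salt are constructed for the demo; the seed is the published RFC 6238 test seed.

```python
import base64, hashlib, hmac, struct

# Constructed demo record: a hypothetical user with a PBKDF2 password hash
# and a base32 TOTP seed of the kind an authenticator app is enrolled with.
SALT = b"constructed-demo-salt"
USER = {
    "name": "associate@example-firm.test",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", SALT, 100_000),
    "totp_seed": base64.b32encode(b"12345678901234567890").decode(),  # RFC 6238 test seed
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed_b32: str, now: int, step: int = 30) -> str:
    """What the phone app displays: the counter is the current 30-second time step (RFC 6238)."""
    return hotp(base64.b32decode(seed_b32), now // step)

def verify_totp(seed_b32: str, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps to
    tolerate phone clock drift; each candidate is compared in constant time."""
    secret = base64.b32decode(seed_b32)
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))

def login(password: str, code: str, now: int, user=USER) -> bool:
    """Both factors must pass. A stolen password alone, or a code copied from
    an old phishing page (now expired), is not enough."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000), user["pw_hash"])
    return pw_ok and verify_totp(user["totp_seed"], code, now)
```

A production system would additionally remember codes already accepted within a step so the same code cannot be submitted twice.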
None of these solutions are expensive. Several of them are free.
What’s the difference between free or cheap products and “enterprise” products in this space? Generally speaking, it is the lack of external support. Your IT manager or system administrator will need to spend some time getting familiar with and implementing the solutions above, but none of them are onerous.
Think about the data your clients entrust to you. Think about how devastating it would be if that data were in the hands of a malicious actor of any sort, or simply out in the open.
Not taking any steps to secure your data is equivalent to not protecting your client, and can lead to needing a lawyer of your own. Making an effort to defend yourself against cyber threats is a proactive step that reduces risk and sets you apart from firms that are simply waiting to become victims.
What steps have you taken?