Somedays it feels like the whole world is getting hacked. China has stolen U.S. military data through cyberspace, first for the Joint Strike Fighter and now for sensitive submarine technologies. Millions of Americans have had their credit card information pilfered as hackers breached retail companies. Even ships at sea are vulnerable, as hackers have learned to manipulate the Automated Information System (AIS) and the Global Positioning System (GPS) to alter a ship’s navigational course without their captains necessarily knowing.
These hacks are alarming in their scope and risk and immediately make headlines. But what about the quiet, subtle hack of a white glove law firm? Law firms base their reputation (and therefore their business) on confidentiality and discretion – for good reason.
The legal business is obviously a sensitive one; lawyers often interact with their clients in vulnerable or transitional states where much is at risk. Client records thus present a treasure trove of juicy data for any hacker: personally identifiable information, banking data, and correspondence. All data that could make or break a case for a client and her firm.
Some law firm breaches have been disastrous for victims. Recall the eye-popping hack of the Panamanian law firm Mossack Fonseca and the release of terabytes of data in the “Panama Papers” disclosure that followed. (Mossack Fonseca shuttered in March 2018 due to the illegal practices the hack revealed.) Plenty of law-abiding corporate firms have been hacked and abused online, and every hack implicates the firm as well as its clients.
Security teams in the emerging security environment
For a security professional in a law firm, you are out to do two things: (1) secure your firm’s data and (2) do so without disrupting the daily work of the firm’s partners and associates. What are you defending yourself against and where should you invest in people, processes, and technology to best succeed?
Data theft and disclosure are obvious concerns for law firms. If the last decade was the decade of data disclosure, however, firms would be wise to worry about data manipulation going forward. Yes, your client’s emails (and yours) could be leaked. But what if a hostile actor could penetrate your firm’s networks, gain access to your cloud environment, and manipulate data to change the facts of the case on paper?
What if a hacker went into a file and changed the date altering the timeline of the crime trajectory in your argument? Such data manipulations could make cyberspace operations into a perfect weapon against a law firm. Lawyers cannot build a case and judges cannot try a case if they cannot trust or verify the information on which the case is based.
So, what are the most important assets for a firm to secure? First are the digital tools that the firm uses to store and track its clients' documents. Lawyers store lots of data about their clients and need intuitive systems with which to do so; a Document Management System (DMS) is the lifeblood of a law firm’s storage and retrieval operations, and the application’s security is vital for confidentiality. Often provided by third-party application developers, some DMS applications are more secure than others and firms will often work with the application developers to get security up to snuff.
Balancing security and ease of doing business
Security teams want strong cybersecurity for the firm, but they also face pressure from partners and others to minimize impacts on the end user. In busy law firms, security teams often face a long uphill battle in selling partners on strong security solutions if the capability could ever slow down the firm’s daily business.Law firms don't want security products to cause friction or latency.
Yet in the age of constant breaches, any effective cybersecurity tool will require some element of change management. Firms need to balance their long-term competitive advantage (including confidentiality and discretion, both of which are hard-won yet easily lost) against the need to win cases for clients.
How should law firms proceed?
Like any enterprise, firms need to understand their most important and data-dependent missions, gain visibility into their assets and behaviors, and invest in systems to secure their data centers and cloud environments beyond application security alone.
The good news is that this spring, security teams all over the world got a big boost through the European Union’s General Data Protection Regulation (GDPR). Security teams can now use GDPR’s breach notification requirements and fees to drive change across their firms. This is especially true for firms that represent or touch European citizens, but the GDPR’s impact is being felt across the world as companies consider their digital future and the world they want to build.
We are in a new era of cyberspace operations and data manipulations. Over the last decade, state and non-state hackers honed their tactics, always seeking new methods to exploit gaps and opportunities to gain an advantage. The world was once focused on preventing intellectual property theft and preventing disruptive attacks on critical infrastructure; now we add preventing manipulative attacks on political organizations, social media, and a nation's electorate, and internet access is increasing rapidly in Asia and further afield.
The Russian attack on the 2016 U.S. presidential election may have marked the end of Act I of our cybersecurity story. We’re now at an inflection point between two futures. In one future, cyberattacks will continue to increase in pace, diversity, and severity. Breaches could have impacts that we cannot yet imagine, but we know that state and non-state groups will seek to use the long tail of digital technology in whatever way they can to get ahead.
In a second future, organizations across the globe invest in cybersecurity and resiliency measures to drive down risk and secure data centers and the cloud from the inside. If the financial and energy sectors led the way in building their cybersecurity capabilities over the last decade, in Act II of our cybersecurity story we will hopefully see a second wave of investments as more and more organizations come to grips with life in the digital age.
Breaches will happen, but it is so much better if you can limit breach to three servers as opposed to 3,000 servers. Firms can invest now in cyber resilient systems to prevent breaches from spreading.
Law firms are full of smart, driven, and strategic thinkers and leaders. Many have served in government roles across the United States. Today firms have an opportunity to build a strong cybersecurity foundation for themselves and for their clients, and to help nudge the world towards that second, more resilient future.