This article was originally published on legalitprofessionals.com.
Law firms face constant threats in cyberspace. They hold a treasure trove of sensitive data that’s attractive to everyone from homegrown hackers to hostile nation-state actors, and according to the American Bar Association’s 2017 Legal Technology Survey, 22 percent of law firms experienced a cyberattack in 2017 (up from 14 percent in 2016). Following a breach, the global average “dwell time” – the time an intruder remains inside an organization before being discovered – is 191 days. The most infamous law firm hack to date was the breach of the Panamanian law firm Mossack Fonseca, which ultimately led to the firm’s closure.
Some firms are taking proactive measures to secure themselves and their clients’ data, but many need to improve their approach. The goals of a cybersecurity strategy are broadly understood – prevent data loss and disclosure. But where do you start, how will it impact you at the organizational level, and what technology investments need to be made?
Regulatory environments are changing quickly to keep pace
Firms should begin by looking at the threat and regulatory environment. The cybersecurity landscape has changed over the last decade: law firms and other organizations are more exposed to cyberattacks, from insider threats to phishing to denial of service. In response, cybersecurity and privacy regulation has increased in both the United States and Europe, most recently with Europe’s General Data Protection Regulation (GDPR) and strict state cybersecurity laws in Colorado and California. Also in 2018, New York’s Department of Financial Services (DFS) enacted strict cybersecurity regulations for the banking sector, insurance companies, and other institutions under its jurisdiction.
Increased sector regulations have brought a trickle-down effect on firms, and cybersecurity audits have increased in both depth and frequency. Ten years ago, clients in regulated sectors would send a checklist of cybersecurity items to a law firm to ensure compliance with standards, and the law firm would then send the questionnaire back. Today clients engage firms with more nuanced questions, often with follow-up calls, and sometimes site visits. Firms are starting to hire outside cybersecurity service providers to scan their networks to ensure they have closed vulnerabilities and rate the firm’s overall cybersecurity posture. The strength of that score can impact whether a firm wins or loses new clients – and that’s huge.
So, what are the four things that the best law firms are doing to combat cyberattacks and protect client information?
1) Establish a dedicated security leader and team to identify goals and develop strategies.
This practice mirrors what the U.S. Defense Department did in 2010 when it created U.S. Cyber Command and elevated the military’s command and control of cyberspace operations from a three-star to a four-star general. With the organization established and the four-star in place, the Defense Department developed its first cyberstrategy to drive change and govern operations. By analogy, firms can set clear, strategic cybersecurity goals and objectives (goals that have often outgrown an IT department’s capabilities and core focus) and appoint a dedicated chief security officer (CSO) or chief information security officer (CISO) to run a security team.
A good cyberstrategy starts by taking stock of the network and how data is used and stored. The strategy needs to account for federal and industry compliance (e.g., HIPAA, GDPR) as well as the regulations (e.g., breach notification requirements) of every state in which the firm operates. It should also estimate the resources needed to implement changes and lay out next steps. Mapping it all out and implementing the strategy is crucial, and security experts need to be at the helm, not the IT department.
2) Invest in technology and resiliency measures like micro-segmentation.
Gone are the days of putting your trust in anti-virus software alone and assuming that some systems can’t be hacked. Cyberspace is vulnerable, period. Firms require a layered set of security technologies to protect their enterprise at every point of vulnerability.
What does that mean in practice? In 2018, the new security stack includes multi-factor authentication to secure user access, best-in-class firewalls (including phishing protection) to protect the network perimeter, intrusion detection systems to monitor network behavior, and encryption for data at rest and in motion. Finally, firms should invest in resiliency measures like micro-segmentation to prevent malicious actors from moving laterally through a cloud environment. Micro-segmentation increases application visibility and flags anomalous behavior so that firms can stop intrusions quickly. An intruder may be able to gain initial access to three or four servers, but with micro-segmentation they won’t be able to move across a data center and touch every other server. Stopping the intruder in their tracks drives down impact.
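To make the lateral-movement point concrete, here is an added example (not from the original article or any vendor product) that models a constructed, hypothetical data center as per-host allow-lists and measures how far an intruder who has compromised one or two servers can spread under a flat network versus a micro-segmented one; it also shows the policy-violation alerts that segmentation visibility produces. Host names, rules and observed flows are all assumptions made up for the illustration.

```python
from collections import deque

# Constructed inventory of a hypothetical firm data center (assumption, not from the article).
HOSTS = ["web-1", "web-2", "app-1", "app-2", "dms-db",
         "email", "backup", "hr-files", "finance-db"]

# Flat network: every host may reach every other host (the pre-segmentation state).
FLAT_POLICY = {src: {h for h in HOSTS if h != src} for src in HOSTS}

# Micro-segmented policy: explicit allow-list per workload (constructed example rules).
# Anything not listed is denied, including the reverse direction of a listed flow.
SEGMENTED_POLICY = {
    "web-1": {"app-1", "app-2"},
    "web-2": {"app-1", "app-2"},
    "app-1": {"dms-db"},
    "app-2": {"dms-db"},
    "dms-db": set(),
    "email": set(),
    "backup": {"dms-db", "hr-files", "finance-db"},  # backup pulls from these only
    "hr-files": set(),
    "finance-db": set(),
}

# Constructed sample of observed east-west flows, as a segmentation tool would log them.
OBSERVED_FLOWS = [("web-1", "app-1"), ("web-1", "dms-db"),
                  ("app-1", "dms-db"), ("app-1", "hr-files")]


def reachable_from(policy, compromised):
    """Every host an intruder could touch by hopping along allowed flows (breadth-first)."""
    seen = set(compromised)
    queue = deque(compromised)
    while queue:
        host = queue.popleft()
        for nxt in policy.get(host, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(policy, compromised):
    """Fraction of the estate reachable from the initial foothold."""
    return len(reachable_from(policy, compromised)) / len(policy)


def anomalous_flows(policy, flows):
    """Observed flows that the allow-list does not permit: these are the alerts to investigate."""
    return [(s, d) for s, d in flows if d not in policy.get(s, set())]


if __name__ == "__main__":
    for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: foothold on web-1 reaches {blast_radius(pol, {'web-1'}):.0%} of hosts")
    print("alerts:", anomalous_flows(SEGMENTED_POLICY, OBSERVED_FLOWS))
```

Under the flat policy a single compromised web server reaches the whole estate; under the segmented policy the same foothold is confined to the web and app tiers plus the DMS database, and the two off-policy flows surface as alerts.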
3) Partner with outside app developers to improve app security.
Firms can make significant progress by building their own internal defenses. Yet in today’s world, firms also depend on outside software-as-a-service (SaaS) applications and need to partner with contractors to secure the applications they provide. For example, firms often depend on SaaS data management systems (DMS) to store data about their clients. Today the best CISOs work proactively with DMS app developers to meet the firm’s security needs. As the regulatory environment grows more stringent over time, developers may be compelled to meet regulations, but today firms should take the lead and engage developers themselves.
4) Build strong communication and information sharing networks.
Cyberspace crosses organizations through applications and data, and attackers seek to exploit security vulnerabilities and find the weakest links wherever they can. It is impossible for any one organization to see or respond to cyberthreats on its own – particularly when threats escalate to the level of an advanced criminal organization or nation-state. As a start, firms should join the Legal Services Information Sharing and Analysis Organization (LS-ISAO) to develop cooperative partnerships to counter threats. The LS-ISAO fosters solid relationships with key cybersecurity players and facilitates threat announcements, alerts, and updates from the U.S. Computer Emergency Response Team and other agencies. It has ties to the U.S. Department of Homeland Security and other federal agencies, which helps when firms need federal support to counter attacks from nation-states like Russia, North Korea, Iran, or China.
Don’t forget we’re all in this together – knowledge sharing is crucial
The cyberthreat picture has grown darker over the past decade and the regulatory environment has evolved to keep pace. Law firms face tighter demands from clients and from the market to defend their data. These four steps have made a difference for the best firms. There’s no need to boil the ocean to succeed – but with small, important steps, you can change your approach, enhance your organization, and take advantage of affordable security resources. Remember, firms are not alone in the fight to defend data and you shouldn’t forget to look outward to tap external networks, organizations, and security experts to help. Cybersecurity is fundamentally about sharing information and building partnerships to combat the common challenges we all face.