With its recent article entitled "Law Firms are Pressed on Security for Data," the New York Times has once again put cyber security on the front page. The article's primary point is that after years of grousing about law firm security, corporate clients are threatening to withhold legal work from firms that fail to adequately address data security risks.
Scrutiny of law firm data security practices is not new. Indeed, the article cites well-publicized briefings the FBI conducted with major New York law firms beginning in 2011. It is also true, however, that steadily rising pressure over the past several years from corporate clients, particularly in the financial services and healthcare sectors, has reached unprecedented levels. As a result, even the more reticent firms have been forced to act.
What Should Law Firms Do?
The real question left unanswered by the NYT article is what a law firm should do to effectively manage data security risks. The simplistic (which is not to say easy) answer is to just conduct some basic vulnerability scans and then invest in technology that purports to provide protection from the bad guys lurking just outside your firewall. To be sure, there are more sophisticated tools on the market today than ever before to protect you from all kinds of attacks and to provide you with an unprecedented degree of visibility into what is happening on your network. The challenge facing firms implementing new security technology is recruiting and retaining people with the requisite skills and experience to effectively manage these tools and, more importantly, to interpret the volumes of data created by network monitoring systems. Moreover, most technology solutions fail to adequately address the more pressing insider threats and the risks caused by negligent behavior by trusted users.
Protecting Against the Greatest Risk
Most organizations have no idea whether they are protecting themselves against the threats that pose the most risk. And that is because they don't truly understand their data security risk profile and therefore cannot develop a sound data security risk management program.
Assessing a law firm's data risk profile is a relatively straightforward process (at least in theory), but is one that few firms engage in before making security investments. A firm looking to define its cyber risk profile should set out to answer three simple questions:
- What data assets should we be trying to protect?
- What are the most realistic threats to those critical assets (including insider threats and accidental loss)?
- How vulnerable are we to those specific threats?
Only after answering these three questions can a firm tackle the all-important final question: "How can we best invest our limited security budget to maximize our defenses against the highest priority threats and minimize enterprise risk?"
There is a reason that firms have not taken this seemingly common-sense approach to addressing data security. While the approach is straightforward enough, it requires significant collaboration by multiple stakeholder groups within the firm. In short, the approach recognizes that data security is more than just an IT problem. For instance, IT resources even at the CIO level would not have the domain expertise or insight into data content needed to identify the critical assets sought in question 1 above.
Certainly firm IT personnel understand generally that "client data" must be protected. But how many understand why? Or what types of client data are most sensitive? Painting a full picture of data risk therefore necessitates input from lawyers, managers and other professional staff in addition to IT.
Answering the second question posed above is often not within the realm of expertise for most IT staff, even those with strong security backgrounds. Most firms do not have the luxury of dedicating staff to threat intelligence research. Certainly many subscribe to threat intelligence services or feeds, but most of them do not provide sufficient contextual information to allow a firm to discern which of the threats pose the most risk to their data.
The key to understanding and assessing threats is to include internal experts who really understand the various types of data in the firm's possession and then to facilitate a process (possibly with an outside threat intelligence expert) to identify the most likely threats to each data type. For instance, a law firm that possesses sensitive IP data belonging to major technology manufacturing clients definitely must be concerned about Chinese attackers attempting to steal that data. A firm that handles a lot of large employment matters, by contrast, may not be as concerned about the Chinese and should instead be more focused on accidental exposures of personally identifiable information.
The final piece in the risk profile puzzle involves identifying the vulnerabilities that create risks. Most firms today engage in some type of vulnerability testing, but often such assessments are purely technical in nature and are conducted by outside firms without any foreknowledge of the firm's systems, or of where critical data resides. To get the most out of a vulnerability assessment, the assessor should focus on vulnerabilities that could expose the firm to the specific threats identified in the preceding step. Also, the assessment should go beyond identifying technical vulnerabilities such as unpatched servers or open firewall ports and look more deeply at policies, procedures and user behavior that can heighten exposure to attack vectors such as spear phishing and other social engineering tactics. In addition, for many firms, vendor vulnerabilities are the wildcard in defining a risk profile. It is critical for firms to identify vendors that process, store or have access to critical firm and client data. What you don't know can definitely hurt you.
Designing an Enhanced Security Program
Once these questions have been answered, a firm will have a solid foundation upon which to design an enhanced security program that will remediate the vulnerabilities that create the most risk and ensure that ongoing security spending on monitoring and maintenance is focused where it's needed most. It is only at this point that firms should go shopping for the right mix of people and technology to go along with the process they have developed. Many firms will decide that managing all aspects of data security using internal resources is impractical and will opt to seek outside assistance in managing security. This is a sensible approach, so long as the firm's risk profile has been properly defined in advance so that outsourcing risks may be properly evaluated.
In the end, the law firm's Executive Committee and CIO should consider whether they are prepared to respond to a hypothetical loss or inadvertent disclosure of confidential client data. In such a situation, the law firm would be in a much better position to defend itself and respond to the client (and potentially regulators or law enforcement) if it could establish that it had undertaken a thorough and comprehensive review of its technology systems and all of its policies and procedures related to data protection and the handling of confidential client data, and that the design of its data protection systems and processes had been validated by experienced third party experts. Such a comprehensive cyber risk review and third party validation would not only be useful in confronting the hypothetical loss of confidential client data; being proactive about such a review would also give the law firm a true competitive advantage with the large corporate clients who are similarly grappling with the challenges of cyber security.