Practical Advice for Law Firms in the Hot Seat on Data Security

Scrutiny of law firm data security practices is not new. Large law firms have been the targets of major hacking events, putting client information at risk and contributing to insider trading. Add to that the steadily rising pressure from corporate clients, particularly in the financial services and healthcare sectors, and even the more reticent firms have been forced to act.

What Should Law Firms Do?

As more law practices find data security on their list of priorities, the natural first question is "where do we start?"

The simplest answer is:

  1. Find your firm's vulnerabilities
  2. Invest in technology that addresses those vulnerabilities

There are more sophisticated tools on the market today than ever before to protect you from all kinds of attacks and to provide an unprecedented degree of visibility into what is happening on your network. The challenge facing firms is recruiting and retaining people with the requisite skills and experience to effectively manage these tools and, more importantly, interpret the volumes of data created by network monitoring systems. Moreover, most technology solutions fail to adequately address the more pressing insider threats and risks caused by negligent behavior by trusted users.

Protecting Against the Greatest Risks

Most organizations have no idea whether they are protecting themselves against the threats that pose the most risk. And that is because they don't truly understand their data security risk profile. Assessing a law firm's data risk profile is a relatively straightforward process (at least in theory), but few firms take this step before making security investments.

A firm looking to define its cyber risk profile should set out to answer three simple questions:

  1. What data assets should we be trying to protect?
  2. What are the most realistic threats to those critical assets, including insider threats and accidental loss?
  3. How vulnerable are we to those specific threats?

Only after answering these three questions can a firm tackle the all-important final challenge: "How can we best invest our limited security budget to maximize our defenses against the highest priority threats and minimize enterprise risk?"

There is a reason firms have not taken this seemingly common-sense approach to addressing data security. While the above approach is straightforward enough, it requires significant collaboration by multiple stakeholders. In short, it recognizes that data security is more than just an IT problem.

Connecting IT to Law Firm Priorities

Certainly, a firm's IT personnel understand generally that client data must be protected. But how many understand why? Or what types of client data are most sensitive?

Even IT staff with strong security backgrounds might have a difficult time answering these questions. Painting a full picture of data risk therefore necessitates input from lawyers, managers and other professional staff in addition to IT. However, most firms do not have the luxury of dedicating staff to threat intelligence research. Certainly, many subscribe to threat intelligence services or feeds, but most of those services do not provide sufficient contextual information to allow a firm to discern which of the threats pose the most risk to their data.

The key to understanding and assessing threats is to include internal experts who really understand the various types of data in the firm's possession and then to facilitate a process to identify the most likely threats to each data type. For instance, a law firm that possesses sensitive IP data belonging to major technology manufacturing clients definitely must be concerned about hackers attempting to steal that data. Meanwhile, a firm that handles a lot of large employment matters may not be as concerned about hackers and should instead be more focused on accidental exposures of personally identifiable information.

Identifying Vulnerabilities

The final piece in the risk profile puzzle involves identifying vulnerabilities that create risks. Most firms engage in some type of vulnerability testing, but often such assessments are purely technical in nature and are conducted by outside entities without knowing the firm's systems or where critical data resides.

To get the most out of a vulnerability assessment, the assessor should focus on what could expose the firm to the specific threats identified. The assessment should go beyond identifying technical vulnerabilities such as unpatched servers or open firewall ports and look more deeply at policies, procedures, and user behavior that can heighten exposure to attacks such as email phishing and other social engineering tactics.

In addition, for many firms, vendor vulnerabilities are the wildcard in defining a risk profile. It is critical for firms to identify vendors that process, store or have access to critical firm and client data.

Designing an Enhanced Security Program

Once these questions have been answered, a firm will have a solid foundation upon which to build an enhanced security program. It is only at this point that firms should go shopping for the right mix of people and technology to go along with the process they have developed.

Many firms will decide that managing all aspects of data security using internal resources is impractical, and will opt to seek outside assistance in managing security. This is a sensible approach, so long as the firm's risk profile has been properly defined in advance and outsourcing risks properly evaluated.

In the end, the law firm's Executive Committee and CIO should consider whether they are prepared to respond to a hypothetical loss or inadvertent disclosure of confidential client data. The firm would be in a much better position to defend itself and respond to the client (and potentially regulators or law enforcement) if it could establish that it had undertaken a thorough and comprehensive review of the firm's technology systems, policies, and procedures. If those data protection systems have been validated by experienced third-party experts, so much the better.

Not only would such a comprehensive cyber risk review and third-party validation be useful in confronting the hypothetical loss of confidential client data, but being proactive about such a review would also give the law firm a true competitive advantage with the large corporate clients who are similarly grappling with the challenges of cybersecurity.