Unfortunately, cybercriminals see law departments and firms as enticing targets: They are replete with financial data, personal information (such as the plaintiff registry in a class action), and the kind of confidential information that tips multimillion-dollar cases. As the ABA (PDF) put it:
Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.
“[I]f you’re [a cybercriminal who is] smart, you’ll go after the lawyers,” write Eric Pesale and Casey C. Sullivan in the New York Law Journal (registration required). “Law firms, due to the nature of their business, are swamped with sensitive documents and many have notoriously poor data security, making them tempting, and potentially lucrative, targets.”
The ABA makes clear in a recent opinion (PDF) that competent representation requires protection of sensitive client information. In this climate, we urge you to hold yourself to high security standards. Look for technology such as end-to-end encryption, fine-grained access control, and best-of-breed platforms that comply with standards like HIPAA, HITECH, PCI and ISO 27001. But also invest some effort in accounting for vulnerabilities in third-party legal service providers and in routine employee behavior (even when employees are off the clock).
Many of the world’s most notorious breaches of personal information, though blamed on the principals, originate with third-party service providers. With the average total organizational cost of a security breach in the U.S. pegged at $7.35 million, the third-party breach has become an especially vexing problem.
In fact, more than 1 in 3 respondents to a recent Ponemon Institute survey (PDF) said their organization had suffered a data breach that resulted in the misuse of sensitive or confidential information, caused by an online attack against one of its vendors. Worse, many respondents (37 percent) didn’t trust their primary vendors to notify them if a breach involved sensitive or confidential information.
By some accounts, vendors are bigger security threats than employees. In its 2017 Data Security Incident Response Report (PDF, registration), BakerHostetler looked at more than 450 security incidents. Vendor wrongdoing was a far bigger cause of successful network attacks than employee wrongdoing, with 15 percent attributed to the former versus 9 percent to the latter. Half of the successful attacks (51 percent) resulted from technical security failure. For ideas on security solutions to demand from vendors, see my previous post.
The Human Factor
Even the best technology is useless if people authorized to handle data fail to exercise due care and do not know how to employ security best practices. While many firms focus on internal security, helping employees stay secure at home is an often-overlooked way to reduce the risk that threats will transfer from home to the workplace.
Why focus on the home? People feel more comfortable at home and treat their infrastructure differently there, often at the cost of security. With corporate data in the cloud and an increasingly distributed workforce, more employees are working from within inherently less secure home networks. However, teaching employees how to make their home network more secure minimizes the risk of breach and enhances efficiency for both employees and employers.
Here are some suggestions for teaching employees how to be more secure by taking lessons learned in the workplace into the home:
Security Updates: Ensure employees enable automatic patching from Microsoft or Apple on their PCs and laptops – this may be the single most important step they take.
Endpoint Protection: You are probably already familiar with “antivirus” software – it periodically scans for known bad file signatures on storage media and in memory. However, continuous endpoint protection is faster and can identify previously unknown, “zero-day” attacks as they emerge via behavioral monitoring and advanced machine learning algorithms. Encourage employees to employ modern solutions such as Sophos Home, which is currently free for up to 10 endpoints.
Content Filtering: Solutions such as OpenDNS (also free for home use) provide filtering categories that put parents in control of what websites children visit at home. Even more important for the enterprise, a good content filter will deny access to websites known to host malware and will block phishing websites that try to steal identity login information by pretending to be a legitimate website.
Password managers: Unlike workplace single sign-on (SSO) systems, which administrators control, consumer-controlled tools like LastPass store and protect employees’ passwords for all of their sites and applications, including the personal ones they access outside work from personal devices.
Encryption: Ensure employees employ encrypted Wi-Fi at home and know how to look for secure networks on the road. Coach them to read icons and URLs to understand the security levels, if any, at the sites they’re visiting.
Multifactor authentication: This extra layer of security requires that users present at least two of the three elements of authentication: 1) something they know (usually a password), 2) something they are (fingerprint, iris scan, or other biometric), and 3) something they have (a one-time code or a secure token).
Security Awareness Training: Law firms, legal departments and vendors should continuously train their personnel to protect confidential information. Lunch-and-learns are good forums for such training, whether live or in webinars. Beyond that, vendors such as Wombat offer excellent tools for ongoing security awareness training online.
As Matt Kelly writes in Legaltech News, “Information risk is, now more than ever, a problem of people more than of perimeters.” Clearly, home computing is essentially erasing those perimeters. Although some employees and vendors are already tuned in to all of these important considerations, others haven’t been exposed to these information security best practices. Since the chances of being targeted and the cost of breach are greater now than ever before, it pays for law firms and corporate legal departments to invest in safeguarding private client information – both in the corporate network and beyond.