Companies are moving email, documents and client data to the cloud at an increasing rate, and law firms have to work harder than ever to mitigate cybersecurity threats. A firm’s security program needs to meet a wide range of capabilities: a modern enterprise security perimeter, good data hygiene, cloud-first identity management capability, micro-segmentation, robust monitoring and alerting that covers cloud environments, and a rigorous patch management process to ensure systems and client data are not put at risk.
This week I had the opportunity to attend LegalSec Summit. The annual event focuses on the information security challenges faced by the legal industry and is designed for technology professionals at every level. The summit kicked off with a keynote reminding the attendees of the Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, which “requires lawyers to keep clients ‘reasonably informed’ about the status of a matter and to explain matters ‘to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.’”
In 2012, the American Bar Association added amendments to address the rising use of technology by lawyers. These provisions—requiring notification when there is a “substantial likelihood” of client information involvement in a breach—have raised the bar for law firms. Increasing security compliance demands, coupled with the rapidly expanding cloud and the IoT universe, have forever changed the way law firms govern, design and operate a security program to meet the needs of their clients.
However, one keynote speaker at the summit referenced a study claiming that law firms spend dramatically less on security (no more than 5% of their total IT budget) than traditional IT departments who allocate between 5%-20% of their IT budget to security. With data and systems spreading from traditional on-premise data centers to the cloud, complexity and risk are increasing. Legacy security perimeters must be extended to include cloud and IoT to create a “modern enterprise security perimeter” to support the “digital lawyer” of tomorrow.
Figure 2 – Modern Enterprise Security Perimeter
What is the Digital Lawyer?
The digital lawyer of the future is one who understands the digital landscape in which their clients conduct business. A successful digital lawyer makes optimal use of technology and knows that they are in the information business as much as the legal business—and information is money. Where there is money there is crime, and law firms are a prime target for hackers seeking to exploit valuable digital assets for financial gain.
Law firms are a target, and the market for exploits is growing less expensive
Hackers place a high value on access to classified information belonging to a law firm or their clients. The Dark Web is full of exploits, or hacks that take advantage of unpatched bugs or vulnerabilities in a system. Most of these are extremely low-cost—with a few exceptions like zero-day exploits, which can range from $5K-$350K per exploit. Very inexpensive ransomware, sold as a kit and offered in an affiliate model, only costs around $66 per user and hackers get a 30% cut of the profits from a successful ransom.
Figure 3 – Cost of attack Services according to Microsoft
The bottom line is that if someone wants to gain access to your systems, they can purchase an exploit to make that happen. It’s important for law firm leadership to employ a powerful monitoring and alerting platform so that zero-day exploits are detected and detained when they strike. With well-designed micro-segmentation, routine systems patching and a robust identity management platform, law firms can feel confident that their systems remain secure.
What should your security program design look like?
There is a great cybersecurity handbook for law firms that was published in 2017 by the ABA Cybersecurity Legal Task Force. It addresses the current overarching threat, describes how the technology works, outlines key legal requirements and ethical issues, and highlights special considerations for lawyers and practitioners of all types. It states that a firm should design their program with the following:
- Governance and Strategy: Asset inventory, protection efforts, regulatory requirements and insurance
- Cyber Preparedness: Security awareness training, employee alerts, testing and friendly attacks
- Administrative, Technical and Physical Measures: Logging and monitoring, patching, and upgrades to user and application controls
- Vendor Management: Risk assessment, contracts, access controls and incident response, and SOC II
- Incident Response and Threat Intelligence: Reporting requirements, notification, remediation and threat sharing
- Data Recovery and Business Continuity: Resilience planning, data backups, and testing and recovery services
- Continual Process Improvement: Firm adaptation, industry observation and continual improvement committees
Firms follow this process to develop the approach to formulating their security program design:
Are you secure or just compliant?
In my travels and discussions with law firm leadership about their security program, I encounter two types of mentalities:
- I will invest to be “Compliant”: Their view is that they will evolve their security programs just enough to meet the minimum demands for client security audits to win or sustain existing business.
- I will invest to be Secure: Their view is that IT security is their firm’s job. They go above compliance to differentiate themselves by being at the forefront of investments in security programs, people, processes and technology.
Unfortunately, most law firm leadership today still falls into the “I will invest to be compliant” category. While these firms usually want to be secure, they tend to be chronically under-resourced, lack engagement from the executive team, and take a reactive approach to investing in security programs for their business.
Reactive IT might meet short-term compliance requirements, but proactively addressing potential threats is the only way to ensure long-term security. Firms with an engaged leadership team, robust end-user security training and programs designed to support the digital lawyer will find that they are the ones to pull ahead of the pack and differentiate in years to come.