Most Big Law firms have taken significant steps to diligently focus on security programs, due to the advanced security threats and client demands to improve security, says Sanjay Naik, senior managing consultant at IBM Security Services. Generally, firms are inclined to replicate programs that may be working at other similarly-sized shops. That may save time, but in the end, not deliver expected results, he says.

Naik urges firms to consider three classic elements as they approach a cybersecurity program: people, process and technology. To accomplish a pragmatic approach, firms should follow another three-step methodology: assess, plan and execute. This does not mean “rip and replace”—or an extensive change to the IT environment—but it may take considerable time and effort.

Conformance with the ISO 27002 information security standard, CoBIT 5 (control objectives for information and related technology management and governance), or the new NIST Framework for Improving Critical Infrastructure Cybersecurity can help, he said. While data leakage prevention is believed to be Big Law’s panacea, the real challenge is that it takes identification and tagging of client confidential data for a DLP system to work effectively, says Naik. He suggests five controls: data encryption; advanced threat and botnet protection; user activity monitoring and privilege access management; Web and email content management; and digital rights management.

The human factor is crucial, says Seyfarth Shaw senior counsel John Tomaszewski. “A well-staffed IT team can make the choices in vendors, and properly deploy the security tools necessary to maintain an effective and reasonable security posture,” he says.

Vertigrate’s president Michael Lombardi concurs: “There is no substitute for grey matter.” People, equipped with solid security training, can help firms create a holistic view of how to protect client data, he says. By contrast, building a defense around one (or a handful of) security products “can lull firms into a false sense of security, or crush them with an avalanche of log data,” says Lombardi.

Be sure to understand—and actually evaluate—vendors’ security processes and protocols, especially when there is pressure to cut costs, advises Gabriela Baron, senior vice president, Xerox Litigation Services. “I have heard horror stories about firms that hired a ‘local vendor’ to host client data and, months later, when they conducted an onsite visit, realized that their client’s data was being hosted on a server in someone’s garage, next to the dog’s kennel and old paint cans.”

One caveat: Some technology will make it more difficult to interact with clients, so manage client expectations, advises Tomaszewski. “Policies around proper use of email will be necessary to manage the interaction with the client.”

In the end, remember that “the bad actors are real people, not just little bits of malicious code,” says Lombardi. “Depending upon the determination of the attacker, he or she may be able to sneak around the latest firewall, evade the intrusion detection and prevention systems, or obtain a legitimate user’s credentials—but a layered defense approach can slow the attacker down, increase the firm’s chance of detecting the activity, and mitigate any damage if the attacker gets in.”


What will it cost to establish an adequate security program at a typical Big Law firm?

There is no simple answer, says Peter Vogel, a partner at Gardere Wynne Sewell, because firms have different IT and Internet environments. “It could easily cost $200,000 to $500,000, depending on the number of offices, number of countries, and count of desktops.”

Mary Mack, enterprise technology counsel at ZyLAB, says a ballpark bottom line is $750,000 to $1 million to start from scratch.

Costs include:

  • $200,000 for a security professional.
  • $150,000 for external audits/penetration testing—assuming multiple offices and data centers.
  • $100,000 to upgrade software that is not secure.
  • $250,000 for intrusion detection and encryption.
  • $100,000 to modify offices for security (two-factor authentication, doors, cameras, restricted access rooms).
  • $25,000 for courses to certify others in security: IT, litigation support, technology attorneys; plus the internal expense of redeploying individuals to train others on security.

Judy Selby, partner at Baker & Hostetler, says personnel costs alone will rack up. A typical Big Law firm should expect to spend $500,000 to $1 million.

“This would include retention of a CISO (chief information security officer); CPO (chief privacy officer); a network/systems security architect and a security analyst. In addition, firms are making strong six-figure initial investments and incurring ongoing service and maintenance costs for a number of products and services,” Selby says.


Reed Smith’s John Tomaszewski and Seyfarth Shaw’s Gary Becker both provided lists of tech tools to consider:

• Data protection scanning

• Data loss prevention

• Encryption: email, removable media, full disk

• Firewall

• Incident management reporting

• Intrusion detection/prevention

• Network monitoring tools

• Remote wipe and data destruction

• Secure file transfer and transport layer security certificates

• Virtual private networks

• Virus scanning

• Vulnerability scanning software

Monica Bay is the editor-in-chief of Law Technology News and a member of the California bar. Twitter: @LTNMonicaBay.


The cover story from the April 1 issue of Law Technology News: “How to Protect Client Data From Government Spies & Other Miscreants.”