Data breach, unauthorized access, a hack. As of late, these words have constantly been in the headlines of news outlets. What do they actually mean for you and your firm? How are your clients impacted? Are there steps that you can take to protect your firm? Here, we will dive into these important questions to provide you with valuable insight to gain a better understanding of the threats your firm is facing and how to prevent them.
Before we begin, we need to define two key terms: hacking and cyberattack. Hacking is the method by which one bypasses or modifies the normal operation of a system through either exploits or vulnerabilities. There are good hackers (white hat hackers), and bad hackers (black hat hackers). A cyberattack is an attack that is primarily carried out through the internet to disrupt, destroy or steal data, or take control of a computer.
Understanding the motives and incentives behind cyberattacks is important to properly combat them. Why do these things happen? There was a time when hacking into a system was done for fun and sport. The ability to have bragging rights and to share the story about what you did to infiltrate a supposedly “impenetrable” system was enough to satisfy most hackers. Unfortunately, those reasons are no longer the motivators that they once were. Present day hacking is used to steal data, leak secretive and proprietary information, create chaos, for political agendas, hacktivism and, most importantly, financial gain.
Your firm has a target on its back. This may be something you don’t realize, but think about the information your firm has in its possession right now. What am I talking about? Think about the actual data of which your firm is currently the steward. What type of data have you collected from outside sources and stored into your document management system (DMS)? What information have you e-mailed between a client or adversary? What information have you used to create a production set?
For example, if your firm practices mergers and acquisitions (M&A), you have information about potential deals involving private companies that may be thinking about an initial public offering (IPO). If you are working on an acquisition involving two publicly traded companies, you have sensitive information before the rest of the public, which is likewise extremely valuable. What will the offer price per share be? How much will company A pay for company B’s shares? This information is invaluable to someone either looking to step in on the deal and make a better offer, or to trade on this insider information. Corporate attorneys will have customer/vendor agreements, corporate structures, private shareholder information, proprietary information, intellectual property and trade secrets. Personal injury and family law practices are a treasure trove of information about individuals. Social security numbers, insurance information, health records and plenty of other personally identifiable information (PII) are readily available for hackers to access. If the wrong people got their hands on this information, your clients would be easily exposed to identity theft.
Unfortunately, as breaches become commonplace, we are becoming desensitized to their repercussions. It is up to you to take these threats seriously, as your firm’s reputation is on the line. Will a potential client want to conduct business with your firm if they find out that you had a data breach? Some corporate clients are also requiring the firms they work with to meet some of their own cybersecurity requirements.
According to the American Bar Association, 22 percent of more than 4,000 respondents in the 2017 ABA TECHREPORT had experienced a data breach, in comparison to 14 percent in 2016. That’s an 8 percent increase over the previous year.
Further, the ABA has stated that:
The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients. (ABA Model Rules 1.1 and 1.6 and Comments.) Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information.
Cybersecurity is composed of layers. There is no magic bullet that will cure all. Security is often seen as an inconvenience—and it can be—but the price that your firm will pay without it will be much higher. Let’s discuss some of the layers that you can implement to secure your firm’s data.
1. User security awareness training and education
The importance of this cannot be stated enough. Your end-users can be the strongest or weakest link when defending your firm against cybersecurity threats. Many attacks are socially engineered to target your users. We’ve seen everything from an e-mail from outside the firm disguised as an e-mail from one of the partners, to a phone call from a hacker pretending to be a member of Microsoft seeking to “fix an urgent issue.” You want to accomplish a few things with security awareness training. You want to reinforce to users exactly who will or will not contact them regarding technical support needs. You need to also educate users on the proper policies and procedures relative to day-to-day activities around the firm. By way of analogy, they say that bank tellers are not trained to spot fake money by being given fake money; they just handle real money so often that they can immediately identify a fake once confronted with it. Drill your policies and procedures into your users so much that they have no choice but to be able to realize when something isn’t right.
2. Multi-factor authentication
This includes everything from logging into a computer while in the office, to checking your e-mails from home. Multi-factor authentication is a combination of something that you know and something that you have or are. Something that you know is your username and password combination. Something that you have is typically a mobile authentication key of some sort. It is done by using your mobile device to either send you a key via text message or through an authentication app, and you use that to complete your sign-in. Something that you are is a biometric feature, such as a fingerprint or retinal scan. You can add more layers on top of this when more security is necessary.
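The "something that you have" factor described above is usually a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app from a shared secret. The following is an added example, not code from the article, showing how a server verifies such a code using only the Python standard library. The base32 secret is the RFC 4226 test-vector secret ("12345678901234567890" in base32), used here only so the output is checkable; a real deployment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret in base32 form (used here only for a checkable demo;
# production secrets are generated randomly per user and stored encrypted).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per TOTP step, the common authenticator-app default
DIGITS = 6       # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """Code an authenticator app would display at the given Unix time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check of a user-submitted code.

    Accepts the current step plus/minus `window` steps to tolerate clock drift
    between the phone and the server, and compares in constant time so that
    timing differences do not leak which digits matched.
    """
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; counter 1
    code = totp(DEMO_SECRET_B32, now)
    print("app shows:", code)
    print("accepted now:", verify_totp(DEMO_SECRET_B32, code, now))
    print("accepted two steps later:", verify_totp(DEMO_SECRET_B32, code, now + 60))
```

A password alone does nothing against a phished or reused credential; the attacker must also hold the device that knows the secret. Two details matter in practice: the acceptance window should be small (one step either side is typical), and a code that has already been accepted should be recorded and rejected on reuse within its window.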
3. Unified threat management (UTM) or next generation firewalls (NGFW)
Your firewalls are your first line of defense. The proper firewall has multiple layers of defenses built into it. Some of these features include, but are not limited to: anti-virus, malware protection, content filtering and intrusion detection/prevention systems. If you can prevent potential attackers from making their way into your network from the onset, that is a win. As this technology matures, developments are being made toward incorporating artificial intelligence into firewalls.
4. Email spam filtering
Every email that goes in or out of the firm should be run through a scanner. This will help catch phishing, conversation hijacking, and malware-filled e-mails before they reach the firm’s end-users. If an internal user’s account has been compromised, the scanner can also pick up an uptick in e-mail volume from that account and block its outgoing messages.
5. Data encryption
All data must be encrypted. All of the latest operating systems have built-in mechanisms to do this. Mobile devices that access firm resources must also be encrypted. Lastly, any sensitive or confidential information that is sent outside the firm needs to be encrypted as well, whether it’s email or production data.
6. Backup and business continuity
You must plan for the worst-case scenario and hope it never happens. If all else fails, and things do go wrong, you will be relieved if you have a backup and business continuity solution in place. A proper backup strategy will incorporate business continuity. Before you go scratching your head, let me fill you in on what business continuity is. It is the ability for you to still successfully run your firm with computing access in the event of a catastrophic event. When such an event happens, it is not only about having the data, but also knowing how fast you can get back to operational status. Every minute that you are offline, your firm is undoubtedly losing revenue. A business continuity solution will reduce that downtime.
7. Third-party vendor security requirements
If you have other vendors who access the firm’s systems, they need to follow protocols set forth by you. Plenty of breaches have occurred because a third-party vendor’s system was compromised. With this in mind, make sure you limit access to only those resources or data that the third party absolutely needs. By doing this, you will have properly limited the attack surface in the event of a breach.
To summarize, there are many things to take into account while you are thinking of your firm’s cybersecurity strategy. The firm’s end-users can be the biggest liability in the network, therefore, deploying solutions to protect them from themselves is an absolute necessity. However, the firm should be empowering its users through education. Users need to be trained on the latest threats, as well as the proper policies and procedures to handle different situations, should they arise. The data in your possession has value, and your firm has a duty to protect it. Finally, your cybersecurity strategy should be constantly reviewed for gaps; you cannot set it and forget it.
Stanley Louissaint is principal and founder of Fluid Designs in Union. Fluid Designs offers comprehensive computer, server and network support services for law firms.