According to the New York Times, global banking institutions are increasingly pressing outside law firms to demonstrate they are employing top-tier technologies to defend against cyber hackers. See, “Citigroup Report Chides Law Firms for Silence on Hackings.” In some cases, firms are being asked to fill out 60-page questionnaires detailing their cybersecurity measures in minute detail, while others must consent to on-site inspections.
Although perhaps extreme, the above examples demonstrate just how seriously banks are taking the threat of cyber crime and why the firms they work with must do the same. Below are five recommendations that will help your firm meet the stringent requirements coming from the banks, while also ensuring all client data stays out of the wrong hands.
1. Identify Where Sensitive Data Is At Risk
Your clients will ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where confidential client data, including information contained on mobile devices, could be at risk. You don't have to conduct this risk assessment yourself. Proven services on the market can quickly help you understand all locations where sensitive client data lives within your firm and how it's being used.
2. Don't Rely on the Traditional Network Security Focus
Almost all large law firms have security programs that start and end “on the network.” Why? Because it's easier. Racking a security device on the network causes very little organizational friction. Yet the IT teams in these firms then spend almost every day purposely plugging holes in the network. VPNs are a common example; their widespread use makes them popular targets for hackers due to the high number of potential entry points and often lax attitude toward security from users.
These inevitable holes mean the network will always be vulnerable to attackers. Add to this the fact that many lawyers operate in a mobile environment and demand access to sensitive information on their phones and tablets, devices that traditional network security measures don't protect. A layered approach to security is becoming increasingly important for law firms, with device-focused technologies such as mobile device management (MDM) playing a pivotal role.
3. Focus on Data Protection Solutions
According to Forrester: “In this new reality, traditional perimeter-based approaches to security are insufficient. Security and Risk (S&R) professionals must take a data-centric approach that ensures security travels with the data regardless of user population, location, or even hosting model.” (“The Future of Data Security: A Zero Trust Approach,” John Kindervag, Heidi Shey, and Kelley Mak, June 5, 2014.)
Several proven data protection solutions on the market ensure security travels with the data. Called Data Loss Prevention (DLP), these types of solutions help classify data, put a usage policy against it and strictly enforce it. DLP is no longer optional for any firm wanting to protect sensitive client data. This is the reality of the hacking environment in which we now live and work.
If you make it fractionally harder to steal sensitive client information, or render the data useless once outside the network, hackers will move to another law firm that presents an easier target. Several leading analyst firms, including the above-mentioned Forrester, are changing the conversation when it comes to data protection. As data remains the target and it's being accessed through more devices than ever before, protecting that data must be at the core of any law firm's security approach.
4. Consider Using a Managed Security Provider
A way around challenges associated with implementing advanced data protection strategies is to hire a Managed Security Provider. These companies have deep DLP expertise and proven infrastructure, meaning you can concentrate on your business while they keep your data secure. They can also improve your security posture much faster than if you implement data protection solutions yourself. Especially for already stretched IT teams, Managed Security Providers allow firms to be confident that their clients' data is being protected without taking valuable staff time.
5. Go Beyond Traditional Security Training
Employee security awareness is a critical step to protect client data. The key to effective employee security training is to go beyond slideware and annual refreshers. Innovative companies are using the prompting functionality in technologies to help employees self-correct data use issues. For example, a customer recently reported an 85% decrease in data use policy violations after six months of using real-time, pop-up dialogue box prompts. Sometimes employees need a simple reminder of corporate policy, and how they can adhere to it.
Conclusion
Corporations will increasingly demand that law firms show proof of ongoing security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realizing that the weakest link in their security posture may not be within their walls but inside the walls of those with whom they choose to do business. If you follow these steps, not only will you be able to demonstrate how you're protecting their data, you'll also be in a position to use your advanced security posture as a differentiator with new clients.