Prioritizing e-Mail Security in the Legal Sector

A Client Concern

More and more law firms are investing in e-mail security services, but they're not doing so spontaneously; the push is often coming from their clients. In the American Bar Association's (ABA) recently released Legal Technology Survey, 34% of law firms with 100 or more employees said that they were being requested by clients to have cybersecurity audits performed on their systems.

When you consider what's at risk in the client-attorney relationship, it's easy to see why. Say your firm practices patent law, and one of your clients is filing a patent on a brand-new smartphone design to rival Apple's iPhone. If a hacker were to breach that firm's security and obtain the client's patent application and product design, he could then shop it around to other phone manufacturers. Suddenly your client is out of a multimillion-dollar idea, and your reputation has taken an irreparable hit in the process.

Or, imagine if the details of a case were compromised and leaked to the opposition. Now the other side has your entire legal playbook in advance. Half of any trial case is being able to blindside your opponent; without that element of surprise as to your evidence or witnesses, the other side can easily anticipate how you plan to defend your client and build a counter-strategy around it.

In these situations, while the client may be the ultimate target, it's the legal firm that the hackers work through. The firm is effectively a subcontractor to the client so hacking into the firm's systems can give access to its clients' valuable information.

Consequently, it's the clients who are now pushing for legal firms to have the utmost e-mail and cybersecurity protection in place before giving them their case ' not just the typical virus scanning software, but more adept content control services, firewalls and encryption protocols.

The Firm's Reputation

The other principal driver behind the legal sector's shift to more sophisticated cybersecurity is, frankly, concern for their own reputations. For instance, when major household names like Target are breached, customer traffic or trust in that brand drops off for a short period, though eventually the incident is forgotten or forgiven if it's handled appropriately by the company that's been breached. See, “Target Data Breach Has Lingering Effect on Customer Service, Reputation Scores,” Marketwatch. Law firms don't have that same luxury. If a firm suffers a data breach and client information ' information that is expected to be held in complete confidence ' is exposed, the client is unlikely to forget or forgive that but rather moves on to a different firm for representation.

When a firm tries to attract a new client or land a new case, they do so by promising a guaranteed element of trust and confidentiality. A data breach forces a firm to break that promise, which not only potentially loses the client who was affected, but can also deter future potential clients from seeking out that firm's services. The reputational and financial ripple effects of a data breach stretch far too wide for legal firms to ignore.

Traditional Cybersecurity Isn't Enough

It may be tempting to think that if your IT department already has cybersecurity in place, then there's no cause for concern. But traditional security protocols don't cut it anymore ' cyber criminals have become increasingly sophisticated in how they breach systems and are using new attack methods with which traditional approaches were not designed to cope.

Spear-phishing has changed the game for cybercrime, and has made it easier than ever for hackers to trick employees ' not just at law firms, but virtually any company ' into giving up sensitive information. It's not as obvious as the classic “please help me get money out of my country” scam, where the contents of the e-mail and the request to click on a link or download an attachment are very clearly bait. Now, hackers will concoct fake e-mail domains with fake websites behind them to circumvent typical e-mail safeguards. These will often look and sound legitimate (how many people can spot a fake e-mail domain name anyway?), and the hacker may even tailor the e-mail to the victim using personalized information.

For instance, imagine if a hacker looked up your firm's LinkedIn page, found the name of a paralegal or associate who used to work there and then put together a fake e-mail address for that person. They might then e-mail someone in the firm under that person's name, looking to catch up, grab lunch sometime and, innocently tucked into the message, ask for a job reference that requires clicking on a link. It's one thing to completely ignore suspicious e-mails from strangers, but when it's from someone that ostensibly you know and used to work at your firm, it's not as obvious.

In typical cases, if a malware-infected link was coming to you in an e-mail, then your system should be flagging it as harmful. But in the age of spear-phishing, the link coming to you at first may redirect users to a completely harmless website ' and once the e-mail has cleared your system (requiring the hackers to only wait an hour or two, or maybe even just a few minutes), they'll replace the website to which the link redirects. This Trojan horse method ensures that innocent e-mails that make it to your Inbox, sent by a name you might recognize, can be retooled into anything-but-innocent ones after the fact. This is all done to fool someone in your firm into clicking on what he thought was a legitimate link but ends up setting off a chain reaction of malware infections and, ultimately, results in a data breach.

Lawyers may be aware of how important cybersecurity is, but there's an alarming disconnect between that awareness and knowledge of how protected their own firms are. More than 80% of the 100+ employee firms polled by the ABA said they weren't sure if they had cyber liability insurance, and 52% said they didn't know if their clients had ever asked for a cybersecurity audit. Additionally, 77% of firms with at least 500 employees said they didn't know if they had ever had their cybersecurity inspected in a third-party assessment, and 57.6% of firms with 100 to 499 employees said the same. See, “ABA Survey: Data Breaches Rising at Large Firms,” Bloomberg BNA.

Why the Cloud Still Needs A Back-Up Security Layer

More businesses are migrating to cloud platforms like Microsoft Office 365 and Google Apps, which offer the convenience of consolidating files, contacts and other important information into a single, easy-to-access storage space. But this move to the cloud presents some new security considerations ' concerns that have made a number of firms wary of making the transition.

If everyone is using the same security stack, everyone gets the same protection. So relying solely on Office 365 or Google, for that matter, means you are putting all of your data and security eggs into one basket, along with thousands of other firms. And the hackers know this too, making these cloud e-mail services irresistible to them. Nothing is more attractive to cyber criminals than the idea that they only have “one-lock-to-pick” to gain entry to the information of many different attorneys and clients. After all, it's so much more efficient than trying them one at a time. But, this means that in the event of a virus attack or spear-phishing attempt, it's not just one user that's affected, it's an entire community of businesses in that environment that are being infected.

Cloud e-mail services may offer great advantages, cost benefits and convenience, but failing to complement the primary e-mail server with additional security and data storage makes law firms dangerously susceptible to the real-world consequences that a cyberattack or system failure can have on their ability to represent their clients' interests or take on new clients. To avoid these risks, it's crucial to start thinking about adding secondary protection to ensure backdoor entry points and potential vulnerabilities are being covered.

The threat isn't just limited to data security, either. If you rely on a single vendor e-mail service, and a cyberattack disrupts that for an extended period of time, your firm may suddenly become deprived of e-mail access. For attorneys, working without e-mail isn't just a worst-case scenario, it's virtually impossible. An e-mail outage ' caused by a phishing attack, malware embedded in an e-mail or otherwise ' would bring cases grinding to a halt. That's why e-mail provider downtimes are becoming growing concerns with popular platforms like Office 365 and need to be addressed.

Planning for Cybersecurity Risks Today to Avoid Disasters Tomorrow

As often as data breaches and spear-phishing attacks occur today, some law firms still think it will never happen to them. But unfortunately, you have no control over whether or not a hacker may target your firm someday; what you can control is what happens next. And when you consider that nearly one in four law firms suffer a data breach, and 47% of all firms don't have a response plan in place for dealing with a security breach (see, http://tinyurl.com/q4k6og9 (registration required)), the prospect of going forward without an added layer of e-mail security protection to complement your infrastructure may be too much like tempting fate.

Mounil Patel is vice president, strategic field engagement for Mimecast, where he's responsible for program and practice management of global field sales and pre-sales organizations. Mounil previously was global practice director for EMC's telco, media and entertainment division, and held management positions at Iron Mountain, Endeca Technologies and Phase Forward Incorporated.

Data breaches and cyberattacks aren't new occurrences, but it can sometimes feel like they are. It's only in the last few years that we've seen these attacks make headlines more and more, increasing in both quantity and impact.

Even more disconcerting is how routine these incidents have become: hackers gain access to a company or government agency's database; they procure the personal and sensitive business information of thousands, if not millions, of people; and they either turn around that information onto the black market or keep it for their own use, putting millions of victims at risk of identity fraud or, in the case of businesses, competitive risk. And now, unsurprisingly, cybersecurity has shot up the priority list for many organizations.

We've seen such a shift occur in the legal market. Up until about three years ago, the chief IT issue that law firms struggled with was an overabundance of e-mail. It's not an exaggeration to say that e-mail is the lifeblood for law firms and many other service industries; it's what enables attorneys to remain in quick and constant contact with their clients and paralegal teams, whether in the office, on the road or in court. With that comes bloated e-mail inboxes that need streamlining and proper archiving in order for more efficient use. But more recently, law firms have been gradually shifting their emphasis from e-mail volume to e-mail security as their top IT priority, largely for two reasons.

A Client Concern

More and more law firms are investing in e-mail security services, but they're not doing so spontaneously; the push is often coming from their clients. In the American Bar Association's (ABA) recently released Legal Technology Survey, 34% of law firms with 100 or more employees said that they were being requested by clients to have cybersecurity audits performed on their systems.

When you consider what's at risk in the client-attorney relationship, it's easy to see why. Say your firm practices patent law, and one of your clients is filing a patent on a brand-new smartphone design to rival Apple's iPhone. If a hacker were to breach that firm's security and obtain the client's patent application and product design, he could then shop it around to other phone manufacturers. Suddenly your client is out of a multimillion-dollar idea, and your reputation has taken an irreparable hit in the process.

Or, imagine if the details of a case were compromised and leaked to the opposition. Now the other side has your entire legal playbook in advance. Half of any trial case is being able to blindside your opponent; without that element of surprise as to your evidence or witnesses, the other side can easily anticipate how you plan to defend your client and build a counter-strategy around it.

In these situations, while the client may be the ultimate target, it's the legal firm that the hackers work through. The firm is effectively a subcontractor to the client so hacking into the firm's systems can give access to its clients' valuable information.

Consequently, it's the clients who are now pushing for legal firms to have the utmost e-mail and cybersecurity protection in place before giving them their case ' not just the typical virus scanning software, but more adept content control services, firewalls and encryption protocols.

The Firm's Reputation

The other principal driver behind the legal sector's shift to more sophisticated cybersecurity is, frankly, concern for their own reputations. For instance, when major household names like Target are breached, customer traffic or trust in that brand drops off for a short period, though eventually the incident is forgotten or forgiven if it's handled appropriately by the company that's been breached. See, “Target Data Breach Has Lingering Effect on Customer Service, Reputation Scores,” Marketwatch. Law firms don't have that same luxury. If a firm suffers a data breach and client information ' information that is expected to be held in complete confidence ' is exposed, the client is unlikely to forget or forgive that but rather moves on to a different firm for representation.

When a firm tries to attract a new client or land a new case, they do so by promising a guaranteed element of trust and confidentiality. A data breach forces a firm to break that promise, which not only potentially loses the client who was affected, but can also deter future potential clients from seeking out that firm's services. The reputational and financial ripple effects of a data breach stretch far too wide for legal firms to ignore.

Traditional Cybersecurity Isn't Enough

It may be tempting to think that if your IT department already has cybersecurity in place, then there's no cause for concern. But traditional security protocols don't cut it anymore ' cyber criminals have become increasingly sophisticated in how they breach systems and are using new attack methods with which traditional approaches were not designed to cope.

Spear-phishing has changed the game for cybercrime, and has made it easier than ever for hackers to trick employees ' not just at law firms, but virtually any company ' into giving up sensitive information. It's not as obvious as the classic “please help me get money out of my country” scam, where the contents of the e-mail and the request to click on a link or download an attachment are very clearly bait. Now, hackers will concoct fake e-mail domains with fake websites behind them to circumvent typical e-mail safeguards. These will often look and sound legitimate (how many people can spot a fake e-mail domain name anyway?), and the hacker may even tailor the e-mail to the victim using personalized information.

For instance, imagine if a hacker looked up your firm's LinkedIn page, found the name of a paralegal or associate who used to work there and then put together a fake e-mail address for that person. They might then e-mail someone in the firm under that person's name, looking to catch up, grab lunch sometime and, innocently tucked into the message, ask for a job reference that requires clicking on a link. It's one thing to completely ignore suspicious e-mails from strangers, but when it's from someone that ostensibly you know and used to work at your firm, it's not as obvious.

In typical cases, if a malware-infected link was coming to you in an e-mail, then your system should be flagging it as harmful. But in the age of spear-phishing, the link coming to you at first may redirect users to a completely harmless website ' and once the e-mail has cleared your system (requiring the hackers to only wait an hour or two, or maybe even just a few minutes), they'll replace the website to which the link redirects. This Trojan horse method ensures that innocent e-mails that make it to your Inbox, sent by a name you might recognize, can be retooled into anything-but-innocent ones after the fact. This is all done to fool someone in your firm into clicking on what he thought was a legitimate link but ends up setting off a chain reaction of malware infections and, ultimately, results in a data breach.

Lawyers may be aware of how important cybersecurity is, but there's an alarming disconnect between that awareness and knowledge of how protected their own firms are. More than 80% of the 100+ employee firms polled by the ABA said they weren't sure if they had cyber liability insurance, and 52% said they didn't know if their clients had ever asked for a cybersecurity audit. Additionally, 77% of firms with at least 500 employees said they didn't know if they had ever had their cybersecurity inspected in a third-party assessment, and 57.6% of firms with 100 to 499 employees said the same. See, “ABA Survey: Data Breaches Rising at Large Firms,” Bloomberg BNA.

Why the Cloud Still Needs A Back-Up Security Layer

More businesses are migrating to cloud platforms like Microsoft Office 365 and Google Apps, which offer the convenience of consolidating files, contacts and other important information into a single, easy-to-access storage space. But this move to the cloud presents some new security considerations ' concerns that have made a number of firms wary of making the transition.

If everyone is using the same security stack, everyone gets the same protection. So relying solely on Office 365 or Google, for that matter, means you are putting all of your data and security eggs into one basket, along with thousands of other firms. And the hackers know this too, making these cloud e-mail services irresistible to them. Nothing is more attractive to cyber criminals than the idea that they only have “one-lock-to-pick” to gain entry to the information of many different attorneys and clients. After all, it's so much more efficient than trying them one at a time. But, this means that in the event of a virus attack or spear-phishing attempt, it's not just one user that's affected, it's an entire community of businesses in that environment that are being infected.

Cloud e-mail services may offer great advantages, cost benefits and convenience, but failing to complement the primary e-mail server with additional security and data storage makes law firms dangerously susceptible to the real-world consequences that a cyberattack or system failure can have on their ability to represent their clients' interests or take on new clients. To avoid these risks, it's crucial to start thinking about adding secondary protection to ensure backdoor entry points and potential vulnerabilities are being covered.

The threat isn't just limited to data security, either. If you rely on a single vendor e-mail service, and a cyberattack disrupts that for an extended period of time, your firm may suddenly become deprived of e-mail access. For attorneys, working without e-mail isn't just a worst-case scenario, it's virtually impossible. An e-mail outage ' caused by a phishing attack, malware embedded in an e-mail or otherwise ' would bring cases grinding to a halt. That's why e-mail provider downtimes are becoming growing concerns with popular platforms like Office 365 and need to be addressed.

Planning for Cybersecurity Risks Today to Avoid Disasters Tomorrow

As often as data breaches and spear-phishing attacks occur today, some law firms still think it will never happen to them. But unfortunately, you have no control over whether or not a hacker may target your firm someday; what you can control is what happens next. And when you consider that nearly one in four law firms suffer a data breach, and 47% of all firms don't have a response plan in place for dealing with a security breach (see, http://tinyurl.com/q4k6og9 (registration required)), the prospect of going forward without an added layer of e-mail security protection to complement your infrastructure may be too much like tempting fate.

Mounil Patel is vice president, strategic field engagement for Mimecast, where he's responsible for program and practice management of global field sales and pre-sales organizations. Mounil previously was global practice director for EMC's telco, media and entertainment division, and held management positions at Iron Mountain, Endeca Technologies and Phase Forward Incorporated.