Cybersecurity In the Legal Space: Is Your Organization Prepared?

Employees and email inboxes are the most common attack vector and the weakest link in most legal organizations' cybersecurity armor. Having clear policies about the use of email in the legal workplace is essential, but that alone isn't enough. As the primary entry point for most breaches, employees at all levels of the organization must be properly trained. They must be educated about the specific threats they face and empowered to act as their organization's first line of defense.

Take Specific Measures to Prevent Attacks

Prevention of cybersecurity breaches in law firms and legal departments can be addressed significantly through the following measures:

• Minimize direct access to client data. That means reducing file share access and making data stores immutable (e., uneditable) wherever practical. If people don't have easy access to data, they can't steal it, leak it or crypto-lock it.
• Reduce endpoint access to the Internet. Client data machines, in particular, should be protected from direct access to the Internet whenever possible.
• Aggressively block botnet, spyware and malware sites.
• Deploy multi-factor authentication (MFA) for remote access.
• Establish an audit policy that grants access only on an as-needed basis, and audit all accounts via continuous monitoring.
• Subscribe to monthly security newsletters focused on security breaches, hacking/phishing exploits and other trends to learn how, where and when incidents have occurred. This is essential information for members of the security team and also helps to build a sense of awareness with employees.

For execution of security policies, organizations should consider using the following tools:

• A Web application firewall (WAF) filter monitors and blocks HTTP traffic, malicious requests to and from web applications.
• FIPS 140-2 validated cipher suites with the latest protocols for protects data in transit with strong encryption.
• DDoS mitigation tools help organizations resist or mitigate the impact of distributed denial-of-service attacks on Internet-connected networks that can hinder service performance or shut down a website entirely.
• Intrusion detection and protection systems (IDPS) for network security are used to strengthen monitoring of network and system activities and detect malicious activity.
• Security information and event management (SIEM) tools combine security information management (SIM) and security event management (SEM) for real-time analysis of security alerts generated by applications and network hardware. In addition to providing SIM and SEM functionality, these tools are used for log management, managed security service (MSS) and security as a service (SECaaS), which include authentication, anti-virus, anti-malware/spyware, intrusion detection, penetration testing, security event management and other tools.

To coordinate organize and coordinate security measures, every legal organization should have a security operations center (SOC) team that focuses on security requirements and incidents, and is responsible for company-wide awareness. I have already touched on the importance of training every employee on the appropriate use of email. But that's only a beginning. Role-based security and awareness training should be mandatory. I emphasize "role-based" because each role in an organization implies a different level of access, a different knowledge base and a different skillset. Security and awareness training must be tailored to each person's role.

Leverage Cloud Computing for Data Security

As recent as a few years ago, many CIOs were wary of the cloud because of security concerns. Today, the opposite is true. Moving to and operating in the cloud actually forces better thought processes about security. The cloud gives organizations greater control around data access and should be among the highest priorities for legal organizations seeking to improve their data security processes and policies. Most cloud providers offer advanced network security monitoring tools, security events logging and intrusion detection and prevention systems. Web application-specific firewalls built into most cloud systems monitor data coming into individual applications and warn users about any specific vulnerabilities related to an application to watch out for. Data encryption at rest and in-transit is a must as well, as are key management services ensuring there is total ownership of data from creation to deletion.

The cloud is well-suited to reducing downtime resulting from a cybersecurity event. It offers high availability and multi-level resiliency to ensure internal connections and service will never go down — if one server goes down, another comes up automatically. The cloud also offers region-wide resiliency, which means you can quickly bring up servers in another region if you have a large outage across, say, the Eastern seaboard.

While public cloud providers like Amazon Web Services (AWS) have a wealth of robust security tools built-in, they are not inherently more secure than private or hybrid clouds.  A number of major incidents over the past few years — including breaches at Uber, Time Warner and, most recently, at Capital One — all occurred within AWS. Some argue that private clouds tend to be safer by virtue of the fact that they offer a higher level of anonymity.

Whatever type of cloud they choose, most legal organizations will find that both the cost of ownership and the level of risk are significantly reduced when they turn to a cloud provider instead of trying to implement all these measures on their own, since most law firms can't cost-effectively dedicate the same level of resources to security. In evaluating a cloud provider or vendor who provides cloud-based services, firms should make sure they vendor has the right mix of compliance and security protocols in place. Operating in the cloud inherently forces organizations to develop well-defined security processes and protocols, and gives them greater control around data access and security.

Embrace Compliance Standards and Frameworks

Legal organizations considering a move to the cloud should look for providers that have earned System and Organization Controls (SOC) 2 Type II certification. SOC-certified organizations have been audited by an independent certified public accountant who has determined the organization has appropriate safeguards and procedures in place.

Law firms and legal departments would do well to embrace compliance exercises like SOC — as well as others standards like SSAE 18, ISO 27001 and FedRAMP, where appropriate — to identify the areas of weakness and lay the foundation for safer protocols across the organization. To complete those multi-step accreditations, organizations are forced to evaluate every part of their technology infrastructure and security protocols in every department.

Finally, effective prevention mandates that legal organizations work only with vendors that can demonstrate they, too, are serious about compliance and have well-documented incident response plans. It is increasingly common for clients to require the firms they hire to thoroughly document security protocols. Firms should expect the same of existing and prospective services and technology providers.

Conclusion

Ensuring compliance with security frameworks is a long-term commitment whose aim should be to improve processes incrementally, year by year. The vast majority of legal services providers will be best served by turning to outside security professionals for help managing the details, which are voluminous and complex, and by participating in industry-standard certification programs to ensure ongoing compliance.

*****

Sundhar Rajan is Chief Information Security Officer for Casepoint. He oversees and is responsible for information security, maintaining security compliances, global infrastructure, all cloud initiatives, and proactive compliance security monitoring. Prior to joining Casepoint, Sundhar spent more than nine years at the AM Law 100 firm, Crowell and Moring LLP, where he was the Manager of Network Operations. Sundhar brings over 18 years of experience working in information security, leading network security teams, and building highly scalable application infrastructure.