
Cybersecurity In the Legal Space: Is Your Organization Prepared?

By Sundhar Rajan
September 01, 2019

Despite numerous reports of data breaches at law firms over the past decade, a warning from the FBI that hackers are specifically targeting international law firms, and increasing pressure from clients to address cybersecurity concerns, legal services providers on the whole have so far failed to respond adequately to the scope and urgency of the problem. The ABA's 2018 Legal Technology Survey Report reveals that only about half (53%) of lawyers say their firms have a policy to manage the retention of information/data held by the firm, only 25% of respondents report having an incident response plan, and an astonishing 29% report having no security policies at all.

As a measure of basic cybersecurity preparedness by legal professionals, these numbers are alarming. Organizations that continue to be complacent about data security ignore the considerable risks posed by a breach: extended downtime, loss of billable hours, destruction or loss of sensitive data and work product, and the potentially catastrophic costs associated with repairing the damage — both to their technology infrastructure and to their reputation and brand.


Getting Serious About Cybersecurity

It is commonplace in security circles to say it's not a matter of if your organization will experience a breach — it's a matter of when. So how should law firms and legal departments prepare in a way that's commensurate with the risk? First, they need to understand that an effective cybersecurity program can't focus exclusively on preventing attacks or other forms of data loss; having a detailed incident response plan for the mitigation of breaches once they happen is equally, if not more, important. A posture built purely on prevention is almost certain to fail.

Developing an incident response plan forces organizations to establish policies documenting security-related roles and responsibilities, and to identify the tools required for the quickest possible response to a triggering event. Plans need to specify what kinds of events trigger a response and the initial steps the organization will take when that happens, such as isolating workstations and servers and making forensic copies of the affected data before anything is remediated, so that evidence is preserved. Plans also need to spell out exactly how the organization will handle internal and external communications, documentation and reporting. The National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (Special Publication 800-61) serves as a good starting point for legal organizations serious about preparing for the inevitable.
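The "make a forensic copy of the affected data" step above is where many first responders go wrong: a copy that is not hash-verified and documented at acquisition time is hard to defend later. The following is an illustration added to this article, not code from the author or from NIST; it copies a file (or, behind a write blocker, a raw block device) byte for byte, hashes the bytes as they are read, re-hashes the finished image independently, and writes a chain-of-custody sidecar. The paths, the case identifier and the sample evidence file it creates are hypothetical.

```python
"""Forensic copy with hash verification and a chain-of-custody record.

Illustration added to this article, not code from the author or from NIST:
it shows the "make a forensic copy of the affected data" step of an
incident response plan. Paths, the case identifier and the sample evidence
are hypothetical.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat for multi-GB images


def sha256_of(path):
    """Stream-hash a file so that large images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def forensic_copy(src, dst, examiner, case_id):
    """Copy src to dst byte for byte and return a custody record.

    src is opened read-only and never modified. The bytes read are hashed
    on the way through, then the finished image is re-read and hashed
    independently; if the two digests differ the copy is flagged rather
    than trusted. src may be a regular file or, with a write blocker in
    place, a raw block device such as /dev/sdb (hypothetical path).
    """
    h_read = hashlib.sha256()
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_read.update(block)
            fout.write(block)
            size += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # image is on disk before we hash it back
    src_hash = h_read.hexdigest()
    img_hash = sha256_of(dst)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": src,
        "image": dst,
        "bytes": size,
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
    }
    # The sidecar travels with the image; the digests let anyone re-verify later.
    with open(dst + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


if __name__ == "__main__":
    # Constructed evidence file standing in for a seized disk or mailbox export.
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")
    with open(evidence, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    rec = forensic_copy(evidence, os.path.join(workdir, "evidence.dd"),
                        examiner="hypothetical examiner", case_id="CASE-0001")
    print(json.dumps(rec, indent=2))
```

The record's `verified` flag is the thing to check before the original is touched again; if it is false, the acquisition is repeated, not "fixed up". On a live system the same routine can be pointed at a block device, but only through a hardware or software write blocker, since opening the device for reading does not by itself prevent the operating system from writing to it.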


Understand How Most Breaches Happen

Hackers are aware that law firms are soft targets. Because law firms are focused on the business of law, they may not have top-notch security technology in place and their employees typically lack awareness of specific risk scenarios. Firms also handle data that can be extremely valuable to bad actors seeking, for example, to pursue insider trading schemes or gain access to intellectual property.

Employees and email inboxes are the most common attack vector and the weakest link in most legal organizations' cybersecurity armor. Having clear policies about the use of email in the legal workplace is essential, but that alone isn't enough. Because employees are the primary entry point for most breaches, staff at all levels of the organization must be properly trained. They must be educated about the specific threats they face and empowered to act as their organization's first line of defense.


Take Specific Measures to Prevent Attacks

Prevention of cybersecurity breaches in law firms and legal departments can be substantially improved through the following measures:

  • Minimize direct access to client data. That means reducing file share access and making data stores immutable (i.e., uneditable) wherever practical. If people don't have easy access to data, they can't steal it, leak it or crypto-lock it.
  • Reduce endpoint access to the Internet. Client data machines, in particular, should be protected from direct access to the Internet whenever possible.
  • Aggressively block botnet, spyware and malware sites.
  • Deploy multi-factor authentication (MFA) for remote access.
  • Establish an access policy that grants access only on an as-needed basis, and audit all accounts via continuous monitoring so that stale entitlements and dormant accounts are caught rather than accumulating.
  • Subscribe to monthly security newsletters focused on security breaches, hacking/phishing exploits and other trends to learn how, where and when incidents have occurred. This is essential information for members of the security team and also helps to build a sense of awareness with employees.
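The access-policy and continuous-monitoring measures above are only as good as the check that enforces them. The following is an illustration added to this article, not code from the author or from any product the article names. It runs over a constructed file-access log and a hypothetical role-to-matter entitlement table and reports three things a firm's security team would want flagged: an account opening a client matter outside its entitlements, remote access without MFA, and accounts that have gone dormant but still exist. The log format, account names, matter identifiers and every record are made up for the example.

```python
"""Least-privilege and account-activity audit over file-access logs.

Illustration added to this article, not code from the author: the log
format, the role-to-matter entitlement table and every record below are
constructed for this example.
"""
from datetime import datetime, timedelta

# Hypothetical entitlements: which client matters each role may open.
ENTITLEMENTS = {
    "partner":   {"M-1001", "M-1002", "M-1003"},
    "associate": {"M-1001"},
    "paralegal": {"M-1001"},
    "it-admin":  set(),   # administrators keep no standing access to matter data
}

# Hypothetical account directory: user -> role.
ACCOUNTS = {
    "jsmith":     "partner",
    "alee":       "associate",
    "rkhan":      "paralegal",
    "svc-backup": "it-admin",
    "mold":       "associate",   # left the firm; account was never disabled
}

# Constructed audit records: timestamp, user, source (lan/vpn), MFA flag, matter.
SAMPLE_LOG = """\
2019-08-01T09:12:03Z jsmith lan mfa=no matter=M-1002
2019-08-01T09:40:11Z alee vpn mfa=yes matter=M-1001
2019-08-01T10:05:27Z alee vpn mfa=no matter=M-1001
2019-08-01T11:17:45Z rkhan lan mfa=no matter=M-1003
2019-08-01T23:58:02Z svc-backup vpn mfa=no matter=M-1001
"""


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, user, source, mfa, matter = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "source": source,
        "mfa": mfa == "mfa=yes",
        "matter": matter.split("=", 1)[1],
    }


def audit(log_text, now, dormant_after=timedelta(days=90)):
    """Return a list of (finding, user, matter) tuples.

    Findings: unknown-account (log entry for a user not in the directory),
    out-of-entitlement (matter not allowed for the user's role),
    remote-without-mfa (VPN access without MFA), dormant-account (no
    activity within dormant_after of `now`, or never seen at all).
    """
    findings = []
    last_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        role = ACCOUNTS.get(ev["user"])
        if role is None:
            findings.append(("unknown-account", ev["user"], ev["matter"]))
            continue
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev["ts"] if prev is None or ev["ts"] > prev else prev
        if ev["matter"] not in ENTITLEMENTS[role]:
            findings.append(("out-of-entitlement", ev["user"], ev["matter"]))
        if ev["source"] == "vpn" and not ev["mfa"]:
            findings.append(("remote-without-mfa", ev["user"], ev["matter"]))
    # Dormancy is judged against the directory, not the log, so an account
    # that never appears in the log (the departed associate) is still caught.
    for user in ACCOUNTS:
        seen = last_seen.get(user)
        if seen is None or now - seen > dormant_after:
            findings.append(("dormant-account", user, None))
    return findings


if __name__ == "__main__":
    for kind, user, matter in audit(SAMPLE_LOG, datetime(2019, 9, 1)):
        print(f"{kind:20} {user:12} {matter or '-'}")
```

Run against the constructed log with a reference date of 1 September 2019, the audit reports the paralegal opening a matter outside the paralegal entitlement, the backup service account opening matter data it should never touch, two VPN sessions without MFA, and the departed associate's account as dormant; the partner's access to a matter on the partner list is correctly not flagged. The point of keeping the entitlement table separate from the log is that the same check works whether the records come from a file server, a document management system or a cloud audit trail, as long as they can be parsed into the same five fields.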

For execution of security policies, organizations should consider using the following tools:

  • A web application firewall (WAF) monitors HTTP traffic and blocks malicious requests to and from web applications.
  • FIPS 140-2 validated cryptographic modules, used with current protocol versions (TLS 1.2 or later), protect data in transit with strong encryption.
  • DDoS mitigation tools help organizations resist or mitigate the impact of distributed denial-of-service attacks on Internet-connected networks that can hinder service performance or shut down a website entirely.
  • Intrusion detection and prevention systems (IDPS) for network security strengthen monitoring of network and system activities and detect malicious activity.
  • Security information and event management (SIEM) tools combine security information management (SIM) and security event management (SEM) for real-time analysis of security alerts generated by applications and network hardware, together with centralized log management. Firms that cannot staff this in-house can obtain the same capabilities through a managed security service (MSS) or security as a service (SECaaS) offering, which typically bundles authentication, anti-virus, anti-malware/spyware, intrusion detection, penetration testing, security event management and related tools.

To organize and coordinate security measures, every legal organization should have a security operations center (SOC) team that focuses on security requirements and incidents, and is responsible for company-wide awareness. I have already touched on the importance of training every employee on the appropriate use of email. But that's only a beginning. Role-based security and awareness training should be mandatory. I emphasize "role-based" because each role in an organization implies a different level of access, a different knowledge base and a different skillset. Security and awareness training must be tailored to each person's role.


Leverage Cloud Computing for Data Security

As recently as a few years ago, many CIOs were wary of the cloud because of security concerns. Today, the opposite is true. Moving to and operating in the cloud forces better thought processes about security. The cloud gives organizations greater control around data access and should be among the highest priorities for legal organizations seeking to improve their data security processes and policies. Most cloud providers offer advanced network security monitoring tools, security event logging, and intrusion detection and prevention systems. Web application firewalls built into most cloud platforms inspect requests arriving at individual applications and can alert on attack patterns aimed at known classes of application vulnerabilities. Encrypting data at rest and in transit is a must as well, as is a key management service under the customer's control, so that the organization owns its encryption keys, and therefore its data, from creation to deletion.

The cloud is well-suited to reducing downtime resulting from a cybersecurity event. It offers high availability and multi-level resiliency: if one server fails, another takes over automatically. The cloud also offers multi-region resiliency, which means you can quickly bring up servers in another region if you have a large outage across, say, the Eastern seaboard. Note that replication protects against infrastructure failure, not against a compromise that is faithfully replicated to every region; recovery from ransomware still depends on backups that are offline or immutable.

While public cloud providers like Amazon Web Services (AWS) have a wealth of robust security tools built in, they are not inherently more secure than private or hybrid clouds. A number of major incidents over the past few years, including breaches at Uber, Time Warner and, most recently, Capital One, all involved data hosted on AWS. In each case the cause sat on the customer's side of the shared responsibility model (exposed credentials, a publicly readable storage bucket, an over-permissioned role reachable through a misconfigured application), not a flaw in the provider's platform. Some argue that private clouds tend to be safer because they are less exposed and less visible to attackers; in practice, the quality of the configuration and of the monitoring matters more than the deployment model.

Whatever type of cloud they choose, most legal organizations will find that both the cost of ownership and the level of risk are significantly reduced when they turn to a cloud provider instead of trying to implement all these measures on their own, since most law firms can't cost-effectively dedicate the same level of resources to security. In evaluating a cloud provider or a vendor who provides cloud-based services, firms should make sure the vendor has the right mix of compliance and security protocols in place. Operating in the cloud inherently forces organizations to develop well-defined security processes and protocols, and gives them greater control around data access and security.


Embrace Compliance Standards and Frameworks

Legal organizations considering a move to the cloud should look for providers that can produce a System and Organization Controls (SOC) 2 Type II report. A SOC 2 report is an attestation rather than a certification: an independent certified public accountant has examined the provider's controls and determined that appropriate safeguards and procedures are in place. A Type II report covers how the controls operated over a review period (typically six to twelve months), whereas a Type I report describes them at a single point in time, so Type II is the one to ask for.

Law firms and legal departments would do well to embrace compliance exercises like SOC 2, as well as other standards like ISO 27001 and FedRAMP where appropriate (SSAE 18 is the auditing standard under which SOC reports are issued), to identify areas of weakness and lay the foundation for safer protocols across the organization. To complete those multi-step assessments, organizations are forced to evaluate every part of their technology infrastructure and security protocols in every department.

Finally, effective prevention mandates that legal organizations work only with vendors that can demonstrate they, too, are serious about compliance and have well-documented incident response plans. It is increasingly common for clients to require the firms they hire to thoroughly document security protocols. Firms should expect the same of existing and prospective services and technology providers.


Conclusion

Ensuring compliance with security frameworks is a long-term commitment whose aim should be to improve processes incrementally, year by year. The vast majority of legal services providers will be best served by turning to outside security professionals for help managing the details, which are voluminous and complex, and by participating in industry-standard certification programs to ensure ongoing compliance.

*****

Sundhar Rajan is Chief Information Security Officer for Casepoint. He oversees and is responsible for information security, maintaining security compliance, global infrastructure, all cloud initiatives, and proactive compliance security monitoring. Prior to joining Casepoint, Sundhar spent more than nine years at the Am Law 100 firm Crowell & Moring LLP, where he was the Manager of Network Operations. Sundhar brings over 18 years of experience working in information security, leading network security teams, and building highly scalable application infrastructure.

