BreachExchange mailing list archives

Law Firms Aren't Immune to Cybersecurity Risks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Jan 2015 19:25:25 -0700

http://www.nationallawjournal.com/home/id=1202716120611/Law-Firms-Arent-Immune-to-Cybersecurity-Risks?mcode=1202617074964&curindex=5

Although law firms have managed to remain off the list of the year’s
biggest data breach victims, firms watching cybersecurity trends most
closely are feeling increasingly uneasy about their own security posture.
Astute firms are looking to learn as they watch Target Corp., The Home
Depot Inc., JPMorgan Chase & Co., Sony Corp. and others struggle to manage
an endless stream of news stories that damage their brands, massive
disruptions to everyday business, and a significant strain on resources as
organizations respond to legal claims, comply with requests for information
from regulators and scramble to bolster security systems in efforts to
prevent further incidents.

Because law firms are routinely entrusted with large volumes of highly
sensitive data under attorney-client privilege—private personal
information, trade secrets, mergers and acquisitions details, litigation
strategy, intellectual property research, health care data and more—it’s
only a matter of time before they face the same level of scrutiny of their
security practices as do corporations. The risks firms face from inadequate
information-security policies, procedures and technology are just as
serious and far-reaching as those faced by their corporate clients, and
hackers are likely to perceive firms as an easier target.

Under mounting pressure from both clients and regulators, firms are being
forced to reassess their cybersecurity controls and make investments that
will better equip them to respond to attacks when they inevitably occur.

Recent developments in the financial-services industry are especially
instructive on how law firms can be more active in bolstering security. On
Dec. 10, New York Superintendent of Financial Services Benjamin Lawsky
issued an industry guidance letter to all banks regulated by his
department, detailing how those institutions will be examined on protocols
related to cybersecurity, including their “due diligence process” in
“vetting, selecting and monitoring” the information-security practices of
their third-party vendors. Law firm partners and executives who think this
doesn’t apply to them haven’t been paying attention.

Compliance checklists

As The Wall Street Journal reports—and many firms can wearily attest—many
banks have already begun requiring outside firms to complete compliance
checklists detailing the state of their technology systems and security
policies, and in some cases requiring firms to fulfill specific
requirements regarding their own vendor-security programs. On-site visits
by bank security officials to data centers of outside counsel are
increasingly common, as are mandates that firms periodically hire
independent auditors to test defenses and identify weaknesses.

As the fallout from high-profile data breaches makes abundantly clear,
cybersecurity is not just an information-technology issue. It’s a
business-risk issue that requires active engagement on the part of
stakeholders across the organization. As such, cybersecurity requires a
top-down, strategic approach driven by senior leadership. A narrow focus on
tools and tactics simply is not adequate.

The general consensus among cybersecurity experts is that a purely
defensive posture is likely to fail. Savvy organizations begin with the
assumption that, no matter how good your defenses are, at some point a
breach will occur. Rather than focus all efforts on preventing an attack,
law firm partners should develop an information security program based on
the premise that the firm’s network is already compromised.

This mindset forces the firm to address some uncomfortable but revealing
questions: “How would we know whether we were compromised?” “Who is
responsible for managing the firm’s response to a security breach that
affects client data?” “What information would investigators need to
determine the scope and scale of an incident, and are we equipped to
collect and preserve such information?” The planning process required to
answer those questions should be built on input from stakeholders across
the organization, including information technology, security, compliance
and management. Sound cybersecurity policy needs to start at the top, with
partners setting the tone.

Initial steps

How do firms begin building a solid information security program? Here are
some basic considerations.

Create a team of stakeholders from across the organization to take
responsibility for information security. Their first task should be to
perform a formal risk assessment to understand the sources and kinds of
data they have and the risks associated with it. They should map the data
to make sure they know who has access to them and why.

Determine what data reside with third-party vendors. Do they have direct
access to the firm’s internal network? What due diligence has been
conducted to assess risks and ensure the adequacy of the vendors’ security
controls?

Examine data retention policies. Most organizations hold on to data much
longer than is necessary. Data that you don’t have are data that can’t be
compromised.

Understand and regularly review policies for data access controls,
passwords, encryption, physical security and remote access. Given the
nature of the work they perform, lawyers have a legitimate need for
real-time access to large volumes of sensitive information. However, given
the level of risk present at the “human layer” in any network, it is
critical for firms to strike the right balance between accessibility and
security. For many firms, cultural resistance from attorneys represents the
greatest challenge in implementing necessary security controls.

Develop a detailed incident response plan, with provisions for business
continuity and disaster recovery. A major component of this plan should be
a comprehensive, mandatory training program for every individual in the
organization who has access to sensitive data. Attorneys and staff need to
understand the consequences of a breach and the importance of recognizing
and reporting warning signs to minimize the impact of an incident.

Establishing sound information security practices is not just about
policies and protocols. It requires a cultural transformation, starting at
the top. Smart firms will work hard to build a culture of awareness and
commitment to security. Employees can be your most valuable asset if they
are well-trained and know what to watch for.

For many law firms, cybersecurity is not a do-it-yourself proposition.
Firms that seek outside help from competent, independent professionals are,
in effect, demonstrating to their clients and regulators that they take
information security seriously.

Consultants who provide risk-assessment services should be able to assess
technical data security, privacy policies and security protocols and
provide recommendations for improvement. They should also be able to
perform vulnerability assessments and, if necessary, provide hands-on
services like network monitoring and regular penetration testing.

Having on-call access to expert cyber incident response services, including
network forensics, malware analysis, insider incident investigations and
root-cause analyses, is also helpful. A data breach impact assessment might
help a firm identify, extract and analyze exposed data sets and develop an
incident reporting process that will provide a clear picture of the
progression of a breach and its potential impact.

Response services are available to improve litigation readiness in response
to a breach. Can your firm ensure there will be proper preservation,
collection and analysis of evidence if a breach occurs? Will you be able to
prevent spoliation of data that may be relevant to subsequent litigation?
If a vendor suffers a breach involving data entrusted to your firm, are you
prepared to undertake an investigation? If the answer to any of these
questions is “no” or “we’re not sure,” seeking outside help may be a good
idea.

Finally, independent consultants can collaborate with a firm’s human
resources department to optimize employee training for enhanced awareness
and readiness. Specialized training programs can be customized for your
firm’s risk profile and its likely attack vectors. Programs can be tailored
to specific groups of employees, such as partners and executives,
associates and legal support staff, information technology staff and
incident first-responders.

As law firms invest the time and resources required to develop a solid,
defensible information security program, it’s worth remembering that doing
so not only prepares them for any security audits they may face in the
future, but can also reap big benefits in their relationships with existing
clients and their ability to win new business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/