Click to tweet
Understanding #Cybersecurity Threats in Law Practice via @SpecialCounsel http://spclcn.sl/1Oq4hUs
Organized, financially motivated hackers have turned their attention on the latest soft target: law firms. Even before the Panama Papers leak, a number of high-profile breaches put the legal profession on notice.
Why do hackers target law offices in cybersecurity attacks? Because they house some of the most sensitive information in the world. Although some savvy companies have established honey pots full of false data to mislead and misdirect cyber hackers, law offices typically lack such decoys. In fact, the honesty fostered by attorney-client privilege means law offices frequently guard information that is both very sensitive and quite authentic. “Hackers know they are probably getting the real deal,” says Vincent Polley, president of KnowConnect PLLC and co-editor of the ABA Cybersecurity Handbook.“That means the information hackers do find [in law firm systems] is going to be even higher value than they might otherwise get.”
It’s the 21st century equivalent of raiding Fort Knox. “What is a law firm’s wealth? Proprietary information. Its clients’ secrets,” says Christopher F. Smith, director, cybersecurity strategy at SAS. “To a hacker, information is money. That’s why law firms make such alluring targets.”
Below are some guidelines to better understand cybersecurity threats and attacks and coping with the situation.
Remember that no one has solved the problem. “Even Big Law has problems here,” Polley says. Because size dictates both the kind of threat and the type of countermeasures available to practitioners, the ABA Cybersecurity Handbook structures many of its recommendations along the lines of small, medium, and large firms.
Accept responsibility and commit resources. It’s long past time for the profession to accept that cybersecurity should be a priority. Polley proposes that ultimate responsibility for a firm’s cybersecurity should reside with a sole partner, who is capable of coordinating efforts among in-house IT and external experts. “This is not just an IT question. We recommend that a senior lawyer in any law firm become responsible for managing the cybersecurity practices of the firm,” he says. “If a committee of three or four people share responsibility, then nobody really has it.”
Understand that the threats are growing. The ABA Cybersecurity Handbook was published in 2013 to help law firms protect themselves and their clients, but threats continue to mount. “There’s reason to expect than many firms, if not most or all, have been attacked, and that many, most, or all have been compromised,” Polley says. “The threat environment has just gotten worse over the last three years.”
The ABA Cybersecurity Legal Task Force maintains a handy portal summarizing ABA guidelines and resolutions which inform and enforce ABA policy for the profession. The ABA House of Delegates now routinely considers and passes resolutions on cybersecurity policy, but the five key principles originally established in 2012 set the framework for what practitioners should observe as a bare minimum. The Principles articulate that the legal profession has a “deep responsibility” in the ongoing security struggle. “Among other things, lawyers need to stay abreast of technology, and ignoring cybersecurity could be a violation of professional responsibility rules,” Polley says.
Accept that cybersecurity is imperfect. “Even the best enterprise security won’t keep the bad guys out 100% of the time,” Smith says. The only approach that is both financially viable and will keep you sane is to prioritize. Highly sensitive information, such as corporate mergers and acquisitions, needs the tightest locks. But not all client communications can or will receive the same level of protection.
“You want to do what’s competitively reasonable. You don’t want to spend 20 percent of your management time pursuing unattainably perfect cybersecurity when your peers are spending five percent,” Polley says.
Use physical controls. In the face of cybersecurity attacks, remember that threats come from person-to-person contact as well. Social engineering tactics to trick insiders out of information and credentials are as old as fraud itself, but take on new faces with phishing attacks. “Attackers will always take the path of least resistance. That can mean getting a job at a janitorial service and rifling through files that are not locked up, or it can mean going after insider employees, or your laptops,” says Thomas Dye, partner with Feldman Gale.
Make sure your staff understands that all information is on a need-to-know basis only. Consider the practice of auto-locking computers, laptops, and even smartphones after periods of inactivity and security all computers every evening.
Find outside counsel with relevant experience. Whether it’s for a compliance audit or for damage control, look for outside counsel that understands cybersecurity from both a legal and technical point of view. “You want the outside lawyer to be familiar with breach notification statutes and have handled that work in the past, but more particularly, you want that lawyer to be conversant with technology,” Polley says.
Outside counsel should have a deep understanding encryption and security practices, and to be comfortable exchanging information with IT professionals. Specialists can dedicate time to continuing education that a generalist can’t. “Attorneys who do not practice in this area are not aware of the new statutes and regulations being passed around the country at both a federal and state level,” Dye says.
Do you need help assessing your cybersecurity threats in your law office? Contact one of our locations today to discuss how we can help you combat and prepare for any potential cybersecurity attacks.
Subscribe to our blog
Our law blog keeps you on top of the latest industry insights and provides jobseeker tips for the legal community.SUBSCRIBE VIA EMAIL SUBSCRIBE VIA RSS