When you think about data loss, your thoughts might not go immediately to law firms. In fact, law firms are some of the most vulnerable business entities. The reason is that they deal with highly sensitive (and profitable) information.
Law firms hold valuable data, and effective solutions are needed to prevent its loss. To find these solutions, we reached out to top cyber security experts in the industry and asked each of them for a data loss challenge and solution for the law industry.
Meet our Panel of Cyber Security Experts:
| Aaron Vick | Braden Perry |
| Adam Sbeta | Brandon Forrest |
| Kai Pfiester | Judy Selby |
| Robert Siciliano | Karla Reffold |
Aaron Vick was part of the original design and ownership team of CaseLogistix™, the discovery/edisclosure management and research application, and has worked as a law firm consultant and expert witness for nearly 20 years. Currently, he is Chief Strategy Officer for Cicayda, providing tailored solutions and products within the realm of large-scale litigation ediscovery.
Cyber Security Challenge: A major security challenge for law firms as well as their clients is the storage of client data within the firm. We’ve seen numerous breaches of law firms over the years due to the accessibility to many targets at once with one single breach.
Cyber Security Solution: An alternative way to store clients’ discovery ESI is to manage such data with a third-party cloud provider and limit user access to all databases. This transition not only provides the law firm with up-to-date technology but also allows them to rely on third-party security experts, protocols, and monitoring while reducing the risk of exposing all of their clients’ data via a single-person phishing breach.
Adam Sbeta is a cyber security analyst who has been tracking down and analysing virus and malware behavior since his teenage years in Northern California. He specializes in cyber security and network assessments for law firms and is pursuing a Master's in Cyber Security at George Washington University.
Cyber Security Challenge: Law firms are focused targets of cyber criminals for their clients’ valuable data, while 40% of breached firms are not even aware they are breached.
Cyber Security Solution: Since there is no bullet-proof vest that law firms can wear when it comes to targeted attacks, layers of cyber security defense are a must in their IT environment, audited by non-IT staff. Law firms need to think on the technical side all the way from DNS filtering on the outside all the way down to next-generation endpoint protection. Human nature can easily be fooled into clicking on things that seem similar to their day-to-day operations, so security awareness is part of that layered approach. Finally, disaster recovery plans to get access to their data once compromised are also a must, to avoid paying hackers ransom and giving them more reasons to target you again.
Kai Pfiester is the founding partner of Black Cipher Security, a NJ based cybersecurity consulting firm. As a security consultant with over 10 years of experience, he helps organizations protect themselves against hackers, malware and insider threats.
Cyber Security Challenge: One major challenge for law firms is that they need to make their lawyers easily reachable by potential clients. They do so by placing their email contact information on their websites. The problem with this is cyber criminals can then go to their websites and harvest dozens to hundreds of email addresses. Armed with valid email lists, they can then target the attorneys with email-based attacks.
Cyber Security Solution: A solution to this problem is to use contact forms instead of email addresses laid out in text form.
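One way a firm can audit its own pages for this exposure before and after moving to contact forms, as an added example that is not part of the original article or the panelist's advice. The function name `exposed_addresses`, the domain `examplelaw.test` and the sample markup are assumptions constructed for illustration; the check also shows that entity-encoding or "[at]" spelling does not hide an address.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# "name [at] firm (dot) com" style obfuscation is undone before matching.
AT_RE = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I)
DOT_RE = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I)


class _Collector(HTMLParser):
    """Collects text nodes and mailto: targets from one served page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#64; to "@"
        self.text, self.mailto = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.mailto.append(value[7:].split("?")[0])

    def handle_data(self, data):
        self.text.append(data)


def exposed_addresses(page_html):
    """Return {address: how it is exposed} for one page of the firm's own site."""
    c = _Collector()
    c.feed(page_html)
    c.close()
    text = " ".join(c.text)
    deobfuscated = DOT_RE.sub(".", AT_RE.sub("@", text))
    found = {}
    for source, label in ((" ".join(c.mailto), "mailto link"), (text, "page text"),
                          (deobfuscated, "obfuscated text")):
        for addr in EMAIL_RE.findall(source):
            found.setdefault(addr.lower(), label)
    return found


# Constructed sample markup (not from any real site): attorney page before and after.
PAGE_BEFORE = (
    '<li><a href="mailto:jdoe@examplelaw.test?subject=Inquiry">Email Jane</a></li>'
    '<li>R. Roe: rroe&#64;examplelaw.test</li>'
    '<li>Intake: intake [at] examplelaw (dot) test</li>'
)
PAGE_AFTER = '<form action="/contact" method="post"><textarea name="msg"></textarea></form>'
```

Run against the constructed pages, `exposed_addresses(PAGE_BEFORE)` reports all three addresses with how each was exposed, and `exposed_addresses(PAGE_AFTER)` returns an empty result for the contact-form version.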
Robert Siciliano, CSP, the #1 Best Selling Amazon.com author and Security Analyst with Hotspot Shield, is serious about teaching you and your audience fraud prevention and personal security. Robert is a security expert and private investigator.
Cyber Security Challenge: Phishing is a huge issue. Lawyers, or any white-collar professionals handling sensitive information, are likely to be phished.
Cyber Security Solution: The solution involves a multilayer approach involving security software including a VPN and antivirus but also requires phishing simulation and security awareness training. Without these systems in place, it’s just a matter of time before users are hacked.
Clients rely on HORNE Cyber to build their cyber resilience. HORNE Cyber’s offense-oriented approach to cyber security uncovers hidden cyber risk and significantly reduces exposure to security threats, allowing clients to stay compliant with ever-growing regulations and use technology as a lever for growth.
Cyber Security Challenge: In today’s threat landscape, nation-state attacks serve as one of the law industry’s leading security challenges due to the industry’s international footprint and need to stockpile sensitive client information. As threat actors become more sophisticated and aggressive, it is not a matter of if leaders in the law industry will be breached – but rather when.
Cyber Security Solution: The solution to protecting sensitive client information and documentation is in-depth penetration testing that simulates advanced adversaries. In-depth penetration testing finds risks “below the surface” by manually emulating the aggressive actions of nation-state attackers, penetrating an identified network to discover industry-specific vulnerabilities. Organizations are then able to remediate the identified vulnerabilities, strengthening their security posture against nation-state threat actors currently targeting the law industry.
Taylor Toce is President and CEO of Velo IT Group, a world-class managed IT services provider focused on providing businesses with the technology and support they need to achieve maximum velocity in their markets. Taylor has a proven track record leveraging IT solutions in business strategy for small and mid-market businesses to help clients gain efficiency and improve profit margins.
Cyber Security Challenge: The legal industry is a place of constant change and shifting alliances. As a result, firms face a major challenge protecting client data from “insider threats”: it is really simple for someone leaving a firm to leave with loads of proprietary firm and client data, and it might be extremely difficult for the firm to even detect such an event.
Cyber Security Solution: A simple solution to this mounting challenge is to implement a DLP (Data Loss Prevention) solution that tracks and prevents access, movement, deletion, and transfer of this data in a way that protects the interest of the firm and its clients. DLP solutions have become extremely effective in recent years and are more affordable than you might think. Even smaller firms can afford to implement these technologies in a very cost-effective manner; in fact, they might not be able to afford NOT to!
Hilltop Consulting is one of the top five MSPs and IT consultants to the legal industry. Named 2018 Channel E2E top five legal MSP; Corporate Counsel’s 2017 “Best of” IT outsourcing among numerous other awards.
Cyber Security Challenge: Perhaps the biggest security challenge plaguing the legal industry is the lack of user security awareness. If your users still have passwords like ‘Password’ or click random links in unsolicited emails, even the best—and expensive—IT security systems can only do so much to protect you.
Cyber Security Solution: Very few law firms proactively provide their partners, lawyers and support staff with regular security awareness training. Security awareness training for users should be ongoing and mandatory as part of every firm’s IT Security Policy. For an hour-per-user and not much cost, firms can significantly upgrade their security.
ROB LAMEAR IV
Rob LaMear is the founder and CEO of US Cloud, a private cloud hosting and security services provider based in St. Louis, Missouri. He is a cyber security expert and is regularly asked to speak on the topic. His mission is to help businesses simplify infrastructure, unburden IT, and protect brands.
Cyber Security Challenge: The single largest security challenge faced by law firms in 2018 is an internal mandate to keep sensitive documents in-house (as opposed to cloud) while facing ever increasing demands to securely access their data from any device, anywhere.
Cyber Security Solution: Hyper-converged private cloud infrastructure for high-availability and data encryption at rest. Secure access to sensitive documents via desktop virtualization technology for SSL/TLS wrapped applications and data that displays well across PCs, laptops, tablets and mobile phones.
Braden Perry is a litigation, regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC.
Law firms are an attractive target, especially large firms with diverse practices that may include sensitive corporate or government information. Overall, most law firms understand the danger and have implemented practices to prevent such intrusions, but the number of attempts keeps rising. Clients of lawyers are counseled to be open and honest, as the lawyer-client relationship is one of the oldest and most powerful privileges there is. I don’t think many understand that their sensitive information can be exposed by intrusion and that many law firms have had intrusions at some level. And like most cyber environments, there will be a strong market for security experts to monitor, prevent, detect, and mitigate the increasing numbers of attempted breaches.
Cyber Security Solution: Law firms should understand the risk and have strong policies and procedures in place both for prevention/detection and mitigation of the information. If client information is sensitive, measures should be taken to avoid storage where it is easy to obtain. Similar to the old practice of keeping paper files under lock and key, partitioning of especially sensitive data should be practiced. Law firms should have a data storage policy that keeps documents on their main systems only if necessary, then transfers them to a more secure storage vehicle. We practice partitioning and air-gapping with our sensitive data, and utilize a proactive cyber policy to mitigate our exposure.
Brandon Forrest is a Managed IT Specialist at the Gordon Flesch Company with specialization in cloud storage, vCIO services, business continuity, and cyber security.
Cyber Security Challenge: In reference to your query on Law Industry Data Security, I have seen a common issue among law firms – they have legacy computer systems without a refresh plan, disaster recovery plan, or they are using operating systems that are no longer being updated by Microsoft. This poses the challenge for their data security, because the legacy devices and vulnerable OS create pathways for cyber attacks.
Cyber Security Solution: The solution is to leverage a managed IT program that creates a leased refresh program to replace old technology every 2-5 years, assess their network every quarter at a minimum, and develop a strong business continuity plan. This proactive management reduces downtime and vulnerabilities.
After practicing law for 25 years, Judy Selby now provides consulting services in the areas of cyber risk management, cyber insurance, and compliance. Selby founded a former law firm’s ediscovery and technology team, where she was responsible for managing massive data sets of confidential data produced by parties in multiple litigations. She also founded her firm’s information governance practice.
Cyber Security Challenge & Solution: Implementing a cultural change is the most important cyber security challenge for today’s law firms. Firms need to shift from a mindset of “trusted advisor” to the new reality that they are third party service providers when it comes to their handling of confidential data. Law firms are aggregators of important data belonging to their clients and their clients’ adversaries, and firms must accept that protection of that data is a fundamental part of modern legal practice. Firm leaders must publicly embrace this concept and ensure that data security is prioritized as a critical part of the firm’s culture.
Cyber Security Challenge: A key challenge to security within the law industry is that salaries for security professionals have typically been far below those in other sectors. Historically, security roles in law firms have also been hybrid roles, where someone may be responsible for a range of resilience issues. As security is now becoming a revenue generator, law firms are starting to pay more. Their internal people can be used to speak with clients, and vice versa, where their externally facing people can help internally. This will help the industry attract better talent, and introduce better security solutions.