Ricci Dipshan, Legaltech News
Cybersecurity at law firms is heavily
dependent on employee awareness and data organization. Just be sure to ask the experts for help.
The digital age is the sharing epoch. No industry is
an island. They're connected to one another through their online businesses.
Each shares common trials and tribulations online, and whether firms,
departments or companies realize it or not, what affects one will certainly
affect the others.
But for the legal
industry, this was a hard truth to learn. Until recently, law firms have
naively believed their age-old businesses had little in common with those
outside their walls.
"I'll tell you that
law firms tend to look at other law firms to see what's going on," says
Avi Solomon, director of information technology at Rumberger, Kirk &
Caldwell. "I realized, not long ago, that it's directly related to that
fact that attorneys live their lives around the concept of precedents. So if a
publicly traded company is attacked [by a data breach], that really doesn't
mean a lot; if an accounting firm is attacked, it also doesn't really mean a
lot. But when a law firm gets attacked, you better believe that means a lot,
and they're going to all start talking about it."
It is a situation
Solomon knows intimately. While Rumberger, Kirk & Caldwell "has not
been the target of direct threats," he says, the firm "had a very
small incident, but we detected it, we stopped it, and we removed it. Only the
slightest amount of damage occurred, but it also gave me the opportunity to
come back to management and say, 'I'm going to show you what's happening, I'm
going to show you the little effect it had on our environment, and now I'm
going to show you the damage it could have done.' "
"The fact that they
tasted just a little bit of it helped... in getting management to appreciate
the potential impact," he adds.
Yet being slow to
implement cybersecurity at a firm can ironically be "a good thing in that
generally, the industry is not trying to reinvent the wheel," says Dean
Leung, who previously worked as the CIO of Holland & Knight and is now
iManage's chief customer success officer.
"When you look at
common technologies such as firewalls, mobile device management, encryption,
multi-factor authentication, complex and frequent password changes, all those
are very standard things out there in the consumer space" that can be
implemented at firms, he adds.
Law firms' reliance on
out-of-the-box cybersecurity tools and approaches, however, can only go so far.
In the legal space, Leung says, cybersecurity has to be more tailored, given
the "relationship between attorney and clients.
"Just the
interchange of information between those two can be a little more unique than
perhaps a more generic organization," he adds.
In addition,
"whereas corporations can typically follow a unique and standard set of
security guidelines, the legal industry is faced with having to comply with a
high watermark in terms of the regulations out there, which include privacy
laws from various governments, HIPAA [Health Insurance Portability and
Accountability Act] requirements, PCI [payment card industry] requirements,
etc. And then on top of that, you also have the outside counsel guideline
requirements coming from various client organizations that you have to
follow," Leung explains.
Safety in Tiers
But what exactly does a
firm's tailored cybersecurity approach require? Given that law firms handle
various degrees of sensitive and privileged information, Leung compares
"security nowadays to where you have to have multiple levels of protection
very similar to a bank. If you breach the perimeters of a bank, you might be
inside a bank, and there might be things that are sensitive. But if you want to
go further, you have to get into the vault. But once you get into the vault,
you have to get into a safe deposit box in order to get more and more granular
information."
Multi-level information
protection, he adds, is fundamental to a firm's cybersecurity effort, and it
should also be inherent in the way the firm protects privileged and sensitive
legal information.
"Once you dive
deeper into a particular case, a particular matter, and a particular work
product, that security needs to be tighter and tighter, and with more controls,
so that people know when the information isn't accessible by the appropriate
person."
This approach speaks to
what Solomon calls "one big defining characteristic difference that you
won't find in most corporate American places, but you will find specifically in
legal": document repositories. Solomon notes that "because law firms
really live, eat and breathe based on the documents they are generating, one
big piece that is important if you were looking at the legal industry is
isolating the document management system.
"A lot of the
ransomware problems and others, when they do affect law firms, it can very
badly affect pre-production areas, it can affect e-discovery areas," and
matter areas, but this risk can be mitigated by employing a multi-tier document
management system, Solomon says.
"If you don't have
a tiered document management system, you're pretty much up the creek."
Managing the Greatest Asset and Biggest Risk
No multi-level
information governance protection, however, can stand long on its own; employee
support is critical to success. So while a firm may have the technology in
place, without a well-trained and aware staff properly protecting and managing
its data front-lines, its cybersecurity efforts will always fall short.
"Technology and
engineering controls can only go so far. Ultimately, people are the weakest
link in cybersecurity," explains Sean Lawless, IT infrastructure &
support manager at Robinson & Cole.
Lawless notes his firm
implements "a well-rounded program geared towards data privacy and
security" that mandates the firm's employees understand their data and
cybersecurity responsibilities.
"We like to say
that our greatest asset is also our biggest risk: our people. All new lawyers
and staff attend mandatory training together to better elevate the
understanding of risk within task assignments. The program includes our CLE-credited
training as well as signage, posters and other daily awareness communications.
Finally, we have convened a data privacy and security committee comprised of
both attorneys and technology professionals to assess and address the firm's
security needs."
Fostering cybersecurity
awareness in-house is vital, but so too is insulating the firm against
persistent risky behavior. At Rumberger, Kirk & Caldwell, Solomon says,
every employee is required to attend a training program, "just as they
have to go through an HR training having to do with sexual harassment or HIPAA
compliancy."
The firm tests each
employee on their cybersecurity education and will create targeted programs to
address "training issues individually for users that need some assistance
in getting better at it," Solomon adds.
But he notes that if the
firm gets to the point where "we've done remediation training and we
continue to repeat remediation training with certain employees who aren't
getting it, that'll just get escalated to HR, because at some point HR and the
firm's management needs to understand the risk associated with having an
employee that doesn't understand what it means to stop acting in a risky
way."
Part of the goal of
education, Solomon adds, is to make sure employees know the limits of their
awareness and knowledge.
"You think you know
what you're doing; you don't know half as much as you think you know," he
explains. "So why don't you, instead of just being click happy, think
before you act?
"I had one pretty
senior attorney go to the training who, after going through the training, wrote
me and said he's afraid to use email now," Solomon says. "And I wrote
back and I said, 'Good. … You should be a little afraid. That's kind of the
point of all this.'"
All (Outside) Eyes on Deck
Solomon's use of an
external cybersecurity firm for training employees speaks to another vital part
of cybersecurity for any firm—the need for outside help.
For example, the
cybersecurity training program his firm requires for attorneys? It was designed
in part by cybersecurity company KnowBe4.
"You want to go to
the experts to look at and solve the problems," Leung says, explaining
that firms "don't have the bench strength to be hiring the level of
security expertise that you actually need in order to bring that type of
knowledge in-house. The whole concept of the security is that it's not a 9-to-5
thing. It's a 24/7 thing, so going to organizations to have a 24/7 operations
center is really worth driving to."
Leung, however, also
cautions that firms need to be careful to strike the right balance when
bringing in professionals.
"Within a
particular law firm, recognize that security is double-edged in that you have
to have enough security to ensure that information is adequately safeguarded
and protected, yet at the same time you can't disrupt the way attorneys
practice. At the end of the day, we have to be able to get work done."
An example of where
continuous security services can be pivotal is email, the channel usually
targeted by phishing (a practice through which cybercriminals trick users into
downloading malware onto their systems or giving up sensitive information).
Solomon says his firm
relies on an email archiving and security company, Mimecast, that allows him to
track and watch emails come in, and flag ones that are sent from suspicious
newly registered domains or ones not associated with the firm. The firm is also
able to hide its email server behind the company's servers, preventing
"direct denial of services against our email," which can cripple the
firm's websites and online infrastructure.
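The inbound-mail triage Solomon describes (flagging senders from newly registered domains or from domains the firm has never corresponded with), as an added example over constructed messages; this is not the article's, the firm's or Mimecast's code, and the registration-date table, correspondent list, threshold and `.test` domains are all invented stand-ins for a WHOIS/RDAP source and a real allowlist.

```python
"""Added example: flag inbound mail whose sender domain is newly registered
or unknown to the firm. Every domain, date and message here is constructed."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

TODAY = date(2024, 6, 1)          # fixed so the example is deterministic
NEW_DOMAIN_DAYS = 30              # constructed "newly registered" threshold

# Constructed registration dates standing in for a WHOIS / RDAP lookup.
REGISTERED = {
    "examplefirm.test": date(2001, 3, 14),
    "client-co.test": date(2010, 9, 2),
    "examplefirm-billing.test": date(2024, 5, 27),
}
# Constructed list of domains the firm already corresponds with.
KNOWN_CORRESPONDENTS = {"examplefirm.test", "client-co.test"}


def sender_domain(raw: str) -> str:
    """Extract the lower-cased domain from the From: header of a raw message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list:
    """Return the reasons a message should be flagged; an empty list is clean."""
    domain = sender_domain(raw)
    if not domain:
        return ["no parsable sender address"]
    reasons = []
    registered = REGISTERED.get(domain)
    if registered is None:
        reasons.append(f"{domain}: registration date unknown")
    else:
        age = (TODAY - registered).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append(f"{domain}: registered {age} days ago")
    if domain not in KNOWN_CORRESPONDENTS:
        reasons.append(f"{domain}: not a known correspondent")
    return reasons


# Constructed sample messages: one from a long-standing client, one from a
# days-old look-alike billing domain.
MESSAGES = [
    "From: Partner <partner@client-co.test>\nSubject: Draft\n\nSee attached.\n",
    "From: Billing <pay@examplefirm-billing.test>\nSubject: Invoice\n\nPay now.\n",
]
```

Running `triage` over each entry of `MESSAGES` leaves the client message clean and flags the second on both counts.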
Perhaps most important,
relying on an outside vendor keeps Rumberger, Kirk & Caldwell at the
forefront of new threats and email protection technologies. "I actually
stay in close contact with Mimecast's people, because they come up with new
technologies that offer me the ability to create new protective measures and
barriers. I try to implement those as soon as possible," Solomon says.
Of course, picking a
cybersecurity vendor is no easy task. A survey in April by Tech Sentry and IDG
Connect of 211 U.S.-based IT staff found that while 88 percent of U.S.
companies spent at least $100,000, and 48 percent spent at least $500,000, per
year on cybersecurity, that expenditure often did not equate to protection
against breaches or cyberattacks.
The challenge, then, is
in picking the right tools and vendors. So how should a law firm go about such
a task?
Robinson & Cole's
Sean Lawless has a simple answer: Pick the best of the best, and stay close to
home.
"Generally, we
choose our vendors and products based on 'best of breed' rankings by leading
industry research firms like Gartner and Forrester. The other major factor in
technology decision making in the legal vertical is industry adoption. The
legal field is generally a tight-knit industry with many technology-related
resources, like the International Legal Technology Association, that help
firms connect and discuss what works well, what doesn't, and what vendors or
products firms have found to be the best value."