Law Firm Data Security: Experts on How to Protect Legal Clients' Confidential Data
Data security is a critical part of doing business for law firms. We asked a group of lawyers what technology and processes they have in place to protect clients' sensitive information.
For companies that provide services to clients, data security is always an important part of doing business. For lawyers and law firms, who are entrusted with highly sensitive client information as a matter of course, effective data security is even more critical.
We wanted to help today's lawyers and law firms keep their clients' confidential data and intellectual property secure: what issues do they face, what requirements need to be in place, what aspects of legal data security are commonly overlooked, and what are the implications of common decisions about storing and sharing legal data? To find out, we asked several practicing lawyers and data security experts this question:
"What technologies and/or processes are in place to protect your clients' sensitive information?"
See what our experts had to say below:
Meet Our Panel of Experts:
Jared Staver is Attorney at Law and Managing Partner at the Chicago-based Staver Law Group.
What technologies and or processes are in place (or should be in place) to protect your clients' sensitive information?
First, let me start off by stating that the warnings issued regarding hackers and law firms are entirely accurate. If big-name brands that often dedicate millions of dollars per year to data protection are capable of being hacked, surely any law firm is as well. The legal industry needs to be smart about data protection, and unfortunately it's my belief that law firms don't always take the appropriate precautions.
Here is my outlook. It's simple.
I am not a data expert. I am not a tech expert. I am not a security expert. Given this information, I refuse to keep client data on premises, in our systems, etc. I practice law. But that in no way makes me suitable to make decisions about my clients' data. Perhaps the easiest thing law firms can do is to put data in the hands of experts (and understanding that those experts are not attorneys). Offsite servers that are encrypted, protected and have teams of people ensuring their security are any law firm's best friend. In my opinion, they are underutilized in the industry.
There are dozens of offerings with various price points and plans. My suggestion is that the proper research be conducted before selecting a service, and then work with that service to migrate client data into a secure, safe environment.
Jeff Stollman is a polymath who works in a wide range of disciplines including sensors, robotics, financial services, force protection, weapons demilitarization, non-lethal weapons systems, information technology, information security, and privacy. He currently holds patents in artificial intelligence, privacy, and financial services and has patents pending in financial services, information security, and non-lethal weapons. He currently serves as a technical expert to the International Telecommunications Union - Technology (ITU-T) organization and supports the United Nations Commission on International Trade Law (UNCITRAL). He is also a member of Mentors Guild, a company that connects businesses to top domain experts, executive coaches and thought leaders across the nation.
There are four important steps to controlling data loss for a law firm:
First, unless a law firm is uniquely large, it is unlikely that the IT department is large enough to have a Security Operations Center capable of (1) inspecting all traffic, (2) classifying it as benign, malicious, or questionable, (3) analyzing questionable traffic rapidly to determine whether it is malicious, (4) curtailing malicious traffic (which can require reverse engineering the malicious code), and (5) taking the necessary steps to remediate any damage.
It is for this reason that I recommend to most SMBs that they outsource SOC services. There are good products to accomplish items 1 and 2. Some of them include service contracts to accomplish item 3. But developing the project plan and having up-to-date skills necessary for items 4 and 5 are always problematic for smaller enterprises. The enterprise will still serve as the arms and legs to implement controls and defensive tactics. But keeping current with new attack strategies requires more time than most small and medium enterprises can give their security staff. There is just too much other work to be done. SOC services are not all equal and different levels of protection are offered by different firms.
Second, there are now some good products available for tagging and controlling the data themselves, rather than merely providing network defense. These programs help classify information assets and then provide various levels of protection. This is a new area, but products are maturing rapidly.
Third, a good solution for privileged account management needs to be implemented and enforced. Even if threats do not come from insiders, a good privilege management system will make it harder for outside attackers to obtain the enhanced privileges that are usually necessary to exfiltrate important data.
Fourth, because the biggest security hole in every organization is its people, it is important to provide end-user training. Classes don't work. They are costly and the information is not retained for very long. A better program is the irregular use of internal phishing emails (sent from outside addresses designed to catch users off guard). These are then followed up with emails that then teach users how to avoid falling victim to such attacks. Multiple services are available to provide this. Additionally, there are now some good services that license short (<3 minutes), humorous videos to train users. These are available on a subscription basis. They can be sent out at somewhat regular intervals to both entertain and teach users.
Robert Ellis Smith
Robert Ellis Smith is an attorney who has published "Privacy Journal," a monthly newsletter for professionals and individuals, since 1976. He is the author of "Compilation of State and Federal Privacy Laws" and other books on the subject.
I am a writer and specialist on the right to privacy, and I am also an attorney. From that perspective, I recommend, first...
A secure email account that the attorney is assured protects the content of correspondence.
No attorney should use Gmail or other free services that in fact admit that they use personal information from email content. They should encrypt their client correspondence. Before sending sensitive correspondence, they should check by phone or text with the client to see what method of delivery is preferred.
They should have a lock and key on their fax machines (these are available) and allow access to incoming faxes only to a few authorized employees. The fax machine does not belong in the office lobby or a hallway. Attorneys should put paper records under lock and key at all times. Computers with client personal data in them should be secured at all times by passwords that are frequently changed because employees in a law firm frequently change.
If filing electronically, attorneys should first delete personal information that will be stored digitally. Social Security numbers should never be included in documents, even if "required" by the court system. Dates of birth, addresses, and organizational FEINs are much less sensitive.
Jason Straight, Esq., Senior Vice President and Chief Privacy Officer with UnitedLex, a Global leader in providing technology powered legal and data solutions.
What technologies and or processes are in place to protect your clients' sensitive information?
First of all, it would be important to convey that the firm's security posture is not static but is perpetually evolving to address new threats as they emerge.
A firm should be able to demonstrate that it has a true information security program that addresses all three elements of cyber security risk: threats, vulnerabilities and impact. Not only should a firm be able to present how it is addressing each risk component, it should be able to present a security roadmap that shows how the firm will continue to advance the maturity of its cyber risk program from where it is today. To paraphrase an old maxim: whatever was good enough to achieve a defensible security program today is not enough to keep you at that level. Some of the key components of a security program that a client would likely want to see are the following:
- Culture - demonstrate that the firm has an institutional commitment to protect client data reflected by involvement and engagement by senior firm leaders - not just IT. Also show that the firm has a strong and customized security awareness training program for all staff with access to client data.
- Sound Basic Security Practices - show that the firm has a mature process for the blocking and tackling aspects of information security such as patch management, virus protection, firewall configuration, web and email gateway monitoring, etc.
- Access Controls - Show that the firm can identify and classify client data within its environment and that it restricts access to client data according to a need to know policy.
- Vendor Management - Describe the process the firm uses for assessing vendor security on an ongoing basis.
- Incident Response - Demonstrate that the firm has a robust - AND TESTED - incident response plan.
- Intrusion Detection and Log Aggregation - Show how the firm is actively hunting for indications of compromise and is retaining sufficient system logs to recreate attacker behavior and determine the scope of exposure in the event of a breach incident.
- Use of Encryption and Two-Factor Authentication - Demonstrate extensive use of encryption of data in transit and at rest and show that the firm employs two-factor authentication to secure remote connections to the firm's infrastructure.
- Threat Intelligence - Describe how the firm creates and consumes internal and external threat intelligence. If the firm participates in information sharing, describe how the firm derives benefit from such arrangements.
Anne P. Mitchell
Anne P. Mitchell, attorney at law, has been involved in the intersection of email technology and practices and the law for nearly 20 years. Originally in-house counsel for Mail Abuse Prevention Systems, the first anti-spam blacklist, Mitchell has authored part of our Federal anti-spam law, and is the founder and CEO of the ISIPP SuretyMail email reputation certification service.
What technologies and or processes are in place to protect your clients' sensitive information?
One of the most critical processes to have in place and *follow*, without exception, is one of the simplest, but most oft-overlooked. That is having a written email retention policy, and following it.
I have been involved in the email policy, practices, and security area for nearly 20 years, and have counselled many, many organizations, and I am consistently surprised to find that, more often than not, an organization will not have taken this simple, but crucial, step. Law firms should not only have their own written email retention policy, but they should be counselling their own business clients to be sure to do the same.
From a legal perspective, if an organization is on the receiving end of a legal demand to produce evidence which includes email, they have to be able to either provide the email requested, or be able to point to a sound policy that explains why the email is no longer available.
Now, the email that is received at and sent from law firms may (or may not, depending on the nature of the email) be subject to the attorney-client privilege. However, a strong email retention policy will also protect email from intrusion such as if the firm's mail server is hacked. This is because a good email retention policy spells out for how long email will be retained, after which point it is deleted. Once deleted, it cannot be compromised during a security breach event. So if the email retention policy is followed as it should be, then email will be deleted from the firm's servers within an appropriate time period, making it no longer vulnerable to an attack or other security breach.
For these reasons it is critical that a law firm have a written email retention policy, and that the policy be scrupulously followed. From a legal discovery perspective, what that policy is matters far less than that it be carried out consistently. For example, the email retention policy may be that all email is to be archived for three years, and then deleted, or it may be that all email is to be deleted as soon as it's opened and responded to. It really doesn't matter so long as it is carried out and applied consistently to all email.
However, from a security standpoint, the shorter the time that the email is retained, the greater the degree of protection against it being compromised during a security breach. The retention of no longer needed data - be it email or other documents or data - is one of the most easily avoided ways that data can fall into the hands of hackers or other wrong persons.
Randolph Kahn is the President of Kahn Consulting, an Information Governance advisory firm, and is recognized across the globe as a leader in Information Governance. He is a highly sought after speaker, having spoken hundreds of times around the globe. He is an award winning author of numerous published works, including; "Chucking Daisies", "Email Rules", "Information Nation: Seven Keys to Information Management Compliance", "Information Nation Warrior" and "Privacy Nation". He is a two time recipient of the Britt Literary Award. Mr. Kahn has been an expert witness in major court cases, and has been an advisor to corporations and US governmental agencies and foreign governments. He is a co-founder of the Council for Information Auto-Classification and has been involved in many industry organizations.
What technologies and or processes are in place to protect your clients' sensitive information?
There is no shortage of bad people intent on gaining access to information for profit. If law firms' security is the weak link to gain access to clients' information, vigilance, best of breed technology and good processes will help minimize the exposure, but perfect security is not possible.
Jonathan Dambrot is the CEO and Co-Founder of Prevalent, a cybersecurity and vendor threat intelligence innovator, and brings many years of entrepreneurial and management experience to the company. He has worked with both large and medium enterprises to create solutions to better comply with government regulations and mitigate infosec risks. Prior to working in the technology industry, Jonathan launched a highly successful, consumer products company where he won several collegiate entrepreneurial awards. Jonathan is a graduate of Fairleigh Dickinson University, received his MBA from The Pennsylvania State University, and is a Certified Information Systems Security Professional (CISSP). Jonathan is currently the Vice-Chair of the Shared Assessments Steering Committee, Chair of the Shared Assessments SIG Committee, and sits on the Penn State Outreach Advisory Board.
To answer the question, "What technologies and/or processes are (or should be) in place to protect law firms' clients' sensitive information?", I would offer the following two pieces of advice...
- Third-party risk should be part of any law firm's cybersecurity plan. Third-party risk management is a security function as well as a compliance requirement. When you have a cybersecurity plan that only focuses on internal security, you risk missing 50% of the problem. Numerous studies have shown that third parties represent between 40% to 80% of the risks associated with data breaches. Ensuring broad cybersecurity coverage means understanding the risks posed by both your third-party providers and their providers (fourth parties). It is important to also note that understanding where your data is, both internally and externally, helps you to better isolate your risks and understand where you must focus your efforts.
- Single, point-in-time assessment is no longer sufficient. Most third-party risk management programs begin as a compliance effort, with point-in-time assessments completed during or immediately after the contracting process. In many cases, this was the one and only time an assessment was performed. The pace of technological innovation is staggering. Organizations of all sizes are moving more data to the cloud and mobile applications. While this may increase efficiency and reduce costs, wouldn't you want to know if a compromise happened at a service provider, prior to a breach notification? Performing on-going assessments and threat monitoring exercises is now required to better understand the constantly evolving risks posed to your data by third-party vendors.
Michael Gumprecht is a personal injury lawyer in the Atlanta, GA area. Prior to becoming an attorney he was a data center facility engineer for LexisNexis at their headquarters in Ohio. Learn more about Michael and his work at The Gumprecht Law Firm.
To protect client data, our records are...
Stored inside an encrypted volume that can only be mounted for access on our local system with the correct password.
We have cloud access to this data, but only through remote desktop access or a file vault that requires two-factor authentication to get in. I am surprised by some firms that will scan sensitive client data, such as medical records, and simply save it to a regular desktop in an unprotected local file system.
Sloane Perras is the Chief Legal Officer for The Krystal Company, an American fast food restaurant chain headquartered in Atlanta, Georgia. In her current capacity, Ms. Perras oversees the Legal and Risk departments for the Krystal brand and is involved in oversight of risk management, company litigation, compliance and employment law. Her expertise includes team leadership, business advisory, mergers & acquisitions, vendor management and employment relations.
What technologies and or processes are in place to protect your clients' sensitive information?
As a client, when searching for a reputable data protection firm, I look for a few key attributes, including deep knowledge of the latest industry best practices, full transparency as a partner, and a comprehensive crisis management protocol.
First, the firm must comply with not only our own industry standard in the hospitality field, but they must follow the highest standards within the data protection and regulatory fields. Next, they need to be transparent with us, which means going above and beyond to be open about actual and potential risks and any associated exposure.
Lastly, any firm I look to hire for data protection must have a clear crisis management protocol in place. If a data breach occurs, we need them to respond appropriately and urgently to protect our data. In short, we're looking for a partner who can help us navigate through an incident that could easily cripple our brand.
Marco Maggio is the Director of U.S. Legal Practice at All Covered, a Konica-Minolta Company.
Firms are recently getting requests from their clients asking to see their security framework and policies. In that vein, I would make sure that they...
Have up to date policies such as acceptable use or computer use policies, breach response policies and plans, and robust security policies. As a component of these policies I would suggest regularly scheduled third party penetration tests and vulnerability assessments performed to understand gaps or potential threat areas. Some firms may even require ethical hacking to test end user behavior and your potential exposure. Encryption of sensitive and confidential data is paramount to preventing security leaks.
The level of encryption may vary based on practice areas or, more importantly, the firms' clients. At a minimum, emails and attachments that contain confidential data should be encrypted or sent through collaboration tools that send encrypted links rather than plain text data. Although compliance is not the same as security, mapping to a relevant regulatory compliance measure based on your clients is highly advised. Many firms map to a framework such as ISO27002, NIST or FISMA. This is merely a component of taking best reasonable efforts to protect the firms' and clients' data, but is simply a step.
End user education becomes paramount to the success of any security endeavor. The firm's end users must be educated on a regular basis so that they understand appropriate behavior and steps they should take in case they come across something suspicious or feel as though an event has occurred. At the end of the day, it's no longer about just being secure, it's about being secure in a provable way. Recommended tips to begin to secure your environment would be to:
- Align yourself with a recognizable standard - ISO or NIST (or a variant NCSF)
- Develop an attestation strategy
- Determine how to prove security to stakeholders
- Take a risk based iterative approach
- Start moving *before* you need to move
- Information Security Management Systems aren't developed in a day
- Slow & steady wins the race
- The challenge is that ISMS development is important but not urgent, until it's really urgent
Christopher R. Blazejewski
Christopher R. Blazejewski is a partner at Sherin and Lodgen LLP, with offices in Boston and Providence, concentrating on commercial litigation, professional ethics, and business law.
With the changing landscapes of law and technology, what can a law firm do to protect confidential client information in the digital age? Firms should create and implement the following policies:
- An information security policy that covers all information systems, including e-mail, voicemail, text messages, the Internet, computers, work stations, laptops, cell phones, software, passwords, remote access, and cloud computing.
- A social networking policy that covers firm hardware, software, and Internet sites, including Facebook, Twitter, LinkedIn, Google+, and other social networking sites, and prohibits transmitting unauthorized information relating to clients or the firm.
- According to the needs of each client, document management policies that cover the collection, transmission, maintenance, and storage of client information, including documents stored in hard copy, electronically, or remotely, or covered by a confidentiality agreement or court order.
Ross W. Albers
Ross W. Albers is a criminal, DUI/DWI, personal injury and traffic attorney in Maryland. He litigates cases in the circuit, district and federal courts of Maryland. The Law Offices of Ross W. Albers are based in Westminster, MD.
What processes are in place to protect your clients' sensitive information?
As a sole practitioner, I'm often faced with protecting clients' personal confidential information such as their social security numbers. Insurance companies constantly call asking for my clients' SSN so they can run my clients' information through their giant databases and collect information for future claims my clients may make. I advise my clients that I will not distribute their SSN without their consent.
Kevin Kay is the Chief Innovation Officer at Red Sky Solutions, an IT engineering firm focused on reducing operational burden and cost for their clients, and has over 30 years in the networking field directly supporting all networked systems. He is responsible for architecting and engineering custom IT for individual clients and ensuring Red Sky's team is on top of ever-changing trends and technologies.
Most industries have a common set of best-practice security measures to protect sensitive data. Law firms and the law industry in general are no different. It can be broken up into several segments:
Perimeter security is the place most firms will start. Selecting a quality next generation firewall is a must, detecting and blocking sophisticated attacks at the application, port and protocol levels. Traffic coming into a firewall using http is not always standard web traffic. A quality next generation firewall ensures the traffic is what is indicated.
A solid subscription service looking at malware, virus and URL filters is commonplace. A service that dovetails with other security devices/software reduces management overhead and condenses support contracts. Many services are layered on top of existing security measures and become a burden for the users and network infrastructure. A successful model integrates with perimeter firewalls and endpoint security alike. When a virus or malware is detected somewhere else, your systems are updated automatically to guard against an attack before it can hit your business.
Cloud computing is a great way to extend a data center economically and quickly. The resources provided by the adoption of cloud computing are called "Shadow IT." Forensic data collection is involved in using outside cloud resources. This ensures visibility and policy around using "unsanctioned" resources. Dropbox-type services are convenient and easily shared, but any firm with compliance and regulations to adhere to can't use many of these. Using forensic data collection software brings visibility to the use of unsanctioned storage and provides a mechanism to prove compliance.
Many of today's savvy hackers exploit known vulnerabilities in the software we use to conduct daily business. Staying current on patch levels has never been more relevant. Access control is the process that confirms a user is who they say they are and gives that user access to the resources they need to do their job function. It's the foundation where policy is defined and enforced. While authenticating a user, a process runs to ensure they're up-to-date on patch levels. Another process sends traffic to/from a non-company device (i.e., smartphone, tablet) to a safe network even though internal credentials are used. This allows the user to get email and sync calendar events on non-company provided devices, without access to encrypted company resources where sensitive data lives.
Virtual Desktop Infrastructure (VDI) is becoming more common. With the proper policies in place and a solid VDI deployment, the devices accessing data become immaterial. For example, if a laptop is stolen from a user with a lot of access and data, it's a serious vulnerability. By keeping data in a VDI container, that laptop is nothing more than an access device. If the laptop gets stolen, it's simply cut off from accessing the VDI environment. A new access device is issued and that user goes back to work.
Jane Muir is an "AV" rated commercial litigator with Gersten & Muir, P.A., a certified Women-Owned Business.
Maintaining client confidentiality is our first priority. To keep client files confidential, and well-organized, we...
Still maintain physical client files.
For the most sensitive information we receive, we might keep it in paper form, or maybe even not write it down at all. After all, nobody has figured out how to hack into someone's brain yet. For our electronic files, we encrypt identifiable fields and files in our database and during transmission. Our system meets HIPAA and bank-level security standards.
Eric Au is Director of Business Process Management for Tower Consulting Services, a full-service legal staffing and managed review company focused on the principles of agility, accountability, and transparency. Specializing in legal technology, business process improvement and risk management, he brings over a decade of project management experience in legal services at top Am Law 20 firms, global financial institutions, and electronic discovery service providers. Eric has provided guidance to clients regarding electronic discovery (eDiscovery) best practices and how best to use technology to support their matters in areas of early case assessment, data collection and preservation, and processing for review.
What technologies and/or processes are in place to protect your clients' sensitive information?
First and foremost, only users needing access to confidential files should have access to these files - in other words, these files should not be stored on the open network for everyone to access. Limiting the areas on the network where these files can be stored (e.g. document repository system or Sharepoint) and implementing user access control is a good first step.
Other processes in place to protect client information include:
Unless someone has a business need for it, users should not be able to access the USB ports on their PCs. This is to prevent the unauthorized copying of confidential files onto external media such as thumb drives, hard drives or burning data onto a DVD.
When transferring files electronically between the firm and outside parties, a secured FTP site should be used and the files to be transferred should be encrypted and password-protected so if the contents are intercepted by an unauthorized party, there is a security measure in place.
Online storage sites such as Dropbox and personal email sites such as Yahoo email, GMail, and LinkedIn email should be disabled to prevent users from saving and transferring data outside of the controlled environment.
User access to confidential case files should be monitored regularly so when someone leaves the firm, his or her email account is deactivated and access to the firm's system is promptly revoked.
Adam L.K. Philipp
Adam L.K. Philipp is the Founder of AEON Law, a high technology intellectual property law firm focused on patent, trademark, copyright, and related IP.
What technologies and/or processes are in place to protect your clients' sensitive information?
We use secured remote-desktop access over SSL and otherwise all files are key-card accessible or under physical lock & key.
Thom Gray is the Managing Attorney at The Gray Law Firm, P.C., a small firm located in Elizabethton, TN. His areas of practice include business law, information technology law, and cybersecurity. He also publishes a community website, the Carter County Compass.
First and foremost, the one thing you cannot use for client data is conventional e-mail, especially third-party services like Gmail or Yahoo Mail. These companies increasingly base their revenue models on data-mining, including mining your e-mails. A secure platform for sharing digital information is critical.
Second, permission control is critical. Only personnel with a need-to-know should ever be granted access to client data. You never know when a conflict of interest may arise or an employee may go rogue. Related to that, you need to be able to track who has access to what information.
We use a cloud-based, business-class collaboration service featuring secure messaging, conversation tracking, and total control over permissions. We can make generalized information available to all lawyers and staff, such as HR matters, but cordon off client matters so that only specific lawyers can access the info. We can even add clients as guest users to our system: they can share information directly with us but cannot even see that other clients' information or internal firm matters exist on the server.
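The need-to-know model described above (explicit per-matter grants, guests who cannot tell that other matters exist, and a record of who has access to what), together with the access limits and prompt revocation Eric Au recommends earlier, as an added example. This is not code from the original article or from any product mentioned in it; it is a self-contained model written for this page. The firm-wide area name `firm-shared`, the user and matter names, and the document contents are constructed assumptions.

```python
"""Matter-scoped access control: need-to-know grants, existence hiding, access log.

Added example for this page; constructed data, not any firm's or vendor's code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

FIRM_SHARED = "firm-shared"  # assumed name of the area every lawyer and staff member can read


class NotFound(Exception):
    """Raised for unauthorized AND nonexistent matters with one fixed message,
    so a caller cannot learn whether a matter exists by probing for it."""


@dataclass
class Repository:
    documents: dict[str, dict[str, str]] = field(default_factory=dict)  # matter -> {doc: text}
    staff: set[str] = field(default_factory=set)                          # lawyers and staff
    guests: set[str] = field(default_factory=set)                         # clients added as guests
    grants: dict[str, set[str]] = field(default_factory=dict)             # user -> matters granted
    access_log: list[tuple[str, str, str, str, str]] = field(default_factory=list)

    def add_user(self, user: str, guest: bool = False) -> None:
        (self.guests if guest else self.staff).add(user)
        self.grants.setdefault(user, set())

    def add_document(self, matter: str, name: str, text: str) -> None:
        self.documents.setdefault(matter, {})[name] = text

    def grant(self, user: str, matter: str) -> None:
        """Explicit, per-matter grant; nothing is readable by default."""
        self.grants[user].add(matter)  # KeyError for an unknown user is deliberate

    def revoke_user(self, user: str) -> None:
        """Offboarding: drop every grant at once instead of hunting matter by matter."""
        self.staff.discard(user)
        self.guests.discard(user)
        self.grants.pop(user, None)

    def visible_matters(self, user: str) -> set[str]:
        allowed = set(self.grants.get(user, ()))
        if user in self.staff:
            allowed.add(FIRM_SHARED)  # guests never see the firm-wide area
        return allowed & set(self.documents)  # only matters that actually exist

    def list_matters(self, user: str) -> list[str]:
        return sorted(self.visible_matters(user))

    def read(self, user: str, matter: str, name: str) -> str:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        docs = self.documents.get(matter, {})
        if matter in self.visible_matters(user) and name in docs:
            self.access_log.append((stamp, user, matter, name, "allowed"))
            return docs[name]
        self.access_log.append((stamp, user, matter, name, "denied"))
        raise NotFound("document not found")  # same wording whether the matter exists or not

    def who_can_read(self, matter: str) -> list[str]:
        """Answers 'who has access to this matter?' for a conflict check or an audit."""
        return sorted(u for u in self.grants if matter in self.visible_matters(u))


def build_demo() -> Repository:
    """Constructed sample: two client matters, one lawyer, one paralegal, one guest client."""
    repo = Repository()
    repo.add_document(FIRM_SHARED, "holiday-schedule", "office closed 4 July")
    repo.add_document("client-a-2024", "memo", "privileged strategy memo for client A")
    repo.add_document("client-b-2024", "memo", "privileged strategy memo for client B")
    repo.add_user("alice")                 # lawyer on matter A
    repo.add_user("bob")                   # paralegal, firm-wide material only
    repo.add_user("client-a", guest=True)  # the client, as a guest user
    repo.grant("alice", "client-a-2024")
    repo.grant("client-a", "client-a-2024")
    return repo


if __name__ == "__main__":
    repo = build_demo()
    print("client-a sees:", repo.list_matters("client-a"))
    try:
        repo.read("client-a", "client-b-2024", "memo")
    except NotFound as err:
        print("client-a reading matter B:", err)
    repo.revoke_user("alice")
    print("who can read matter A after offboarding alice:", repo.who_can_read("client-a-2024"))
```

The point of raising the same `NotFound` for a forbidden matter and for a matter that does not exist is that a guest probing matter names learns nothing from the error; an "access denied" reply would confirm the matter exists. Every read attempt, allowed or denied, lands in `access_log`, which is what lets the firm answer "who touched this file and when" after a departure or a conflict-of-interest question.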
Steve Santorelli is the Director of Intelligence and Outreach at Team Cymru, a Lake Mary, FL based Threat Intelligence firm.
What technologies and or processes are in place (or should be in place) to protect your clients' sensitive information?
It's all about encryption of the 3 main risk areas for data held: data in transit, at rest and in backups.
It doesn't matter if it's email, instant messages, case files, discovery or 3rd-party expert communications; the principle of encryption is the ONLY way you can really satisfy due diligence requirements.
In transit means using systems that have encryption built in, as the gold standard here (GnuPG or PGP) is notoriously hard to implement in practice. So a fully patched email server is a great start, and webmail over https would be mandatory as well, but also give some thought to where any 3rd-party email service holds your data and how they back it up for you.
Instant message platforms that are very secure are now popping up post-Snowden like rabbits: Signal and Wickr are great starters, but there are loads to choose from.
Also consider further securing your systems with a good VPN provider, especially for lawyers that are traveling a lot.
Static data is ideally protected by full disc encryption or using PGP containers, and don't forget about USB keys too - consider a hardware encrypted device like an IronKey.
Finally: backups need to be encrypted and tested regularly... where are they kept, who controls them? Do they actually restore when tested?
Sadly, lawyers are just as likely to be a victim of a non-targeted attack from traditional acquisitive criminals (e.g. a ransomware attack) as they are from a targeted attack where specific data is sought. The reality however is that the impact of a successful targeted attack is likely to be massive if significant corporate secrets are stolen: it's virtually impossible to prevent a breach, what makes it survivable is when the data that's stolen is so heavily and correctly encrypted that the thief can't use it.
David Thompson serves as the Senior Director of Product Management for LightCyber, responsible for assessing customer and market requirements, conducting sales and channel training and enablement, market education, and overall solution definition. He has been with LightCyber since late 2014. Mr. Thompson has over 15 years of experience focused on information security. Prior to joining LightCyber, he served in Product Management leadership positions for OpenDNS, iPass, Websense, and Voltage Security (now HP). Prior to running product management at Voltage Security, Mr. Thompson was a Program Director at Meta Group (now Gartner) responsible for security research topics including encryption, PKI, remote access, and secure network design.
What technologies and or processes are in place (or should be) to protect your clients' sensitive information?
The fact is, a targeted attacker can penetrate just about any network. It may take some time and effort, but eventually they will find a way in. The old belief was that better walls and security smarts would keep the bad guys out. Now, the FBI & Gartner agree that no security is flawless enough to prevent intruders. Outside of some security vendors, most everyone seems to believe that idea. In fact, most of the business discussion over the past month has ranged from "you better buy cyber insurance" to "get a communications plan in place."
It is also true that once an attacker finds a way into the network of a company or organization, they can go about undetected to conduct their clandestine business. There is very little focus or ability to patrol activity on the network. Most of the security focus - people, products, policies, procedures - is still on prevention.
When an intruder lands inside a network, they are mostly blind. They need to look around and understand things about the network and what's on it. They also need to move around to get additional points of control and prepare to steal or damage assets. This kind of operational activity can be spotted, but not with traditional security. Traditional security focuses on the signatures and "fingerprints" of attacks. Much of the reconnaissance and lateral movement done by intruders once inside a network will not be detectable by these means. The other issue with traditional security is that systems look for anomalous behaviors and issue alerts. Unfortunately the level of accuracy and actionability of these alerts is low, and a firm may receive hundreds of alerts in a single day. One of these may indicate a real active breach, but it would likely be drowned in a sea of false positives. A new category of technology, called active breach detection, can discern these movements early and accurately so that the breach can be shut down before theft or damage ensues.
While data breaches cannot always be prevented, it is possible to detect a breach early and stop it.
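The reconnaissance and lateral-movement behaviour described above is visible in ordinary flow records if you look at fan-out rather than signatures. The following is an added illustration written for this page, not LightCyber's product or any vendor's algorithm: it parses constructed flow log lines (the `time src -> dst:port` format, the 10.0.1.0/24 addresses, and the thresholds are all assumptions made for the example) and flags a host that suddenly contacts many peers on one port or many ports on one peer inside a five-minute window.

```python
"""Flag reconnaissance-style fan-out in internal flow logs.

Added example, not LightCyber's code: lateral movement and internal
reconnaissance show up as one host talking to many peers (or many ports)
in a short window, which no malware signature would catch.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
PEER_THRESHOLD = 10   # distinct internal hosts contacted in one window (assumed)
PORT_THRESHOLD = 6    # distinct ports tried on one host in one window (assumed)

# Assumed log format: "<ISO time> <src> -> <dst>:<port>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_flow(line):
    """Split one flow line into (timestamp, src, dst, port)."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def window_start(ts):
    """Align a timestamp to a fixed five-minute bucket (start of that bucket)."""
    midnight = datetime(ts.year, ts.month, ts.day)
    bucket = ((ts - midnight) // WINDOW) * WINDOW
    return midnight + bucket


def detect_recon(lines):
    """Return findings for hosts whose fan-out exceeds the thresholds."""
    peers = defaultdict(set)   # (src, window) -> {dst}
    ports = defaultdict(set)   # (src, dst, window) -> {port}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        w = window_start(ts)
        peers[(src, w)].add(dst)
        ports[(src, dst, w)].add(port)

    findings = []
    for (src, w), dsts in peers.items():
        if len(dsts) >= PEER_THRESHOLD:
            findings.append({"type": "lateral_fanout", "src": src,
                             "window": w.isoformat(), "count": len(dsts)})
    for (src, dst, w), ps in ports.items():
        if len(ps) >= PORT_THRESHOLD:
            findings.append({"type": "port_sweep", "src": src, "dst": dst,
                             "window": w.isoformat(), "count": len(ps)})
    return sorted(findings, key=lambda f: (f["window"], f["src"], f["type"]))


def sample_flows():
    """Constructed sample traffic (not a real capture): one benign workstation
    and one host doing internal reconnaissance."""
    lines = [
        "2024-01-10T09:00:01 10.0.1.15 -> 10.0.1.5:445",
        "2024-01-10T09:00:40 10.0.1.15 -> 10.0.1.6:443",
        "2024-01-10T09:03:12 10.0.1.15 -> 10.0.1.5:445",
    ]
    # 10.0.1.77 touches twelve different hosts on SMB within two minutes ...
    for i in range(1, 13):
        lines.append(f"2024-01-10T09:01:{i:02d} 10.0.1.77 -> 10.0.1.{i}:445")
    # ... and probes eight ports on the file server.
    for j, port in enumerate((22, 80, 135, 139, 445, 3389, 5985, 8080)):
        lines.append(f"2024-01-10T09:02:{j:02d} 10.0.1.77 -> 10.0.1.5:{port}")
    return lines


if __name__ == "__main__":
    for finding in detect_recon(sample_flows()):
        print(finding)
```

Running it reports two findings, both for 10.0.1.77 (twelve peers on one port, eight ports on one peer), and nothing for the workstation, which contacts two servers it always contacts. In a real deployment the thresholds would be set per network segment and the baseline learned from a quiet period rather than hard-coded.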
Michael Fimin is an accomplished expert in information security, and the CEO and Co-Founder of Netwrix, the #1 provider of change and configuration auditing solutions. Netwrix delivers complete visibility into who did what, when and where across the entire IT infrastructure.
I would suggest three practices law firms can follow to protect confidential data:
- Privilege management. The main thing in protecting sensitive information is to grant adequate access privileges and separate them. Make sure that every employee has necessary permissions according to their business needs, but nothing more.
- Monitor user accounts. This is an effective method to spot malicious activities at an early stage, and it is especially true for privileged users, such as system administrators. Since it's not always possible to restrict access rights, the best thing you can do is to watch these particular accounts closely. As to regular users, it's much simpler: disable the accounts of former employees as soon as they leave the organization and be attentive to a sudden splash of user activity, which is a good reason to investigate.
- Audit IT infrastructure. Regular auditing of all changes made across the IT infrastructure is key to successful compliance validation. Manual auditing can be ineffective and time-consuming, whereas automated auditing will do all the work for you, ensure all security policies are working and help to comply with regulatory standards. I would recommend making sure that employees are aware that their activities are being monitored for security reasons and publishing regular anonymous audit reports. This will force both ordinary users and IT administrators to control their actions and be more careful when dealing with sensitive data.
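The second practice (watch privileged accounts closely, disable former employees' accounts, and investigate sudden splashes of activity) can be turned into a small daily review over an audit trail. The following is an added example written for this page, not Netwrix's software or its method: it reads constructed audit events in an assumed `time user action` format, with an assumed offboarding list, privileged-account list, business-hours window and spike factor, and reports offboarded accounts still active, privileged actions outside business hours, and users whose daily event count is far above their own baseline.

```python
"""Daily review of user-account activity against an audit trail.

Added example, not Netwrix's code. Three checks from the advice above:
  1. an offboarded account that is still producing events,
  2. a privileged account acting outside business hours,
  3. a user whose event count for the day is a multiple of their own baseline.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# All of the following are assumptions made for the example.
OFFBOARDED = {"carol": "2024-01-05"}   # user -> last day of employment
PRIVILEGED = {"dave"}                  # accounts with administrative rights
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
SPIKE_FACTOR = 3                       # today >= 3x baseline is a spike
MIN_BASELINE = 5                       # floor so quiet users don't trip on tiny counts


def parse_event(line):
    """Assumed format: '<ISO time> <user> <action...>'."""
    ts, user, action = line.strip().split(" ", 2)
    return datetime.fromisoformat(ts), user, action


def review_day(lines, day):
    """Return findings for the given day (ISO date string) using the other
    days in the trail as each user's baseline."""
    daily = defaultdict(Counter)   # user -> Counter(date -> event count)
    findings = []
    for line in lines:
        ts, user, action = parse_event(line)
        date = ts.date().isoformat()
        daily[user][date] += 1
        if date != day:
            continue
        if user in OFFBOARDED and date > OFFBOARDED[user]:
            findings.append({"type": "offboarded_account_active",
                             "user": user, "detail": action})
        if user in PRIVILEGED and ts.hour not in BUSINESS_HOURS:
            findings.append({"type": "privileged_offhours",
                             "user": user, "detail": f"{ts.time()} {action}"})

    for user, counts in daily.items():
        today = counts.get(day, 0)
        other_days = [n for d, n in counts.items() if d != day]
        baseline = max(median(other_days), MIN_BASELINE) if other_days else MIN_BASELINE
        if today >= SPIKE_FACTOR * baseline:
            findings.append({"type": "activity_spike", "user": user,
                             "detail": f"{today} events vs baseline {baseline:g}"})
    return findings


def sample_events():
    """Constructed audit trail (not real data): three baseline days, then the
    day under review with one spike, one ghost account and one 02:30 admin action."""
    lines = []
    for d in (7, 8, 9):
        for i in range(10):
            lines.append(f"2024-01-{d:02d}T09:{i:02d}:00 alice read matter-1042")
        for i in range(8):
            lines.append(f"2024-01-{d:02d}T10:{i:02d}:00 bob read matter-2210")
        lines.append(f"2024-01-{d:02d}T11:00:00 dave reset-password alice")
    for i in range(11):
        lines.append(f"2024-01-10T09:{i:02d}:00 alice read matter-1042")
    for i in range(40):   # bob suddenly pulls forty documents
        lines.append(f"2024-01-10T14:{i:02d}:00 bob download matter-{3000 + i}")
    lines.append("2024-01-10T16:05:00 carol login vpn")                 # left on 5 Jan
    lines.append("2024-01-10T02:30:00 dave add-member domain-admins bob")  # off hours
    return lines


if __name__ == "__main__":
    for finding in review_day(sample_events(), "2024-01-10"):
        print(finding)
```

For the constructed trail the review flags exactly three things: carol's VPN login after her last day, dave's group change at 02:30, and bob's forty downloads against a baseline of eight. Alice's eleven reads against a baseline of ten are left alone, which is the point of comparing each user to their own history rather than to a fixed number.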
Evan Saez is a Cyber Threat Intelligence Analyst at LIFARS LLC, an international cybersecurity and digital forensics firm. His research and expertise are mainly focused on data mining, social media analytics, digital forensics, data breach response, and corporate network management. Evan's latest work project consisted of providing network support and policy compliance to a leading PR firm. As a member of a research team at St. John's University, Evan performed an in-depth analysis of the Zeus family of Trojans affecting the financial sector. Evan currently works on the development and implementation of advanced threat intelligence and monitoring software designed for financial institutions.
What technologies and or processes are in place (or should be) to protect your clients' sensitive information?
Although it may seem trivial, a good and properly set up firewall is the first step in defending your law firm against intruders.
Many firms make the mistake of wanting to save a bit of money and use a personal firewall instead of a business firewall. It's simply not worth the risk. Personal firewalls were not designed to protect a business and are likely to fail at the most critical of times. Proper endpoint protection is also a must. Be sure to select an endpoint protection vendor that offers lots of options and is able to detect a wide range of threats. The next step is to use IRM on sensitive documents. Using IRM protects your files from unauthorized access while also giving you the ability to monitor document access, as well as to revoke access by intruders at any time.
Of course, cybersecurity awareness programs are also a vital part of protecting your law firm, because humans are always the weakest link in the system and phishing attacks are the most effective way for hackers to gain access to your network. My advice would be to work with a company that can grab your employees' attention and really engage them in the training process. Not just lecture them; that is proven not to be very effective.