When one thinks of enticing and lucrative hacker targets, law firms likely aren't the first to come to mind. In fact, they may not even make the list.
But starting more than five years ago, federal authorities began specifically warning legal entities about their viability - and vulnerability - to hacker intrusions. Law firms typically are in possession of a stockpile of sensitive data relating to their clients. And depending on the type of firm, those clients may be businesses that generate international interest around matters like acquisitions and patents.
Despite the warnings, the legal industry is still lagging when it comes to data protection. As a result, firms facing increasing pressure to button up their cybersecurity presence - not only from authorities, but now also from their clients.
Much like any third-party relationship, law firms sign agreements with their corporate clients. And now those clients, including Wall Street companies, are demanding law firms undertake security measures and show proof of their ongoing security and monitoring, according to a recent article inThe New York Times.
Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.
So what can law firms do to both protect the sensitive information in their control and ensure their data, network and application security is up to snuff in the eyes of their clients? Here are seven suggestions:
1. Conduct a Risk Assessment
Your clients are going to ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where your confidential data, including information contained on mobile devices, could be at risk for exposure.
2. Deploy Advanced Security Defenses
Targeted, socially engineered emails, typically known as spear phishes, are a common ruse used by criminals to establish a foothold on law firm networks. To combat these attacks, consider security gateways specifically designed to protect your business in real time from threats like malware, zero-day vulnerabilities and data loss.
3. Secure Your Apps and Databases
Your most valuable data lies in your databases. Companies traditionally fail to focus enough attention on the application and database layers. Ensure these entryways to and repositories of critical data are locked down from an access and encryption perspective, are regularly scanned for vulnerabilities and misconfigurations, and are properly patched.
4. Have a Breach Response Plan in Place
Face it, breaches are going to happen. The key to mitigating the damage is detecting an intrusion and responding quickly. This requires having an actionable incident readiness and response plan in place (and many large corporate clients are asking for these plans specifically). Or consider proactive breach detection investigations, which are designed to identify if your firm has been victimized by a breach or if it suspects an attack already is happening.
5. Consider Help From a Managed Security Services Provider
Your core competency is representing your clients - not securing your infrastructure. Our 2014 Security Pressures Report, which surveyed more than 800 IT professionals, showcased that most organizations are reeling from budget constraints, skills shortages and time limitations when it comes to security. A managed security services provider can provide the help you need, while allowing you to concentrate on your business.
6. Establish or Improve Your Security Awareness Program
This blog just mentioned that criminals often rely on social engineering to trick users into downloading attachments or following links contained in an email. As such, train your employees to be on the lookout for fraudulent communications that might look legitimate, but aren't. They also should be mindful of other risks, such as transferring sensitive client data onto easy-to-lose memory sticks or sending emails containing confidential files to computers outside of the corporate firewall.
7. Reference Industry Groups
While admittedly lagging other industries, the legal community has a number of trade groups that are taking data security more seriously. For example, the International Legal Technology Association recently formed LegalSEC, an initiative whose primary goal is to introduce the legal field to the ISO 27000 series of standards. The American Bar Association also has provided resources.
Dan Kaplan is manager of online content at Trustwave.