When one thinks of enticing and lucrative hacker targets, law firms likely aren't the first to come to mind. In fact, they may not even make the list.
But starting more than five years ago, federal authorities began specifically warning legal entities about their viability - and vulnerability - to hacker intrusions. Law firms typically are in possession of a stockpile of sensitive data relating to their clients. And depending on the type of firm, those clients may be businesses that generate international interest around matters like acquisitions and patents.
Despite the warnings, the legal industry still lags behind other sectors when it comes to data protection. As a result, firms are facing increasing pressure to button up their cybersecurity posture, not only from authorities, but now also from their clients.
Much like any third-party relationship, law firms sign agreements with their corporate clients. And now those clients, including Wall Street companies, are demanding law firms undertake security measures and show proof of their ongoing security and monitoring, according to a recent article in The New York Times.
So what can law firms do to both protect the sensitive information in their control and ensure their data, network and application security is up to snuff in the eyes of their clients? Here are seven suggestions:
Your clients are going to ask what your security posture looks like, so it makes sense to perform a thorough risk assessment of your environment to identify the gaps where confidential data, including information stored on mobile devices, is at risk of exposure.
Targeted, socially engineered emails, known as spear phishing, are a common ruse criminals use to establish a foothold on law firm networks. To combat these attacks, consider email and web security gateways designed to protect your business in real time from threats like malware, zero-day exploits and data loss.
Your most valuable data lies in your databases. Companies traditionally fail to focus enough attention on the application and database layers. Ensure these entryways to and repositories of critical data are locked down from an access and encryption perspective, are regularly scanned for vulnerabilities and misconfigurations, and are properly patched.
Face it, breaches are going to happen. The key to mitigating the damage is detecting an intrusion and responding quickly. This requires having an actionable incident readiness and response plan in place (and many large corporate clients are asking for these plans specifically). Also consider proactive breach detection investigations, which are designed to determine whether your firm has already been breached, or to confirm a suspected attack that is under way.
Your core competency is representing your clients, not securing your infrastructure. Our 2014 Security Pressures Report, which surveyed more than 800 IT professionals, showed that most organizations are reeling from budget constraints, skills shortages and time limitations when it comes to security. A managed security services provider can supply the help you need while allowing you to concentrate on your business.
As noted above, criminals often rely on social engineering to trick users into opening attachments or following links contained in an email. Train your employees to be on the lookout for fraudulent communications that look legitimate but aren't: a sender name that matches a client while the address does not, a reply address that differs from the sender, or a link whose visible text does not match where it actually points. They also should be mindful of other risks, such as transferring sensitive client data onto easy-to-lose memory sticks or sending emails containing confidential files to computers outside of the corporate firewall.
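To make the spear-phishing tells from the two paragraphs above concrete, here is an added example (not code from Trustwave's post) that parses an email message and reports the classic indicators: a sender that borrows a known client's name while sending from a different domain, a Reply-To that points elsewhere, a link whose displayed URL differs from its real target, and executable-style attachments. The two sample messages, the law firm and client domains, and the trusted-domain list are all constructed for this illustration.

```python
"""Flag common spear-phishing indicators in an RFC 5322 message (added example)."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed for this example: domains the firm knows belong to a client.
TRUSTED_CLIENT_DOMAINS = {"acme.example"}

RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".hta", ".iso", ".lnk")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a lure impersonating the client's legal department.
SAMPLE_PHISH = """From: "Jane Doe (Acme Corp Legal)" <jane.doe@acme-corp-legal.example>
Reply-To: docs@acme-legal-share.example
To: partner@lawfirm.example
Subject: Revised term sheet for the Acme acquisition
Content-Type: text/html; charset="utf-8"

<p>Please review the revised draft here:
<a href="http://acme-corp-legal.example/login">https://portal.acme.example/terms</a></p>
"""

# Constructed sample: the same request sent legitimately.
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@acme.example>
To: partner@lawfirm.example
Subject: Revised term sheet for the Acme acquisition
Content-Type: text/html; charset="utf-8"

<p>Please review the revised draft here:
<a href="https://portal.acme.example/terms">https://portal.acme.example/terms</a></p>
"""


def phishing_indicators(raw_message: str, trusted_domains: set[str]) -> list[str]:
    """Return human-readable indicators; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    sender_name = sender.display_name.lower()

    # 1. Look-alike sender: the display name or domain borrows a client's name,
    #    but the real sending domain is not one the firm recognises.
    if sender_domain not in trusted_domains:
        for trusted in sorted(trusted_domains):
            label = trusted.split(".")[0]
            if label in sender_name or label in sender_domain:
                findings.append(
                    f"sender {sender.addr_spec!r} imitates client domain {trusted!r}")
                break

    # 2. Reply-To directing answers to a domain other than the sender's.
    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(
                f"Reply-To domain {reply_domain!r} differs from From domain {sender_domain!r}")

    # 3. Link text shows one URL while the href points at another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(href).hostname != urlparse(shown).hostname:
                findings.append(f"link text shows {shown!r} but points to {href!r}")

    # 4. Attachments with extensions that execute rather than open as documents.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name!r} has a risky extension")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample, TRUSTED_CLIENT_DOMAINS))
```

The checks are deliberately simple heuristics suited to an awareness session or a mail-flow rule, not a replacement for a gateway: they show staff exactly which header and link details to compare before clicking, and each finding names the mismatch it spotted.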
While admittedly lagging other industries, the legal community has a number of trade groups that are taking data security more seriously. For example, the International Legal Technology Association recently formed LegalSEC, an initiative whose primary goal is to introduce the legal field to the ISO 27000 series of standards. The American Bar Association also has provided resources.
Dan Kaplan is manager of online content at Trustwave.