Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/8/2017
10:30 AM
Tom Cross
Tom Cross
Commentary
100%
0%

How Law Firms Can Make Information Security a Higher Priority

Lawyers always have been responsible for protecting their clients' information, but that was a lot easier to do when everything was on paper. Here are four best practices to follow.

Some people think that law firms aren't interesting targets for computer criminals. They don't typically have terabytes of credit cards and bank accounts on file. But they do retain powerful clients, from wealthy individuals to big companies, and they often have privileged information about those clients, including details of business dealings and inside information about their negotiating positions and future plans.

Of course, law firms have always had an ethical responsibility to protect the confidentiality of their clients. This was a bit easier to do when everything was on paper; the only risk was if the attorney left a sensitive memo in a bar or if the firm didn't have tight physical security to prevent a thief from gaining entry to the office — think Watergate. Clearly, things have changed, but like many other sectors, the adoption of new technology by law firms has outpaced the adoption of the security best practices needed to live with that technology safely.

There are now several prominent examples of how things can go wrong. Earlier this year, global law firm DLA Piper was hit by a strain of ransomware that forced management to shut down its offices for several days while IT dealt with the problem. In 2016, a breach referred to as the Panama Papers entailed a massive document disclosure of 2.6 terabytes of data from Panamanian-based law firm Mossack Fonseca. German newspaper Süddeutsche Zeitung got hold of the documents, resulting in coverage of celebrities' and politicians' financial transactions and other personal details. 

If events like these have a silver lining, it is the possibility that other firms might learn from them in hopes of avoiding the same fate. Here are four best practices law firms should consider as they seek to make information security a higher priority:

1. Prioritize information security in the right way. Unfortunately, when firms get serious about information security, they often do so by designating a person responsible for preventing breaches from occurring. While having a professional CISO is an important step that many firms ought to take, they should do so with a broader understanding of what that person is responsible for.

Breaches are going to occur. The CISO is not just responsible for reducing the risk that they'll happen, but also leading the organization to adopt practices that will limit their impact and setting the organization up to respond properly and recover quickly when they do happen. And incidentally, CISO's are most effective when the rest of the organization understands the importance of good security practices and is open to improving those practices rather than resisting them.

2. Reduce the firm's information footprint. Through our day-to-day use of digital technology we tend to amass piles of valuable data, without even thinking about it. What will computer criminals be able to get access to if they compromise the computer or email account of a typical member of your firm? There may be a lot of old data, documents, and emails sitting on the laptops of your attorneys or on file servers that just don't need to be there. Can you automatically archive old data to offline storage, where it isn't readily available on the network?

3. Involve your employees as a part of the solution. When it comes to reducing the firm's information footprint, a bit of personal awareness on the part of individual employees can go a long way. Tagging an email as "attorney client privileged" won't stop computer criminals from reading it. They should constantly ask themselves, "Is this conversation with a client an appropriate conversation to have via email, where it might be permanently stored or exposed, or should I pick up the phone?"

Employees are also your front lines for detecting things such as phishing attacks. Some people aren't very responsive to training, but others will learn, and report suspicious things they see. Often, sophisticated attacks will target multiple employees. The ones who are good at identifying them may be your first warning.

4. Build an organization that is resilient. Again, breaches are going to happen. The sensible approach is to put together a thorough incident response and recovery strategy. The advent of ransomware makes an especially powerful case for this: if your firm has been backing up all its files and systems daily or even continually, there's no need to pay tens of thousands of dollars to the criminals hijacking your firm's files.

Maintaining a highly secure and safe operation should be top of mind for partners and directors at law firms of all sizes. This is not a routine IT administration task but a smart business strategy that can keep your firm thriving and in good stead with clients for many years to come.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Tom Cross is a highly experienced and respected information security leader who oversees all technical elements of OPAQ Networks and is responsible for communicating the technology strategy to partners, employees, and investors. He is the co-founder and former CTO of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olaf Barheine
50%
50%
Olaf Barheine,
User Rank: Apprentice
11/9/2017 | 2:43:01 AM
And please!
Do not carry your client data around on notebook computers or external hard disks in unencrypted form. Notebooks get stolen, hard drives get lost. The same applies to doctors I know and their patient records.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8904
PUBLISHED: 2020-08-12
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (en...
CVE-2020-8905
PUBLISHED: 2020-08-12
A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The 'enc_untrusted_recvfrom' function generates a return value which is deserialized by 'MessageReader', and copied into three different 'extents'. The length of ...
CVE-2020-12106
PUBLISHED: 2020-08-12
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point.
CVE-2020-12107
PUBLISHED: 2020-08-12
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allow full control over this module's Operating System.
CVE-2020-7374
PUBLISHED: 2020-08-12
Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user ...