[BreachExchange] How Law Firms Can Make Information Security a Higher Priority
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Nov 9 20:33:42 EST 2017
https://www.darkreading.com/endpoint/how-law-firms-can-
make-information-security-a-higher-priority/a/d-id/1330337
Lawyers always have been responsible for protecting their clients'
information, but that was a lot easier to do when everything was on paper.
Here are four best practices to follow.
Some people think that law firms aren't interesting targets for computer
criminals. They don't typically have terabytes of credit cards and bank
accounts on file. But they do retain powerful clients, from wealthy
individuals to big companies, and they often have privileged information
about those clients, including details of business dealings and inside
information about their negotiating positions and future plans.
Of course, law firms have always had an ethical responsibility to protect
the confidentiality of their clients. This was a bit easier to do when
everything was on paper; the only risk was if the attorney left a sensitive
memo in a bar or if the firm didn't have tight physical security to prevent
a thief from gaining entry to the office — think Watergate. Clearly, things
have changed, but like many other sectors, the adoption of new technology
by law firms has outpaced the adoption of the security best practices
needed to live with that technology safely.
There are now several prominent examples of how things can go wrong.
Earlier this year, global law firm DLA Piper was hit by a strain of
ransomwarethat forced management to shut down its offices for several days
while IT dealt with the problem. In 2016, a breach referred to as the
Panama Papersentailed a massive document disclosure of 2.6 terabytes of
data from Panamanian-based law firm Mossack Fonseca. German newspaper
Süddeutsche Zeitung got hold of the documents, resulting in coverage of
celebrities' and politicians' financial transactions and other personal
details.
If events like these have a silver lining, it is the possibility that other
firms might learn from them in hopes of avoiding the same fate. Here are
four best practices law firms should consider as they seek to make
information security a higher priority:
1. Prioritize information security in the right way. Unfortunately, when
firms get serious about information security, they often do so by
designating a person responsible for preventing breaches from occurring.
While having a professional CISO is an important step that many firms ought
to take, they should do so with a broader understanding of what that person
is responsible for.
Breaches are going to occur. The CISO is not just responsible for reducing
the risk that they'll happen, but also leading the organization to adopt
practices that will limit their impact and setting the organization up to
respond properly and recover quickly when they do happen. And incidentally,
CISO's are most effective when the rest of the organization understands the
importance of good security practices and is open to improving those
practices rather than resisting them.
2. Reduce the firm's information footprint. Through our day-to-day use of
digital technology we tend to amass piles of valuable data, without even
thinking about it. What will computer criminals be able to get access to if
they compromise the computer or email account of a typical member of your
firm? There may be a lot of old data, documents, and emails sitting on the
laptops of your attorneys or on file servers that just don't need to be
there. Can you automatically archive old data to offline storage, where it
isn't readily available on the network?
3. Involve your employees as a part of the solution. When it comes to
reducing the firm's information footprint, a bit of personal awareness on
the part of individual employees can go a long way. Tagging an email as
"attorney client privileged" won't stop computer criminals from reading it.
They should constantly ask themselves, "Is this conversation with a client
an appropriate conversation to have via email, where it might be
permanently stored or exposed, or should I pick up the phone?"
Employees are also your front lines for detecting things such as phishing
attacks. Some people aren't very responsive to training, but others will
learn, and report suspicious things they see. Often, sophisticated attacks
will target multiple employees. The ones who are good at identifying them
may be your first warning.
4. Build an organization that is resilient. Again, breaches are going to
happen. The sensible approach is to put together a thorough incident
response and recovery strategy. The advent of ransomware makes an
especially powerful case for this: if your firm has been backing up all its
files and systems daily or even continually, there's no need to pay tens of
thousands of dollars to the criminals hijacking your firm's files.
Maintaining a highly secure and safe operation should be top of mind for
partners and directors at law firms of all sizes. This is not a routine IT
administration task but a smart business strategy that can keep your firm
thriving and in good stead with clients for many years to come.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171109/adf8c8b7/attachment.html>
More information about the BreachExchange
mailing list