[BreachExchange] Data breaches: Why law firms are at risk
audrey at riskbasedsecurity.com
Mon May 7 19:53:13 EDT 2018
It’s not surprising that the legal sector represents a goldmine for
hackers: it is a vital component of UK business and government
infrastructure. Law firms handle not only highly sensitive IP and
business-critical and financial data for clients but also personally
identifiable information (PII), which makes them a highly attractive target.
PwC's annual Law Firm Survey 2017 found that over 60 percent of all law
firms had reported suffering some form of security incident during the last
year. The most common security incidents continue to be phishing attacks,
with 12 percent of firms under attack on a daily basis.
It’s clear that the stakes couldn't be higher. The UK privacy watchdog, the
Information Commissioner’s Office (ICO), revealed a 173 percent increase in
PII-related incidents in the sector over the past quarter. That’s bad news
considering that the forthcoming EU General Data Protection Regulation
(GDPR) could increase fines for non-compliance to up to 4 percent of an
organisation’s global annual turnover or 20 million Euro, whichever is
higher. That’s up from the current maximum ICO fine of £500,000.
To complicate things further, the new regulation covers not just loss or
theft of PII but could also apply to any attacks which involve
“unauthorised access” to or “unlawful destruction” of personal data. That
means the GDPR could cover outages caused by ransomware, one of the biggest
threats to modern organisations, which ripped through international law
firm DLA Piper in June 2017.
Those who fail to take data protection seriously face punitive fines and
reputational damage. So, what can the industry do to fight back?
Hackers are increasingly targeting the sector because of the highly
sensitive data it holds, but also because law firms are typically viewed as
an easier target than some other sectors. This is because many of the
challenges associated with data protection in the legal sector come from
the mobile nature of the workforce. Data often has to be carried and stored
outside of the office, putting it at risk of theft or accidental loss. In
fact, loss or theft of paperwork and unencrypted devices were two of the
main issues affecting the legal profession according to a report by the ICO.
A combination of educating employees, establishing better processes and
implementing the right technology can boost security and make the sector a
less attractive target for hackers. A comprehensive awareness and education
programme, with sufficient training for employees to help prevent security
attacks and breaches, is a necessity. Law firms should implement strict
secure remote working policies and ensure these extend to partners and
contractors. Policies must include encryption of all sensitive data, both
at rest and in transit, particularly on removable storage devices. In fact,
Article 32 of the GDPR recommends that the controller or processor
implement measures such as encryption. Encrypting removable media, such as
USB drives or portable hard drives, is a simple step towards GDPR
compliance, and one that is often missing within organisations. To avoid
the potential for human error when data is being transferred outside of the
network or between systems, organisations need to research, identify and
mandate a corporate-standard encrypted mobile storage device. In addition,
use of that device should be enforced across the organisation through
policies – such as locking down USB ports so they accept only approved
devices.
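One way to implement the USB lockdown the paragraph calls for on Linux endpoints, as an added example that is not from the article: a shell script that turns an allowlist of the mandated encrypted drives into a USBGuard policy (allow the listed vendor:product ID and serial pairs, block every other mass-storage device). The device IDs and serial numbers are constructed placeholders, and the allowlist is assumed to be maintained by the firm's IT team.

```shell
#!/bin/sh
# Added example (not from the article): build a USBGuard policy that lets only
# the firm's mandated encrypted USB drives attach, and blocks any other
# mass-storage device. Vendor:product IDs and serials are constructed placeholders.
#
# Allowlist format, one unit per line: VENDOR:PRODUCT SERIAL DESCRIPTION
APPROVED_DEVICES='
abcd:1234 SN-EXAMPLE-0001 corporate-standard-encrypted-drive
abcd:1234 SN-EXAMPLE-0002 corporate-standard-encrypted-drive
'

# usb_allowed VENDOR:PRODUCT SERIAL -> returns 0 if that exact unit is approved.
# Matching on serial as well as vendor:product stops a same-model but unmanaged
# drive (unknown owner, not set up with corporate encryption) from passing.
usb_allowed() {
    printf '%s\n' "$APPROVED_DEVICES" |
        awk -v id="$1" -v sn="$2" '$1 == id && $2 == sn { found = 1 } END { exit !found }'
}

# gen_usbguard_rules -> prints a USBGuard rule set to stdout.
# Each approved unit is allowed only if its interface set is exactly mass
# storage (class 08), so a "drive" that also presents a keyboard interface
# does not match the allow rule. The final block rule stops every other
# device that exposes a mass-storage interface; keyboards, mice and other
# classes fall through to the existing policy. USBGuard applies the first
# matching rule, so the allow rules must come before the block rule.
gen_usbguard_rules() {
    printf '%s\n' "$APPROVED_DEVICES" | awk 'NF >= 2 {
        printf "allow id %s serial \"%s\" with-interface equals { 08:*:* }\n", $1, $2
    }'
    printf 'block with-interface one-of { 08:*:* }\n'
}

# Usage: ./usb-allowlist.sh --print > /etc/usbguard/rules.conf
if [ "${1:-}" = "--print" ]; then
    gen_usbguard_rules
fi
```

The policy controls which units may be attached at all; it complements, rather than replaces, the hardware encryption on the mandated device itself.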
With access to and transfer of data extending beyond the corporate network,
firms must also tighten access controls by rolling out two-factor
authentication for accounts and limiting privileged accounts, with remote
access to systems authenticated and logged.
Further best practice steps include enforcing appropriate security measures
such as advanced anti-malware at the endpoint, network, gateway and server
layers, and ensuring patches are deployed promptly and IT systems are
configured securely. Regular checks and continuous monitoring of all IT
systems to help detect intrusions are a must. Should a breach occur, firms
should also be prepared by having an established incident response plan in
place.
Under current data protection law, holders of personal data are responsible
for ensuring adequate measures are in place to avoid data breaches. The
GDPR will introduce various new requirements that law firms processing
personal data will have to comply with. Firms must ensure that they are
well placed to meet these obligations by May 2018.
What remains the most important aspect of protecting sensitive data within
law firms is consistency. IT teams, C-Suite and employees all need to be
educated on, and adhere to, the policies in place to ensure that sensitive
data doesn't end up in the wrong hands.