BreachExchange mailing list archives
Law Firms Aren't Immune to Cybersecurity Risks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Jan 2015 19:25:25 -0700
http://www.nationallawjournal.com/home/id=1202716120611/Law-Firms-Arent-Immune-to-Cybersecurity-Risks?mcode=1202617074964&curindex=5

Although law firms have managed to remain off the list of the year’s biggest data breach victims, firms watching cybersecurity trends most closely are feeling increasingly uneasy about their own security posture. Astute firms are looking to learn as they watch Target Corp., The Home Depot Inc., JPMorgan Chase & Co., Sony Corp. and others struggle to manage an endless stream of news stories that damage their brands, massive disruptions to everyday business, and a significant strain on resources as organizations respond to legal claims, comply with requests for information from regulators and scramble to bolster security systems in efforts to prevent further incidents.

Because law firms are routinely entrusted with large volumes of highly sensitive data under attorney-client privilege—private personal information, trade secrets, mergers and acquisitions details, litigation strategy, intellectual property research, health care data and more—it’s only a matter of time before they face the same level of scrutiny of their security practices as do corporations. The risks firms face from inadequate information-security policies, procedures and technology are just as serious and far-reaching as those faced by their corporate clients, and hackers are likely to perceive firms as an easier target.

Under mounting pressure from both clients and regulators, firms are being forced to reassess their cybersecurity controls and make investments that will better equip them to respond to attacks when they inevitably occur. Recent developments in the financial-services industry are especially instructive on how law firms can be more active in bolstering security. On Dec. 10, New York Superintendent of Financial Services Benjamin Lawsky issued an industry guidance letter to all banks regulated by his department, detailing how those institutions will be examined on protocols related to cybersecurity, including their “due diligence process” in “vetting, selecting and monitoring” the information-security practices of their third-party vendors. Law firm partners and executives who think this doesn’t apply to them haven’t been paying attention.

Compliance checklists

As The Wall Street Journal reports—and many firms can wearily attest—many banks have already begun requiring outside firms to complete compliance checklists detailing the state of their technology systems and security policies, and in some cases requiring firms to fulfill specific requirements regarding their own vendor-security programs. On-site visits by bank security officials to data centers of outside counsel are increasingly common, as are mandates that firms periodically hire independent auditors to test defenses and identify weaknesses.

As the fallout from high-profile data breaches makes abundantly clear, cybersecurity is not just an information-technology issue. It’s a business-risk issue that requires active engagement on the part of stakeholders across the organization. As such, cybersecurity requires a top-down, strategic approach driven by senior leadership. A narrow focus on tools and tactics simply is not adequate.

The general consensus among cybersecurity experts is that a purely defensive posture is likely to fail. Savvy organizations begin with the assumption that, no matter how good your defenses are, at some point a breach will occur. Rather than focus all efforts on preventing an attack, law firm partners should develop an information security program based on the premise that the firm’s network is already compromised.

This mindset forces the firm to address some uncomfortable but revealing questions: “How would we know whether we were compromised?” “Who is responsible for managing the firm’s response to a security breach that affects client data?” “What information would investigators need to determine the scope and scale of an incident, and are we equipped to collect and preserve such information?” The planning process required to answer those questions should be built on input from stakeholders across the organization, including information technology, security, compliance and management. Sound cybersecurity policy needs to start at the top, with partners setting the tone.

Initial steps

How do firms begin building a solid information security program? Here are some basic considerations.

Create a team of stakeholders from across the organization to take responsibility for information security. Their first task should be to perform a formal risk assessment to understand the sources and kinds of data they have and the risks associated with it. They should map the data to make sure they know who has access to them and why.

Determine what data reside with third-party vendors. Do they have direct access to the firm’s internal network? What due diligence has been conducted to assess risks and ensure the adequacy of the vendors’ security controls?

Examine data retention policies. Most organizations hold on to data much longer than is necessary. Data that you don’t have are data that can’t be compromised.

Understand and regularly review policies for data access controls, passwords, encryption, physical security and remote access. Given the nature of the work they perform, lawyers have a legitimate need for real-time access to large volumes of sensitive information. However, given the level of risk present at the “human layer” in any network, it is critical for firms to strike the right balance between accessibility and security. For many firms, cultural resistance from attorneys represents the greatest challenge in implementing necessary security controls.

Develop a detailed incident response plan, with provisions for business continuity and disaster recovery. A major component of this plan should be a comprehensive, mandatory training program for every individual in the organization who has access to sensitive data. Attorneys and staff need to understand the consequences of a breach and the importance of recognizing and reporting warning signs to minimize the impact of an incident.

Establishing sound information security practices is not just about policies and protocols. It requires a cultural transformation, starting at the top. Smart firms will work hard to build a culture of awareness and commitment to security. Employees can be your most valuable asset if they are well-trained and know what to watch for.

For many law firms, cybersecurity is not a do-it-yourself proposition. Firms that seek outside help from competent, independent professionals are, in effect, demonstrating to their clients and regulators that they take information security seriously. Consultants who provide risk-assessment services should be able to assess technical data security, privacy policies and security protocols and provide recommendations for improvement. They should also be able to perform vulnerability assessments and, if necessary, provide hands-on services like network monitoring and regular penetration testing. Having on-call access to expert cyber incident response services, including network forensics, malware analysis, insider incident investigations and root-cause analyses, is also helpful. A data breach impact assessment might help a firm identify, extract and analyze exposed data sets and develop an incident reporting process that will provide a clear picture of the progression of a breach and its potential impact.

Response services are available to improve litigation readiness in response to a breach. Can your firm ensure there will be proper preservation, collection and analysis of evidence if a breach occurs? Will you be able to prevent spoliation of data that may be relevant to subsequent litigation? If a vendor suffers a breach involving data entrusted to your firm, are you prepared to undertake an investigation? If the answer to any of these questions is “no” or “we’re not sure,” seeking outside help may be a good idea.

Finally, independent consultants can collaborate with a firm’s human resources department to optimize employee training for enhanced awareness and readiness. Specialized training programs can be customized for your firm’s risk profile and its likely attack vectors. Programs can be tailored to specific groups of employees, such as partners and executives, associates and legal support staff, information technology staff and incident first-responders.

As law firms invest the time and resources required to develop a solid, defensible information security program, it’s worth remembering that doing so not only prepares them for any security audits they may face in the future, but can also reap big benefits in their relationships with existing clients and their ability to win new business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/