Data thieves and hackers are always looking for information that has the potential for exploitation. Whether their goal is to harass someone through blackmail or find personal data they can somehow monetize, no industry is overlooked. Of course, law firms have always worked with confidential data such as privileged communication with clients, intellectual property, or confidential deals involving major corporations -- all of which may put them in a particularly vulnerable state.
Once one understands that data thieves are experts in using mere data for criminal purposes, it becomes quite clear that law firms are just as, if not more vulnerable to cyber security risks, as are organizations in the medical field, the retail and banking industries, and a host of other industries.
In this article we will outline some of the unique issues that law firms have regarding cyber security risks, as well as outline a four-step plan designed to help reduce a firm's chance of experiencing a serious cyber security incident.
Challenges Law Firms Face
One of the foundational aspects of the legal system centers around attorney/client privilege. Lawyers are tasked with the responsibility of ensuring that all information they work with, for any given client, is protected against unwanted access and disclosure.
More Lucrative Targets
Ironically, because of the significant increase in cyber attacks, many law firms are now expanding their practices in order to reach clients in need of legal counsel regarding regulatory requirements and risk management. This expansion centering around cyber security and sensitive information, has only led the law firms themselves to become an even more lucrative target for hackers.
Potential for Blackmail
Last but not least, the personal and private information of law firm employees is another lucrative target by data thieves, since the potential for using this type of information for purposes of blackmail is significant.
Creating a Cyber Security Risk Plan
Begin With an Audit
Virtually every good plan begins with an audit to determine where an organization is at currently, and organizations within the legal industry are no exception. The first step law firms must take in developing a comprehensive cyber security plan is to conduct an internal security audit. As part of the assessment, firms in the legal industry must review their current level of cyber security readiness, by evaluating whether they have a data governance plan already in place, whether they have a security team that can rapidly locate sensitive information as well as determine who has access to this data and why, and, if they do have any technology security solutions in place, how effective are they?
Don't Forget Employees
In addition, law firms shoulder consider whether they are taking measures to ensure their employees are using safe computer practices such as using strong passwords, avoiding risky forms of communication such as personal email, or using unsecured BYOD (bring your own device) devices and/or unsecured mobile phones.
When to Engage a Cyber Security Expert
Gauge Your Expertise
While law firms certainly have their own area of expertise, so do cyber security experts. As cyber attacks become more and more sophisticated, the need for individuals with deep security experience whose full-time job is to develop an overall strategy to combat cyber security risks, will only increase.
Look at the Scale
Depending upon their size, some law firms may decide to hire a full-time security expert. Medium-sized or smaller law firms may decide to have a blend of some in-house expertise along with help from a third-party source, or they may decide to outsource security planning and execution to an independent third-party source altogether.
The Threat Within
Up until now, the primary focus has been on external security threats. However, law firms can also face threats from internal sources, whether it was due to an honest mistake made by an employee, poorly trained staff, or a malicious attempt to exploit confidential data by a disgruntled employee, in order to undermine their employer.
Step three of a comprehensive security plan should include training all employees in the use of good computer practices, with the emphasis on security issues and how to spot, as well as avoid a potential problem. Law firms must also protect both their employees and confidential data by ensuring access to data is only given on a need to know basis.
A thorough plan will also include deploying endpoint (user devices) security solutions, which means not only encrypting sensitive information on a device level but also encrypting the information itself, even while at rest.
Understanding the Threat
If a firm has not yet experienced a data breach, they may assume they're already doing everything right with regard to cyber security, or there is something about their specific practice that allows them to stay under the radar of hackers. Unfortunately, this is mere sentimental thinking which will more than likely be put to the test at some point.
As with every other industry, law firms must seriously address their obligation to protect confidential data. The potential to erase client confidence and trust after only one serious data breach of privileged attorney/client information is high. If you are part of a law firm and would like to develop a comprehensive data security plan, please contact us.