Imagine your law firm gets a call from the FBI or other law enforcement agency.
An agent tells you an investigation has uncovered evidence that your law firm’s security had been breached and client data has been stolen. After checking on the report, not only do you find that hackers have in fact been in your systems, but they have been lurking in your network for a year or more. By then, these intruders have made off with thousands of emails, attachments, and confidential client information.
Unfortunately, this exact scenario has already happened to dozens of law firms across the country. Mandiant, an information security firm, has reported on investigations of data breaches at over 50 law firms. In one case, investigators found intruders at a law firm were able to obtain more than 30 sets of user credentials, to compromise approximately three dozen workstations, and harvest thousands of emails and attachments from mail servers.
The recent discovery of the Heartbleed security flaw has scared a lot of lawyers. The flaw was in OpenSSL, the encryption library behind a large share of the world's secure websites, and it let an attacker read chunks of a web server's memory, potentially exposing private keys, passwords, and client data, without leaving a trace in the server's logs.
But Heartbleed is just the latest in a long line of security threats. In fact, the FBI believes the threat to law firms is so serious that it held a special meeting in 2011 for the 200 largest law firms in New York to advise them about the increasing number of attacks.
According to Bloomberg News, “Over snacks in a large meeting room, the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.”
Your Data Security Responsibility
Information security is the set of systems and processes you use to protect the confidentiality, integrity, and availability of information. Law firms have a special responsibility to achieve this goal. ABA Model Rule 1.6(c) expressly requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” and its accompanying comment explains what counts as reasonable safeguards. Note, however, that the requirement is for lawyers to deliver a reasonable level of security, not absolute security.
What to Do About Cybersecurity
The American Bar Association’s 2013 Technology Survey reports that 15 percent of all firms had suffered a security breach. Just as worrying, 25 percent reported they didn’t know whether their firm had suffered a security breach in the past. The answer is to put technology, monitoring, and incident response plans in place before an attack, so that intrusions are detected and contained before they become critical.
No two organizations are identical, and each has its own security demands. If you want a full list of everything an organization should consider, there are the Critical Security Controls, a prioritized list of security controls agreed upon by a consortium that includes the National Security Agency, the Department of Defense, the Department of State, the Department of Defense Cyber Crime Center, the FBI and others. We won’t bore you with the complete list, but you can read more in “A Brief History of the 20 Critical Security Controls.”
The Technology of Security
Network security monitoring starts with an Intrusion Detection System (IDS) and its companion, an Intrusion Prevention System (IPS). An IDS watches network traffic, or activity on an individual computer, and raises an alert when it sees something that matches a known attack pattern or departs from normal behavior; an IPS sits in the path of the traffic and blocks the offending connection. The two usually work together: the IDS warns, the IPS acts. A separate class of tools, vulnerability scanners and endpoint management software, checks your own systems for obvious weaknesses and points of failure, such as an unpatched server or a device with a default password.
These systems can:
- Inventory and control the devices on your network, including the laptops, workstations, and servers a law firm uses, and watch processes, files, user activity, and network activity on them for suspicious behavior.
- Keep software up to date with security patches.
- Scan across the network for outdated software or insecure configurations.
In addition to vulnerability scanners and endpoint management software, some tools can also passively monitor network traffic to look for vulnerable software. Because many firms cannot afford to have an in-house security expert, many are outsourcing parts of the security process to managed security service providers.
These companies provide services like remote management and updating of security appliances, such as firewalls, remote updating of security software, and remote monitoring of network security.
Encryption is vital to limit the impact of a stolen or lost laptop, hard drive, or other portable media: without the key, the data on the device is unreadable to whoever finds it. Encryption should also be used to protect data that tends to get copied to many places, such as email messages, documents, and other files. A variety of encryption tools can be applied to important client emails and content; organizations should be aware of any obligation to encrypt particular data and use encryption to protect their data wherever it applies. Keep in mind that encryption only protects data while the key stays out of the attacker’s hands: an intruder who has taken over a logged-in user’s workstation sees the same decrypted files and messages the user does, which is why encryption complements, rather than replaces, monitoring.
Remember to Check Your Logs
For these tools to be effective, logs should be regularly monitored for signs of attacks, intrusions, and other security-related events. Ongoing log monitoring should cover sources such as network devices, firewalls, operating systems, authentication and access control systems, applications, and security software.
Logs should also be retained for a period long enough to meet firm policies and any regulatory requirements, and they should be copied to a central log server so that an intruder who compromises one machine cannot quietly erase its trail. Collecting logs from all of the appropriate sources can result in a significant volume of data. Because of this, many organizations fail to adequately review and monitor logs, and may only turn to them when it is too late and a security incident has already occurred.
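To make the IDS idea from “The Technology of Security” and the log review above concrete, here is an added example (not code from the original article) of the kind of automated check a monitoring tool or a managed security provider runs over logs. It looks at two sources named above, an authentication log and a firewall log, and flags two classic signs of the intrusion described at the top of the page: a burst of failed logins from one address followed by a success (credential guessing that worked), and one address probing many different ports on a server (reconnaissance). The log lines and their simplified syslog-style format are constructed for this example; real devices use their own formats and need their own parsers, and the thresholds are illustrative.

```python
"""Two simple detections over constructed log lines (added example, not from the article).

1. Brute-force login: N or more failed logins for one (source, user) pair within a
   time window, followed by a successful login from that same source.
2. Port scan: one source hitting at least min_ports distinct destination ports
   within a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Addresses use the
# RFC 5737 documentation ranges. Format is a simplified syslog style.
AUTH_LOG = """\
2014-05-06T02:14:01 auth sshd: Failed password for jsmith from 203.0.113.7 port 51122
2014-05-06T02:14:03 auth sshd: Failed password for jsmith from 203.0.113.7 port 51123
2014-05-06T02:14:06 auth sshd: Failed password for jsmith from 203.0.113.7 port 51124
2014-05-06T02:14:09 auth sshd: Failed password for jsmith from 203.0.113.7 port 51125
2014-05-06T02:14:12 auth sshd: Failed password for jsmith from 203.0.113.7 port 51126
2014-05-06T02:14:15 auth sshd: Accepted password for jsmith from 203.0.113.7 port 51127
2014-05-06T09:30:00 auth sshd: Failed password for alee from 198.51.100.4 port 40210
2014-05-06T09:30:20 auth sshd: Accepted password for alee from 198.51.100.4 port 40211
"""

# Constructed sample firewall log: one host sweeps twelve ports in twelve
# seconds, another legitimately retries port 443 twice.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
FIREWALL_LOG = "\n".join(
    f"2014-05-06T03:00:{i:02d} fw DENY src=192.0.2.9 dst=10.0.0.5 dport={p}"
    for i, p in enumerate(SCAN_PORTS)
) + "\n" + "\n".join([
    "2014-05-06T03:05:00 fw DENY src=198.51.100.4 dst=10.0.0.5 dport=443",
    "2014-05-06T03:05:30 fw DENY src=198.51.100.4 dst=10.0.0.5 dport=443",
])

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ DENY src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per successful login preceded by >= threshold failures
    from the same source for the same user inside the window."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated line; a real parser would route it elsewhere
        ts, key = parse_ts(m["ts"]), (m["src"], m["user"])
        # Keep only failures still inside the sliding window.
        recent = [t for t in failures[key] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({"src": m["src"], "user": m["user"],
                               "failures": len(recent), "success_at": m["ts"]})
            failures[key] = []  # success resets the counter for this pair
    return alerts


def detect_port_scans(lines, min_ports=10, window=timedelta(minutes=1)):
    """Return one alert per source that touched >= min_ports distinct destination
    ports inside the window; the alert records the largest count seen."""
    events = defaultdict(list)  # src -> [(timestamp, dport)] inside the window
    alerts = {}
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src = parse_ts(m["ts"]), m["src"]
        events[src] = [(t, p) for t, p in events[src] if ts - t <= window]
        events[src].append((ts, int(m["dport"])))
        distinct = {p for _, p in events[src]}
        if len(distinct) >= min_ports:
            alert = alerts.setdefault(src, {"src": src, "distinct_ports": 0,
                                            "first_alert_at": m["ts"]})
            alert["distinct_ports"] = max(alert["distinct_ports"], len(distinct))
    return list(alerts.values())


def run_all():
    """Run both detections over the constructed logs and return the alerts."""
    return {"brute_force": detect_brute_force(AUTH_LOG.splitlines()),
            "port_scans": detect_port_scans(FIREWALL_LOG.splitlines())}


if __name__ == "__main__":
    for kind, found in run_all().items():
        for alert in found:
            print(kind, alert)
```

Two points a practitioner would take from this: the checks are cheap, which is why they belong in a scheduled job rather than in a manual review after the fact, and both depend on the window and threshold being tuned to the firm’s normal traffic, since a help desk resetting passwords or a vulnerability scanner the firm runs itself will trip naive versions of these rules.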
There is obviously a lot more to say about information security. But this high-level overview should give you a good sense of the technology and processes a law firm should have in place to protect client data.