Lawyers Alert

Gain an advantage: protect your law firm from security breaches

Apr 27, 2017

Cybersecurity breaches might seem like a distant concern for law firms, when there are multiple client engagements on the go, and when attackers appear to target only the big names like Google and Yahoo. But picture the following scenarios and the threat becomes more apparent:

  • A member of a law firm finds a flash drive with the firm’s logo lying on the floor outside the firm’s offices. Wanting to be helpful and return the drive to its owner, they insert it into a computer – and unknowingly download a flood of malware that opens the firm’s network to hackers.
  • One evening, a member of the firm’s IT department, working late, takes a phone call from a distraught, angry-sounding person claiming she’s one of the firm’s partners, she can’t access the system, and she needs to change her password right now. The IT employee is so intimidated that he complies – and doesn’t pick up on the fact that the caller is really a hacker using social engineering to break into the system.
  • A disgruntled employee uses a flash drive to download a few crucial files disclosing the firm’s litigation strategy in a major case, to sell vital information to the opposing counsel in that litigation.

These hypothetical situations are entirely possible within many law firms today. Yet cybersecurity is a topic many law firms are reluctant to discuss, partly because it lies outside their area of operations, and partly because they feel it could be a black hole that drains management time and resources.

However, with many headlines about technical giants falling victim to hackers, some clients are growing concerned about whether their secrets are safe with their law firm. Firms that take action – and can show that they have done so – can gain increased confidence among clients for being proactive about the issue.

Many law firms have a false sense of security. They think that, because they do not hold large troves of customer credit card numbers, they are not a target for hackers. However, law firms are attractive targets for several reasons:

  • Firms hold vast amounts of confidential data – working documents on arguments being used at trial, drafts of legal agreements worked on for clients, and personal information on clients and members of the firm.
  • They have clients’ funds held in trust.
  • They need to maintain a reputation for reliability, making them particularly vulnerable to extortion from ransomware, in which a hacker paralyzes a firm’s computers until a ransom is paid.

But arguably the most significant reason law firms are attractive targets is that so few of them have taken effective security measures. A study by the International Legal Technology Association found a low standard of security among law firms, and revealed some alarming statistics:

  • 86% of firms do not use or require two-factor authentication
  • 78% do not issue encrypted USB drives
  • 76% do not automatically encrypt content-based email
  • 58% do not encrypt laptops
  • 87% do not use laptop tracking technology
  • 61% do not have intrusion detection tools
  • 64% do not have intrusion prevention tools

In the time since that study, it is unlikely that much has changed, despite the many highly publicized cases of intrusion and data theft across organizations of all kinds. A report in the Globe and Mail noted that at least seven law firms were targeted by cyberattacks, linked to computers in China, seeking information on an abortive takeover.

Two lines of defence: human and technical

As in any organization, there are two aspects to securing a law firm’s network against hostile intrusion: 1) human knowledge and alertness, and 2) comprehensive technical protection.

Human knowledge and alertness involves instilling a culture that considers security to be a high priority, making all members of the firm aware of the threats and what to do about them. This strategy is important because current threats depend heavily on people not being alert and/or taking shortcuts, such as using a mobile device that does not require a password.

Solutions are best found in frequent education that describes threats, their consequences and what to do about them. This education can be done in regular information sessions, perhaps at “lunch-and-learn” events. Online education that employees must complete, with a test at the end that they must pass, might also be effective.

The education plan should contain practical “if-then” information – for example, “if you don’t recognize the email address, then don’t open any attachments.” Technical protection must likewise be kept up to date. Instituting effective firewalls and carrying out penetration testing are only part of the process. Much of the technology solution must involve procedures and protocols, including requiring password protection on laptops and mobile devices, no matter how senior the partner and how much they complain about the time it takes to key in the password each time.

In this way, the “human” and “technical” sides of security measures complement each other.

Law firms can expect to see a continuing increase in client scrutiny around these matters. Clients will want to be assured that information on their issues is kept secure, including their intellectual property, patents, and settlement parameters.

There are three key priorities for law firms in this regard:

  1. Analyze the vulnerabilities the firm faces, such as widespread use of mobile devices by the firm’s members without requiring password protection.
  2. Consult appropriate professional advisors for more guidance on the strategies available to protect firm data and client data from intrusion and theft.
  3. Document the steps taken, including those that instill a culture that considers protection of data to be a high priority.

These are the first and most important steps for reassuring clients and prospective clients that their interests are being safeguarded.

Deepak Upadhya, MSC, CISA, is Vice-President, Risk Assurance & Analytics, in the Toronto office of Collins Barrow.
Michael Nicoló, CPA, CA, CPA (Illinois), is the leader of law firm services in the Toronto office of Collins Barrow.

Connect with Deepak by email at ddupadhya@collinsbarrow.com, or by phone at 647.288.8680.
Connect with Michael by email at mnicolo@collinsbarrow.com, or by phone at 647.726.1408.