While securing client and firm data has always been a minimum requirement for law firms, the onslaught of successful ransomware attacks over the past 12 months undeniably demonstrates that information security needs to be top of mind for every organization, regardless of size or industry.
Over the past several years, the legal industry has emerged as a particularly vulnerable target for three reasons. First, firms typically have access to vast amounts of highly confidential information. Second, the industry’s demonstrated reluctance to adopt security tools results in a weaker security posture than that of its clients. And third, like other similarly sized professional services organizations, law firms frequently rely on third-party vendors for anything from file sharing to infrastructure management, leaving them open to IT supply-chain ransomware attacks.
In this article, we’ll review and explore the best practices for protecting your firm and client data as well as areas of opportunity to strengthen your security posture.
Review your security principles
When considering information security, there is often an outsized emphasis on the individual security products and tools used to maintain a secure environment. Yet IT philosophy, architecture, design, configuration, and a “security-first” mindset do far more to increase an organization’s security posture than any single security tool. Here are some concrete best practices to implement:
1. Adopt a Security-First Mindset. Question everything – it’s not just IT’s problem!
Many of us have grown to be entirely reliant on IT for all things security. But as Bloomberg Law points out, we must reconsider the idea that security is “IT’s problem”. Indeed, security needs to be at the forefront of everyone’s mind. Whether it is an attorney, a paralegal, or a staff member, they all need to do their part to maintain security.
This defensive mindset is critical to maintaining a secure environment – not just digitally but physically as well. In an office setting, that might mean validating the copier repair technician or the person who waters the plants. Online, it means verbally validating an unusual request from a client or partner, or double-checking a URL before entering login credentials. Consider also adjusting standard procedures with security in mind. One example is to require money transfer requests to be authorized by voice, not just email, as an extra control to prevent being victimized by a phishing attack.
As part of shifting to a security-first mindset, it’s essential to reconsider what training looks like. Often, training is treated as a “one and done event” – an annual activity that must be suffered through, rather than an ongoing priority. Instead, engage in lighter, more frequent training and use responsive training tools to help educate your team on phishing attacks. Ultimately, your employees are your first line of defense – make sure they’re aware and prepared.
2. Implement the Principle of Least-Privilege. Control exposure by limiting access to “if-needed.”
The Principle of Least Privilege (PoLP), as defined by the US Cybersecurity & Infrastructure Security Agency, asserts that a given individual, application, or system “should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that right.”
Client confidentiality is a well-understood concept, but the PoLP does not rely on humans to enforce it; instead, it is ingrained in the way system access is architected. Rather than starting from everything and deciding which data and systems should be blocked for a given user, start from nothing and think critically about what they actually need to access.
This can sometimes be a point of contention with firm leadership that may be accustomed to accessing anything in the firm (even if they choose not to exercise that ability). However, doing so helps ensure that even if a cybercriminal gains credentials or ransomware is deployed at the firm, your exposure is limited.
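To make the difference between the two approaches concrete, here is an added example (not code from the original article) of a deny-by-default access check in Python. The roles, matter numbers, and user names are constructed for illustration. It contrasts an allowlist model, where a role is granted only the permissions it needs and matter access additionally requires an assignment, with the blocklist model the section warns against, where everything is visible unless someone remembered to block it. The point it shows is blast radius: if a paralegal's credentials are stolen, the allowlist model exposes only the matters that person was assigned to, while the blocklist model also exposes any matter added after the blocklist was last updated.

```python
"""Deny-by-default (least-privilege) access check versus a blocklist model.

Added example, not from the original article. Roles, permissions, matter
numbers and user names are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    matters: FrozenSet[str]  # matters this person is assigned to work on


# Each role is granted only the permissions its job requires.
# Anything not listed here is denied; there is no implicit "everything else".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "attorney": {"matter:read", "matter:write"},
    "paralegal": {"matter:read"},
    "billing": {"invoice:read", "invoice:write"},
    "it_admin": {"system:manage"},
}


def is_allowed(principal: Principal, action: str, resource: str,
               matter: Optional[str] = None) -> bool:
    """Allowlist check: the role must hold the permission, and matter-scoped
    resources additionally require that the user is assigned to that matter."""
    permission = f"{resource}:{action}"
    # Unknown role or missing permission -> deny by default.
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        return False
    if resource == "matter":
        return matter in principal.matters
    return True


def reachable_matters_allowlist(principal: Principal,
                                all_matters: Set[str]) -> Set[str]:
    """Matters a stolen credential for this user could read under PoLP."""
    return {m for m in all_matters if is_allowed(principal, "read", "matter", m)}


def reachable_matters_blocklist(principal: Principal, all_matters: Set[str],
                                blocked: Dict[str, Set[str]]) -> Set[str]:
    """The 'decide what to block' approach: every matter is visible unless an
    administrator explicitly blocked it for this user. New matters leak."""
    return {m for m in all_matters if m not in blocked.get(principal.user, set())}


# Constructed sample data: three matters, one paralegal assigned to M-1001.
ALL_MATTERS: Set[str] = {"M-1001", "M-1002", "M-1003"}
PARALEGAL = Principal(user="jdoe", role="paralegal", matters=frozenset({"M-1001"}))
# Blocklist written when only M-1001 and M-1002 existed; M-1003 was added later
# and nobody updated the list.
BLOCKED: Dict[str, Set[str]] = {"jdoe": {"M-1002"}}


if __name__ == "__main__":
    print("allowlist exposure:", sorted(reachable_matters_allowlist(PARALEGAL, ALL_MATTERS)))
    print("blocklist exposure:", sorted(reachable_matters_blocklist(PARALEGAL, ALL_MATTERS, BLOCKED)))
    print("paralegal may write M-1001:", is_allowed(PARALEGAL, "write", "matter", "M-1001"))
```

Running the script shows the allowlist model exposing only `M-1001`, while the blocklist model exposes `M-1001` and the never-blocked `M-1003`. The design choice worth noting is that the allowlist check has no "else allow" branch: a new role, a new resource kind, or a new matter gets no access until someone deliberately grants it, which is exactly the exposure limit the section describes.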
Reevaluate your IT environment and security tools
Law firms that wish to maintain a strong security posture need to invest in the right tools, question long-standing assumptions about security and understand the risks and tradeoffs that their vendors and partners adopt. Here are some considerations:
3. Practice threat mitigation rather than threat prevention. Effective information security involves layers, not a single wall.
It can be tempting to think in black and white terms regarding your security program and strive to create an environment that cybercriminals cannot penetrate. Yet in the past year, the US Government and one of the nation’s top cybersecurity firms both revealed they’d been victims of cyberattacks, making it clear that no amount of focus, money, or expertise can insulate you from an attack. It is not a matter of “if” but “when.”
By erecting multiple barriers of defense (as in a multi-layered security model), you can slow down an attack, limiting your exposure and making it more likely that you’ll be able to identify and react to an attack before too much damage is done. In this model, an attacker that penetrates one layer of defense may be thwarted by another layer.
4. Reevaluate infrastructure, access methods, and data storage. Modernizing your infrastructure can dramatically improve your security posture.
This recommendation can be wide-ranging, but the goal here is to recognize that the powerful forces of inertia and the path of least resistance may be leaving you vulnerable. Consider, for example, an on-premises IT environment and the use of remote desktops. Changes in remote and hybrid working patterns may have put a strain on your bandwidth, leading to performance challenges. This leads attorneys and staff to store critical documents locally rather than centrally, creating a security hole. Increasing your office bandwidth can mitigate those performance issues, while the adoption of cloud-based virtual desktops and infrastructure could eliminate them.
With a virtual desktop, even if an individual computer is compromised (or even just left in a coffee shop by accident), the actual damage is isolated. Data stays under your control, and, as a bonus, users typically experience a dramatic performance improvement. If a computer is stolen or a laptop is damaged, no data is exposed or lost – you can just procure a new computer and get access to your cloud desktop as if nothing ever happened.
5. Review your security toolbox. Adopt the security tools you know you should.
While security tools are not a panacea, they still matter. Multi-factor authentication (MFA), advanced endpoint protection, password managers, email security, and advanced firewall technology can go a long way to protecting you in that layered defense structure outlined earlier.
In its 2020 Legal Technology Survey Report, the ABA reports that MFA has been implemented by less than 50% of respondents, while just 43% of respondents use file encryption. Such basic security standards should no longer be considered optional but rather mandatory. Email addresses have become the de facto gateway to access other applications and information. Advanced phishing techniques have made credential theft common. By deploying MFA, you can mitigate the damage done with a stolen password.
Meanwhile, password managers make it easier to maintain different, long, and complex passwords for every account. With a corporate account, firms have the added benefit of quickly shutting down access to all those passwords in the event of a termination.
Validate your vendors and partners
For too long, managed service providers and technology partners have taken the stance of shielding their clients from the headaches, intricacies, and complications that a strong security stance involves. And law firms have gratefully accepted that shield without question. However, while such partners can significantly reduce the security burden on the internal team at a law firm, the responsibility is still shared.
Ensure you understand how seriously they take security, the security principles they adopt, the tools they use, and how they separate client environments.
Law firms owe it to themselves and their clients to understand which of their IT partner’s security measures depend on the firm’s own active participation and consent, and to make sure those steps are actually taken.
That’s why the final best practice is: