This month, we speak with Matt Wolf of Carlson & Wolf about the security risks law firms face as business is increasingly conducted with the help of new technologies.
What special concerns do law firms have regarding IT security? What makes a law firm a target?
Today’s law firms face a difficult mix of operational, regulatory, and professional information data management requirements, each of which can introduce serious security concerns. Many industries are governed by one set of industry-specific rules, but because law firms provide legal services across industries, they fall under the umbrella of multiple sets of regulations and requirements.
According to reports from the FBI last year, some law firms are being targeted because they have weaker protections than their clients and are therefore an easier way for hackers to gain access to valuable client data. The most public example of this is the hacking of seven Canadian firms to gain access to sensitive information regarding a Potash merger and acquisition deal in 2010. However, law firms also have to worry about retaliatory attacks, either by hacktivists or supporters of an opposing party. There is at least one law firm that has fallen victim to a successful hacktivist attack and chose to close its doors in response.
What are some of the specific vulnerabilities you commonly see?
Data thieves are not the only pressing concern. Inadvertent disclosure resulting in a loss of privilege is something that could happen without an attacker or data thief being involved. A litigator’s exhibits or deposition transcripts being lost or damaged on the eve of a big trial is also something that could happen by accident without an attacker targeting the firm.
The most common problem I see is the fact that law firms are not consistently managing these risks in a business-centric, process-oriented way. Attackers may be the most pressing risk to one law firm, but that firm’s most pressing risk could be a seven-year-old server that is heavily relied upon and near the end of its useful life. Until a firm has gone through a risk analysis process, it will have no way of knowing if it has addressed the most pressing vulnerabilities.
What are some emerging aspects of security that are gaining in importance and concern?
The continuing explosion of data coupled with the so-called “consumerization of IT” has really added to the data security challenges facing law firms. It used to be the case that you could keep all data in a well-secured internal network and carefully control access. Today there is simply too much data and too many new cloud or mobile applications wanting to share and access that data.
One of the greatest challenges facing law firms is how firms will look to enjoy the efficiency gains associated with this new technology while still providing the level of control and protection necessary to ensure protection of client confidentiality. Firms must carefully balance the business need against the technical risk to determine the most prudent use of a new technology. Most firms have not yet established the information governance frameworks internally to wade through these decisions.
If you could make every law firm employee understand one thing for better data security, what would it be?
Attackers are focusing heavily on individuals within organizations because people continue to be a major weakness in the overall security of an organization. Every firewall, anti-virus, and intrusion prevention product in the world will fail against some or other instance of dangerous employee behavior. This is one of the reasons we offer lawyer-focused security awareness training, to help ensure lawyers themselves are aware of both the risks and their ethical obligations to manage those risks for their clients. Eliminating dangerous behavior and raising awareness around the risks of technology is a necessary cornerstone of any comprehensive security program.
Matt Wolf has been working in the field of IT and security for 15 years. He began his work with Microsoft, focusing on emerging security issues within their MSN division. He earned his J.D. from UC Berkeley School of Law where he worked as a Scholar in Residence and directed an information security assessment program. He now works in the legal industry as a security and privacy consultant and is a member of the California Bar.