Ask An Expert: Matt Wolf Discusses Website & IT Security for Law Firms

BY Ryan Conley



This month, we speak with Matt Wolf of Carlson & Wolf about the security risks law firms face as business is increasingly conducted with the help of new technologies.

What special concerns do law firms have regarding IT security? What makes a law firm a target?

Today’s law firms face a difficult mix of operational, regulatory, and professional information data management requirements, each of which can introduce serious security concerns. Many industries are governed by one set of industry-specific rules, but because law firms provide legal services across industries, they fall under the umbrella of multiple sets of regulations and requirements.

According to reports from the FBI last year, some law firms are being targeted because they have weaker protections than their clients and are therefore an easier way for hackers to gain access to valuable client data. The most public example of this is the hacking of seven Canadian firms to gain access to sensitive information regarding a Potash merger and acquisition deal in 2010. However, law firms also have to worry about retaliatory attacks, either by hacktivists or supporters of an opposing party. There is at least one law firm that has fallen victim to a successful hacktivist attack and chose to close its doors in response.

What are some of the specific vulnerabilities you commonly see?

Data thieves are not the only pressing concern. Inadvertent disclosure resulting in a loss of privilege is something that could happen without an attacker or data thief being involved. A litigator’s exhibits or deposition transcripts being lost or damaged on the eve of a big trial is also something that could happen by accident without an attacker targeting the firm.

The most common problem I see is the fact that law firms are not consistently managing these risks in a business-centric, process-oriented way. Attackers may be the most pressing risk to one law firm, but that firm’s most pressing risk could be a seven-year-old server that is heavily relied upon and near the end of its useful life. Until a firm has gone through a risk analysis process, it will have no way of knowing if it has addressed the most pressing vulnerabilities.

What are some emerging aspects of security that are gaining in importance and concern?

The continuing explosion of data coupled with the so-called “consumerization of IT” has really added to the data security challenges facing law firms. It used to be the case that you could keep all data in a well-secured internal network and carefully control access. Today there is simply too much data and too many new cloud or mobile applications wanting to share and access that data.

One of the greatest challenges facing law firms is how firms will look to enjoy the efficiency gains associated with this new technology while still providing the level of control and protection necessary to ensure protection of client confidentiality. Firms must carefully balance the business need against the technical risk to determine the most prudent use of a new technology. Most firms have not yet established the information governance frameworks internally to wade through these decisions.

If you could make every law firm employee understand one thing for better data security, what would it be?

Attackers are focusing heavily on individuals within organizations because people continue to be a major weakness in the overall security of an organization. Every firewall, anti-virus and intrusion prevention product in the world will fail against some or other instance of dangerous employee behavior. This is one of the reasons we offer lawyer-focused security awareness training, to help ensure lawyers themselves are aware of both the risks and their ethical obligations to manage those risks for their clients. Eliminating dangerous behavior and raising awareness around the risks of technology is a necessary cornerstone of any comprehensive security program.

Matt Wolf has been working in the field of IT and security for 15 years. He began his work with Microsoft, focusing on emerging security issues within their MSN division. He earned his J.D. from UC Berkeley School of Law where he worked as a Scholar in Residence and directed an information security assessment program. He now works in the legal industry as a security and privacy consultant and is a member of the California Bar.

Ryan Conley

Ryan Conley is a staff contributor to Bigger Law Firm Magazine and a legal content strategist for U.S. based law firms.

