Today, no industry sector is safe from cyberattacks, as threat actors target businesses with a malicious aim of gaining information or monetary benefits. The digital age has undoubtedly ushered in beneficial changes in the life and work of many. But on the flip side, it has also been accompanied by an alarming rise in cybercrimes. This trend of continuous changes in the digital world that tends to attract more cybercrime has become a significant concern for cybersecurity specialists. Many organizations conduct businesses online by making their service or related information available online over a network of databases, applications, websites, etc. Thus, this network and the edge where it connects to the internet have become an entry point for hackers to initiate their intrusion.
By Bradley J. Schaufenbuel, Vice President and Chief Information Security Officer at Paychex
Network security has become a mandate for digital security in every industry sector, as in today’s age, even losing the information details of a client can quickly become a liability issue that has to be settled in a court of law. Ironically, no industry is in more dire need of network security than the legal sector, and especially law firms, because of the significant sensitivity and liabilities their business information carries. Though compromises of information security are relatively common in the digital landscape, their impact differs with the sensitivity of the compromised data. The colossal amount of sensitive information held by law firms makes them the target of frequent cyberattacks by threat actors. The impact is severe for law firms because they tend to store on their networks legal, proprietary, and personal/sensitive information related to their clients, which could be exploited to harm both the firm and the client.
Organizations tend to establish and implement a security architecture around their information processing cores to safeguard sensitive and confidential information. As the networks are the data transmission platforms that connect this core with the internet, without stable and robust security the organization’s sensitive data, such as the client’s personal information, financial records, business data, proprietary data, and other legal data, will be exposed to tremendous risk. The security architecture built around an organization’s network aims to defend its digital assets and data against attacks such as trojans, viruses, spyware, malware, worms, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS), sniffing, eavesdropping, spoofing, and much more.
Current Threat Landscape
Clients expect their law firm’s security standards to be equivalent to those used in the IT industry, as many law firms run virtual offices to work with their overseas clients and global partners, making more than 90% of legal information available in digital form. The digital assets and data held by law firms keep increasing in quantity through continuous accumulation. Unlike other information security compromises where the primary motive is monetary benefit (through digital fund transfer), attacks on law firms stem from the exploitation of sensitive information. Hence, ransomware attacks are one of the most prominent attacks in this sector.
As one could expect, the COVID-19 pandemic has propelled the digitalization of business processes, and law firms are no exception. Many jurisdictions, including those in developing countries, permit online filing systems, client briefs, and even interviews via phone and email. Hence, it has become imperative for law firms and judicial bodies to prioritize information security. Coincidentally, cyberattacks against law firms have also increased substantially since 2015 in the United States alone. Cybersecurity evangelists are concerned that law firms are either poorly aware of cybersecurity-related risks or do not intend to discuss them publicly. According to a 2020 survey by the American Bar Association’s (ABA) Legal Technology Resource Center (LTRC), less than half of law firms used advanced computer and network security tools and techniques. Even fewer, less than 40% of them, used what appears to be an essential security feature from the perspective of corporate MNCs. On multiple occasions, large US law firms have been criticized for not acknowledging or even discussing their breaches and compromises of information security.
Discussing the Current Challenges
Law firms operate in a complex and challenging environment that involves balancing multiple projects, each staffed with numerous attorneys working with an even larger number of clients. Many law firms conduct business over email and are responsible for large volumes of sensitive digital data, and though they aim to secure these communication channels, there are multiple challenges in implementing security controls. The lack of database and endpoint security, of a vulnerability assessment framework or tools, of resources and budget, of a framework to manage and mitigate insider threats, and of a security awareness framework for employees, clients, and business partners constitute some of the significant technical and policy-based challenges faced by law firms.
Even if the above-mentioned technical and policy-related challenges could somehow be resolved, there exists another issue pertaining to the intent of the law firm or its business associates, where implementing cybersecurity faces roadblocks for various reasons such as:
- Many law firms and associated businesses see security expense as a secondary aspect, as committees with limited cybersecurity knowledge tend to manage these firms.
- Implementing security controls for endpoint or end-user is difficult as security compulsions are not able to bind end-users, clients, and partners.
- Law firms tend to compromise some of their information, such as contact information, email, etc., as part of their much-needed advertisement campaign.
- The interest of state-sponsored attackers when it comes to sensitive inter-state or international cases has become a leading security challenge for larger law firms that handle important clients with diplomatic connections.
- Some in-house policies require the storage of sensitive information to be in-house, which may deny affordable and secure third-party database/cloud storage.
- The lower job satisfaction rate among security professionals working for law firms compared to other industries, or a limited number of professionals being tasked with the complete security architecture, leads to subpar performance.
What do law firms stand to lose?
The main repercussions of any security breach are financial loss, reputation damage, and legal suits, and the same holds true for law firms. Apart from this, law firms are primarily trusted with the client’s crucial and sensitive data. Hence, it is trust that suffers the real and complex damage in the event of a security breach. The attorney-client privilege and the standard of care provided yield a greater degree of trust between the client and the attorney (and the law firm). It is inherent for clients to share secrets and expect a high level of confidentiality in return. This inherently also applies to the safekeeping of the sensitive information shared by the client. Hence, it could be said that apart from legal maturity, the information security capability of the law firm will also decide its reputation in the market. Clients tend to expect the highest security standards, similar to what their own organizations use in their respective industries/sectors. Apart from trust and reputation loss, compliance factors also kick in: frameworks such as ISO 27001, European data protection law, and other legislative cybersecurity requirements oblige firms that hold sensitive information to secure it in the digital space. Many of these compliance regimes require law firms to have an incident response plan to reduce the damage caused in the event of an attack.
Mitigating the Threats
Comparing the security readiness of law firms to that of IT businesses, it could be noted that the majority of law firms carry multiple vulnerabilities that could be exploited to compromise information security. These include unsecured devices and storage, open wireless networks, insecure remote communication, a poor security posture with vendors and third-party service providers, and much more.
In order to strengthen the network security architecture, law firms need to build a robust security plan with a mitigation strategy for every security scenario that may arise. These plans and protocols should be versatile enough to incorporate various security tools and techniques that work together seamlessly, such as:
- A firewall, which is the first line of defense in any network’s security layer and filters traffic flow according to the configured access control rules.
- Intrusion detection systems/intrusion prevention systems (IDS/IPS), which assist network security with the detection and prevention of attempted cyberattacks. These security measures are effective in preventing Distributed Denial-of-Service (DDoS) attacks and performing behavioral analytics on network traffic.
- A honeypot, which acts as a decoy for the real network and lures threat actors so that their behavior during a network intrusion can be studied and recorded.
- Segmenting the network to enforce different security policies on the subnetworks. Splitting the network assets into segments reduces the attack surface available for exploitation.
- A virtual private network (VPN), which creates a virtual channel to securely connect users to a private network over the public network.
- Endpoint security, which secures devices at the end of the data distribution chain. It involves VPN security, antivirus, and antimalware solutions, along with securing operating systems and email and deploying phishing and vishing countermeasures.
- Wireless security, which prevents unauthorized access to or intrusion into a network through a wireless connection.
- Access control, which employs user and device authentication as a unified security architecture for network security.
- Encryption of network data, for example using IPsec to protect private communication over IP networks.
- SIEM (Security Information and Event Management), which helps the incident response team detect and manage security incidents.
- A Security Operations Center (SOC), established to manage all the security activities mentioned above.
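The segmentation, firewall and SIEM items above describe the same idea from three angles: traffic between segments is denied unless an access control rule allows it, and a SIEM turns the resulting denials into an alert. The following Python example, added here and not part of the original article, shows that chain end to end. The segment addressing, the allow-list and the flow log lines are all constructed for illustration and are not taken from any real firm.

```python
import ipaddress
from collections import Counter

# Constructed example: four hypothetical network segments for a small firm.
SEGMENTS = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/24"),
    "workstations": ipaddress.ip_network("10.20.0.0/24"),
    "document_store": ipaddress.ip_network("10.30.0.0/24"),
    "client_portal": ipaddress.ip_network("10.40.0.0/24"),
}

# Deny-by-default allow-list of (source segment, destination segment, TCP port).
# Any inter-segment flow not listed here is blocked at the segment boundary.
ALLOWED_FLOWS = {
    ("workstations", "document_store", 445),   # staff file access
    ("workstations", "client_portal", 443),    # staff use of the portal
    ("client_portal", "document_store", 5432), # portal's database connection
}


def segment_of(ip):
    """Map an address to its segment name, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, port):
    """Boundary decision: intra-segment traffic passes, inter-segment needs a rule."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown address space is never trusted
    if src == dst:
        return True           # host-level policy governs traffic inside a segment
    return (src, dst, port) in ALLOWED_FLOWS


# Constructed flow log in a simple key=value format (not real telemetry).
FLOW_LOG = """\
2024-05-01T09:00:01 src=10.20.0.15 dst=10.30.0.5 dport=445 bytes=8192
2024-05-01T09:00:03 src=10.10.0.77 dst=10.30.0.5 dport=445 bytes=512
2024-05-01T09:00:04 src=10.10.0.77 dst=10.30.0.5 dport=22 bytes=128
2024-05-01T09:00:06 src=10.20.0.15 dst=10.40.0.8 dport=443 bytes=4096
2024-05-01T09:00:09 src=10.40.0.8 dst=10.30.0.5 dport=5432 bytes=2048
2024-05-01T09:00:11 src=10.10.0.77 dst=10.40.0.8 dport=443 bytes=300
"""


def parse_flow(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "src": kv["src"], "dst": kv["dst"], "port": int(kv["dport"])}


def audit_flows(log_text):
    """Replay a flow log against the policy, as a SIEM rule would.

    Returns the list of denied flows and a per-source count of denials.
    """
    denied = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_allowed(flow["src"], flow["dst"], flow["port"]):
            denied.append(flow)
    return denied, Counter(f["src"] for f in denied)


def repeat_offenders(counts, threshold=3):
    """Sources whose denial count reaches the alert threshold, sorted for stable output."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    denied, counts = audit_flows(FLOW_LOG)
    for flow in denied:
        print(f"DENY {flow['ts']} {segment_of(flow['src'])} -> "
              f"{segment_of(flow['dst'])} port {flow['port']} ({flow['src']})")
    print("alert on:", repeat_offenders(counts))
```

In the sample log, the guest Wi-Fi host reaches for the document store and the client portal three times; none of those flows is on the allow-list, so all three are denied and the source crosses the alert threshold, while the staff and portal flows pass. Adding a segment or a service means adding a rule, which is exactly the review step a firm's governance body can audit.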
The methods and protocols that any law firm should incorporate as part of its information security architecture design can be divided into a five-step road map that involves:
- Establishing a security governance body to make partners aware of the risks.
- Adopting a set of policies and standards aligned to an established risk framework, e.g., NIST CSF, ISO 27001, etc.
- Performing a gap assessment against these policies and standards.
- Prioritizing gap remediation efforts and obtaining funding.
- Implementing process, technology, and people to build security capabilities, eliminate gaps, and reduce risk.
When integrating information, tools, and applications across the internet as part of digitalization, or adopting emerging technologies to facilitate easier access, management, and processing, it is essential to assess the security implications, as these changes bring multiple associated risks. Though the legal sector has made substantial attempts to ensure information security, there is still a lot to be done. Law firms in particular lag behind in cybersecurity readiness, which has led to multiple issues. It is imperative for law firms to prioritize safeguarding their clients’ data and to evaluate their security architecture to detect and fix problems. The network security architecture of law firms needs to be reviewed and updated frequently, accompanied by establishing and implementing a security awareness program. Failing to improve security leaves vulnerabilities in place, each of which is a potential lawsuit waiting to happen. Law firms and their management need to have a practical and comprehensive understanding of cybersecurity and implement security programs with the help of various tools and techniques.
About the Author
Bradley J. Schaufenbuel is currently Vice President and Chief Information Security Officer at Paychex. He leads his infosec professionals in managing and monitoring tasks focused on crisis management, security training and awareness, risk and compliance, identity management, managed file transfer, security engineering, security investigations, cyber intelligence, vulnerability management, and security architecture and application security. He has multiple years of experience working with the financial sector and has authored numerous books and research publications on a wide variety of topics related to information security and governance. Schaufenbuel also holds a license to practice law in Illinois and is a member of the U.S. Supreme Court Bar. He has served on several corporate and non-profit boards and is a regular speaker at industry conferences.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.