Raising the Bar: How to Update Cybersecurity in the Legal Industry
Seventeen years ago, the Harvard Business Review asked its readers, "Can you trust your law firm?" The inquiry at that point alluded to whether corporate attorneys were issuing genuine counsel to their clients. In today's society this question is even more applicable, with not just legal counsel under scrutiny but also the cybersecurity methods taken by law firms scrutinised too.
The entire legal industry faces unique challenges in ensuring proper stewardship of client materials, due to:
- The universal sharing of sensitive documents- from amalgamations and acquisitions to tax filings, a law firm must process and protect these valuable assets. This type of information and documentation constantly include confidential information and are often shared insecurely; making them magnets for cyber attacks.
- The rise in sophisticated threats are specifically affecting law firms; notable incidents include the breach of the Bermuda-based Appleby, resulting in the Paradise Papers exposure, and the comparable Panama Papers leak in 2016.
- Underinvestment in security-specific personnel, as well as in technologies capable of defending networks from attacks; a recent study published by the The American Lawyer found that only 38% of surveyed firms actually employed an Information security executive.
At this point, it is clear that not only are cyber attacks of the utmost importance to the success and reputation of companies, but also that boards and management are now reliant on the legal industry to help their organisations manage and respond to cyber threats. This reliance results in a sharp increase in responsibility when it comes to understanding and managing cybersecurity which can even result in law department members taking the fall for poor cybersecurity management.
Clients are acutely aware of such matters, since they regularly face similar pressures within their own operations. They have extended cybersecurity concerns beyond their internal controls and into their lawyers' practices. It has become a key issue for forward-thinking companies when searching for law firms.
Client privileges: Higher security expectations for Law Firms
Whilst the level of investment in cyber tools is still a major hurdle of effective cyber defense in the legal field, these heightened expectations are driving new security initiatives and awareness. According to the 2016 ABA Legal Technology survey, almost one-third (30.7%) of all law firms reported receiving security requirement lists from current or potential clients. The share was even higher (62.8%) amongst firms serving Fortune 500 companies.
What do these requirements typically include?
Fundamentally, they often specify how a firm should use and store client data, as well as create performance benchmarks for detection and response. Clients also try to determine whether a firm has basic protections in place- such as a fully staffed cybersecurity team, a properly tested set of security practices, thoroughly evaluated IT environments, and a cyber liability insurance policy.
Unlimited Liability: Assessing The Security Risks Facing Law Firms Today
The legal industry is a recurrent target of all types of advanced cyber attacks. In June 2017, multinational DLA Piper revealed it was victimised by a coordinated ransomware campaign, one of several such high-profile incidents during the year. As well as that the 2017 Verizon Data Breach Investigations Report identified the particular susceptibility of the broader professional services sector to cyber espionage and distributed denial-of-service (DDoS) attacks.
There are numerous overlapping causes of these vulnerabilities, including:
- Lack of sufficient risk assessments: IT groups at numerous law offices are overburdened and short on in-house security specialists, frequently abandoning them to conduct crucial evaluations and training. This circumstance is common in all verticals, its 2018 State report from Spiceworks uncovered a majority (48 percent) of IT groups expected no adjustment in staff in 2018– yet it's aggravated by underinvestment in IT across the legal sphere.
- Less security regulation: Unlike tightly controlled fields such as health care, accounting and government, the legal industry is not beholden to any cybersecurity compliance frameworks. Lawyers might interact with PCI DSS, HIPAA, SOX, FISMA, etc on a case-by-case basis, but there’s no rigorous universal equivalent to these standards for their own profession.
- A wide range of attack vectors: The high-profile attacks mentioned earlier (e.g., the Paradise and Panama Papers) were targeted attacks by the work of activists with thorough resources and expertise who sought a treasure trove of sensitive information; at the same time, seemingly minor exploits, like outdated printer software, can also lead to data exfiltration.
What can law firms do to reduce these elevated levels of risk? Growing reliance on internet-connected devices, paired with shorthanded internal IT teams creates a recipe for never-ending problems in network security. However, recently, there have been some improvements and developments in applicable standards.
Legal Defense: Protecting Data from Theft with a secure communications app
SaltDNA is highly differentiated in the legal industry, both technically and functionally. The majority of SaltDNA's competitors operate in the consumer market, offer secure communications for consumer use. SaltDNA only deal with enterprises, and have built their features around this market.
A key differentiator that SaltDNA has over competitors is that SaltDNA provides organisations to control who speaks to who within their company. SaltDNA provides a secure management system to ensure companies have complete control over all employees contact lists and communications, making it easier to manage communications, and facilitating the operation of closed user groups. This has been utilised within the legal space to enable lawyer-client communications, as well as communications with external firm when handling a legal matter.
Law firms can also control where the SaltDNA solution is hosted. The SaltDNA Solution is available as a cloud based service or as an on-premise installation within private infrastructure. This allows law firms to own the system themselves and even securely archive the content themselves for evidential recall purposes - a feature that is only available for on-premise deployments with content never stored on the SaltDNA servers.
If you have any questions about this article, please contact us on firstname.lastname@example.org and we'd be happy to assist you in any way.
SaltDNA, ranked in the top half in the Cybersecurity 500, provides a fully enterprise-managed software solution that enables absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. The SaltDNA Desktop and Mobile apps are intuitive and easy to install and use. The SaltDNA Communication Manager provides a console for tight management of users and can be configured for the management of regulatory compliance. SaltDNA is headquartered in Belfast, Ireland, for more information visit www.saltdna.com.