Editor’s Note: The author of this post is a partner at Holland & Knight in Miami who practices real estate finance and is an experienced computer coder.
By Joe Dewey, Holland & Knight, Partner
Cybersecurity practice groups are springing up at law firms at a rapid pace. This should come as no surprise given the increasing number of high profile hacker attacks. While these teams of legal professionals are assisting corporate America with understanding potential liability associated with security breaches, there is an obvious, yet less often discussed question: What should law firms be doing to protect the security of their own data and the integrity of their IT infrastructure?
Law firms of all sizes are subject to attack. Small to midsize firms are often at risk of attacks that compromise their email systems. The author of this article has personally seen two such attacks that nearly resulted in the theft of several million dollars (fortunately, red flags stopped each attack). Large firms often possess highly sensitive data associated with non-public information about publicly traded companies. Access to this information could easily be worth millions of dollars to someone willing to engage in insider trading. So, whether small or large, law firms will remain a target of malicious hackers.
Before discussing the defensive strategies available to law firms and setting forth some considerations for law firm management, it’s important to note that cybersecurity decisions are driven in some respects by balancing convenience against security. Notwithstanding what any security firm may claim, there is always a trade-off between convenience and security. That’s not to say that there are no relatively convenient systems that are relatively secure, but rather that those systems can be made more secure, at the expense of convenience. Readers should keep that in mind while reading the balance of this article.
Traditionally, cybersecurity has focused on keeping malicious hackers out of corporate networks. While this remains an important part of any comprehensive cybersecurity plan, some experts have recently suggested that we may be focusing too much on this line of defense—a concession to the idea that if a sophisticated, malicious hacker wants access to your system, they will obtain it no matter how good your security measures are. There is a tremendous amount of truth to this proposition. While Hollywood depicts hackers sitting in front of numerous computer screens quickly manipulating highly graphical displays, the reality is far from this depiction. Not only do most hackers work from a simple command line prompt, the most successful hackers are equal parts coder and social engineer. They are incredibly proficient at obtaining information through social media and at impersonating vendors or others, and in each case they are able to obtain valuable information that can be used to penetrate even the most sophisticated defensive system. Bottom line: penetration defenses are only as strong as the weakest individual within an organization who holds access privileges—think about that.
So what should law firms do to minimize damage from such attacks? This author suggests focusing on three key elements: (1) education, (2) detection systems, and (3) sandboxing particularly sensitive information. First, education about cybersecurity needs to be ingrained into firm culture. A mere mandatory video on cybersecurity and posters throughout the firm are not sufficient. The goal is that every person within the firm with access is reminded every day that the network is under attack—because it is. Second, firms should accept the fact that their systems will be hacked (because they will) and shift investment into infrastructure that will detect such breaches quickly and determine which data has been compromised. Finally, highly sensitive data should be sandboxed from other data within the firm. Properly structured, a system breach will not necessarily allow the intruder access to the most sensitive information within the firm.