Envision, if you will, how a document’s security was handled at grandfather’s law firm: a sturdy deadbolt on the main door, lockable file cabinets, and sensitive files stashed away in the stately, 50-year-old Mosler safe. Ernie, the trusted night guard in his 32nd year of keeping an eye on the premises after hours, prevented unauthorized access, while the beat cop down in the street strolled by every so often to shoo away any ne’er-do-wells loitering on the sidewalk by the main entrance.
Fast-forwarding to the present day, we find that the exact same document now has multiple digital copies: one on a partner’s desktop, one on the desktop of the associate who drafted it, three additional versions on the administrative assistant’s computer and six email attachments that were part of the correspondence with the client. So how secure are they? Well, the partner’s desktop had rootkit malware installed on it, recording all keystrokes to a rogue server in the Baltics; the associate had already downloaded his draft to his personal laptop (in advance of taking that offer from the crosstown rival firm); and the client’s copies were emailed to them unencrypted and intercepted by a packet sniffer seeking out credit card and Social Security numbers. What about our administrative assistant? No need to worry about the security of her files; there’s a bigger concern at hand. During her lunch break, she clicked a link promising a free Caribbean cruise, and within 24 hours the entire practice’s network will be corrupted by the ensuing ransomware attack, in which no files will be accessible to any user until 500 Bitcoin are transferred.
Non-Compliance is Not an Option
Let’s go straight to the heart of the matter. In the past, our clients’ valuable information was securely maintained in one location under lock and key. This has been replaced with data files spread all over creation, concurrently accessible to many authorized (and potentially unauthorized) users and exposed to all sorts of harm, be it security breaches that destroy privacy and confidentiality, or any one of the myriad malware, viruses, worms or trojans continually threatening our data. Moreover, the environment in which that data resides is itself fraught with opportunities for nefarious acts: the software applications and operating systems are themselves under cyberattack, which can effectively bring IT operations (and, by extension, ongoing work in the firm) to a complete halt.
So how do we get this genie back into the bottle? Our clients expect that their privileged information be kept secure, corporate America is contractually mandating protection against data breaches, and an entire alphabet soup of regulations (HIPAA, PCI, SOX, HI-TECH, CFPA, FERPA, FACTA and more being developed) demands both vigilance and compliance. Clearly, this will take more than Ernie the night guard and an old safe to put in order.
Stopping the Bad Guys
First, we need to parse the problem into three equally important groups: intrusion detection and prevention, data security and privileged-user management. To defend effectively against cyberattacks, a solid digital perimeter should be established. Such a barrier is composed of a blend of hardware devices, such as firewalls and gateways, and software solutions, including anti-virus, anti-phishing, anti-trojan, anti-spam, anti-spyware and intrusion detection, all of which combine to minimize the ability of malevolent actors to gain access to the IT environment and disrupt operations.
Next, the data itself needs to be protected. In years past, one would have required trucks and movers to steal a firm’s files; now, they all fit in a pocket-sized portable drive. Data repositories (and the channels used to access them) should be encrypted. This will prevent unauthorized users from deciphering any information should they somehow obtain your files. Password policies should be strongly enforced and applied equally to all law firm staff. Additionally, any and all transmissions to clients should be sent via encrypted email, which brings two important benefits: the content of the message and its file attachments will be unreadable by anyone other than the intended recipient, and since credentials have to be entered in order to read such a transmission, you will benefit from an indisputable record of receipt.
“We’ve Seen The Enemy; It Is Us”
Lastly, multi-attorney firms should pay close attention to their privileged users, including attorneys, legal professionals and support staff alike. Exfiltration of confidential information by authorized users has become a common scourge. Deploying privileged-user monitoring applications helps protect your data assets from unexpected attacks by disgruntled employees, departing colleagues, or just plain busybodies within.
The modern legal practice has benefited enormously from technology. Efficiencies have increased considerably, greater accuracy has been achieved, and the ability to communicate with clients in a manner that does not involve the post office is a blessing. However, in order to prevent costly operational disruptions, maintain regulatory compliance and ensure clients’ peace of mind, the time has come to see to it that our practice data is at least as secure as it was back when it resided in grandpa’s old office vault.

Mark Wiener