    Wisconsin Lawyer
    October 01, 2016

    What’s Behind Your Firewall? Know Your Cyber Risks

    The continuing pace of successful hacks into the confidential databases of law firms and other businesses makes clear that most lawyers would benefit from a refresher on the dangers posed to competent practice and good customer service by cyberattacks. Security experts Sharon D. Nelson and John W. Simek lay out recent statistics, explain why lawyers often fail to protect their systems and data, and summarize professional organizations’ current stances on cybersecurity. They also highlight the most common types of attacks and suggest ways to detect and respond to them.

    Sharon D. Nelson & John W. Simek


    Cybersecurity is a hot topic these days, but what does it mean to practicing lawyers? Essentially, cybersecurity is the protection of your information systems from theft or damage. For a lawyer, that means making sure your client’s information stays confidential. Today, that includes taking steps to protect your practice from experiencing a data breach.

    Are lawyers doing enough to safeguard law firm and client information? Our opinion is that many are not. Here are a few reasons we hold that opinion.

    • The FBI reported at a legal technology conference in 2013 that they are seeing hundreds of law firms being increasingly targeted by hackers.
    • Mandiant, now part of InfoSec giant FireEye, reported that 7 percent of the breaches it investigated in 2014 involved law firms.
    • Another report noted that 80 percent of the 100 largest law firms, by revenue, had been hacked between 2011 and 2015.
    • At a meeting of large-firm information security experts from Washington, D.C., most admitted that they had been breached – and that they were aware from their colleagues that others had been breached as well.
    • Even with the dismal record of reporting law firm data breaches, we still learn of them in the press and informally – and we will detail some of them for you.

    Why Law Firms Fail to Protect Data

    While data breaches can happen despite reasonable (or even stronger) security, the frequency of law firm data breaches and reports on how some of them have occurred suggest that many lawyers have not been employing reasonable safeguards. Why do many otherwise competent lawyers fail so miserably in protecting firm and client data? Here are some of the reasons.

    • Ignorance – they simply need education – and many of them don’t know they need education.
    • The "it can’t happen here" mentality is flatly wrong. Since the FBI issued an advisory in 2009 warning that law firms were specifically being targeted by identity thieves and by those performing business espionage, it has continued to meet with large firms to preach the gospel of information security. We were, in earlier days, worried about cybercriminals, China and other statesponsored hackers, which continue to be major threats. Thanks to Edward Snowden, we now know that we also need to worry about surveillance by our own government.
    • According to press reports, lawyers and law firms are considered "soft targets"; they have high-value information that’s well organized and frequently have weak security – although we are happy to report that, at least at large firms, cybersecurity is now a pretty high priority.
    • Although there are many low-cost or free measures that solo and small firm lawyers can take to protect sensitive data, true information security, including hardware, software, training, and so on, is expensive. Protecting the security of client data can present a big burden for solos and small law firms. This does not take away a lawyer’s ethical duty, however, and it is one reason the authors lecture so often on computer security. Once a lawyer sees the most common vulnerabilities, he or she can take remedial steps – or engage an IT consultant to do those things that are beyond the lawyer’s skill.
    • The need for vigilance never stops. You cannot secure your data once and think you’re finished; the rules of information security change on close to a daily basis. Certainly, someone in the firm needs to keep up with changes regularly, or the firm needs to engage a security consultant to do periodic reviews. While the necessary frequency of security assessments depends on the size of the firm, the sensitivity of the information, and identified threats, mandatory assessments should be conducted at least annually. And clients are beginning to demand self-audits or third-party audits of law firm security. Sensei has never seen a client who passed such an audit on the first go-round. In fact, clients don’t even understand the audit questions, which doesn’t bode well for the results.

    Detect and Respond

    In a more innocent time, we really thought we could keep the barbarians outside the walls that guard our data. Alas, those days are gone. For years, the emphasis was on preventing villains – cybercriminals, state-sponsored agents, business espionage spies, and hackers – from getting in. We went from fairly simple antivirus software to sophisticated antivirus software and, finally, to enterprise anti-malware software security suites.

    Sharon D. Nelson and John W. Simek: Attorney Sharon D. Nelson is president and John W. Simek is vice president of Sensei Enterprises Inc., a legal technology, information security, and digital forensics firm based in Fairfax, Va. (703) 359-0700

    The products got better and better and better. Unfortunately, all the would-be intruders were not only matching the good guys step for step, they were outpacing them.

    It took a surprisingly long time for everyone to "get it" – but in the end, cybersecurity professionals realized that if the bad guys are smart enough and target a particular entity, they are going to successfully scale the walls we built to keep them out. And with that realization, "detect, respond, and recover" became the new watchwords in cybersecurity.

    Mind you, we are still trying to keep the bad guys out – that is the first line of defense. But now that we know that our first line of defense is a Maginot Line for sophisticated attackers, we have moved forward in our thinking.

    The NIST Cybersecurity Framework

    Law firms had already begun moving toward securing their data and the physical infrastructure protecting it when, in February 2014, the National Institute of Standards and Technology (NIST) released Cybersecurity Framework Version 1.0.

    The framework provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs. This came as a result of Executive Order 12636, issued in February 2013, which called for "the development of a voluntary, risk-based Cybersecurity Framework – a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses." [Editor’s Note: Please see the Technology column, "NIST Cybersecurity Framework Introduction," for more information.]

    The framework allows organizations – regardless of size, degree of cyber risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.

    The document is called "Version 1.0" because, much like the U.S. Constitution, it is supposed to be a "living" document that will be updated to reflect new technology and new threats – and to incorporate "lessons learned."

    Here is where you find the magic words of the document, "identify, protect, detect, respond, and recover," which should shape any law firm’s cybersecurity program.

    "Identify and protect" were the first steps in the early days of cybersecurity. Although those words are still important, "detect and respond" have surged forward as a new focus, along with, of course, recovering from security breaches – no easy task. It is especially tough if you don’t know you’ve been breached – and the average victim has been breached for seven months or more before the breach is discovered!

    What "Detect and Respond" Means for Law Firms

    The new focus on detect and respond means rethinking how you approach security of your data. Now that you know that you can’t keep out determined intruders, you know you must detect them once they’ve penetrated your network. So you need technology and software that will help you detect that you’ve had what is called, in polite circles, "a cybersecurity event" – translate that to "a breach."

    As you can imagine, you want to know about these "events" as soon as possible so you can take action. Today, there are technology solutions that identify "anomalies" in networks (things that are outside the norm) or that look for executables that are unknown but are behaving like malware or some other form of cyberattack. While some of the solutions may be beyond the need or the budget of solos and very small firms, your firm need not be very large for you to start considering heading down this road – the risks of not doing so are simply too great. The good news is that there are technical solutions that are very affordable and would be a good starting point for solo and small firm lawyers.

    Some of the solutions include data loss prevention (DLP) software and appliances, intrusion detection systems (IDS), intrusion prevention systems (IPS), electronic content management systems (ECMs), and security event management systems (SEMs). When you meet with someone who can explain the various solutions to you, brew a pot of espresso: you must be highly focused to understand how one solution differs from another. This is really cutting-edge technology that changes from month to month (if not day to day).

    We recommend that solo and small firm lawyers start by investigating intrusion detection systems. An intrusion detection system watches network and system activity and alerts you if there appears to be some malicious activity. It begins by creating a baseline of network traffic. Any suspicious activity outside the configured parameters (for example, 10 percent additional network bandwidth utilization) causes an alert, which is typically an email message to an administrator.
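The baseline-and-threshold logic described above, written out as an added example. This is not code from the article or from any IDS product; it shows the mechanism in its simplest form. All traffic counters below are constructed sample values, the baseline is keyed by hour of day (an assumption, chosen so that normal midnight traffic is not compared against a 9 a.m. average), and the alert is returned as a message string rather than actually emailed.

```python
"""Bandwidth-baseline anomaly alert: the core of a simple network IDS rule."""
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterable, List, Optional, Tuple

Sample = Tuple[int, int]  # (hour_of_day, bytes transferred during that hour)

# Constructed baseline: two days of readings for three hours of the day,
# standing in for the "quiet week" an IDS would record when first installed.
BASELINE_SAMPLES: List[Sample] = [
    (9, 200_000_000), (9, 220_000_000),
    (13, 150_000_000), (13, 170_000_000),
    (23, 5_000_000), (23, 7_000_000),
]

# Constructed observed day: ordinary working-hours traffic plus one large
# after-hours transfer at 23:00, the kind of event the article wants caught.
OBSERVED_SAMPLES: List[Sample] = [
    (9, 215_000_000),
    (13, 170_000_000),
    (23, 60_000_000),
]


def build_baseline(samples: Iterable[Sample]) -> Dict[int, float]:
    """Average bytes per hour of day over the baseline period."""
    by_hour: Dict[int, List[int]] = defaultdict(list)
    for hour, nbytes in samples:
        by_hour[hour].append(nbytes)
    return {hour: mean(vals) for hour, vals in by_hour.items()}


def percent_over(observed: int, expected: float) -> float:
    """How far (in percent) the observed count exceeds the baseline."""
    return (observed - expected) / expected * 100.0


def find_anomalies(baseline: Dict[int, float],
                   observed: Iterable[Sample],
                   threshold_pct: float = 10.0) -> List[dict]:
    """Return one alert record per interval that breaches the threshold.

    An hour with no baseline at all is also reported: the IDS cannot say
    whether that traffic is normal, so an operator should look.
    """
    alerts: List[dict] = []
    for hour, nbytes in observed:
        expected: Optional[float] = baseline.get(hour)
        if expected is None:
            alerts.append({"hour": hour, "observed": nbytes, "expected": None,
                           "pct_over": None, "reason": "no baseline for this hour"})
            continue
        over = percent_over(nbytes, expected)
        if over > threshold_pct:
            alerts.append({"hour": hour, "observed": nbytes, "expected": expected,
                           "pct_over": over, "reason": "bandwidth above baseline"})
    return alerts


def format_alert(alert: dict) -> str:
    """Body of the notification an administrator would receive (not sent here)."""
    if alert["expected"] is None:
        return (f"IDS ALERT hour {alert['hour']:02d}:00 - {alert['observed']} bytes "
                f"observed, {alert['reason']}")
    return (f"IDS ALERT hour {alert['hour']:02d}:00 - {alert['observed']} bytes "
            f"observed vs {alert['expected']:.0f} baseline "
            f"({alert['pct_over']:.1f}% over): {alert['reason']}")


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for a in find_anomalies(base, OBSERVED_SAMPLES):
        print(format_alert(a))
```

With the sample data only the 23:00 interval trips the 10 percent threshold; lowering the threshold makes the ordinary daytime fluctuation alert too, which is the usual tuning trade-off between catching real events and drowning the administrator in email.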

    One of our favorite IDS products is Meraki by Cisco. It is subscription based and only costs a few hundred dollars per year. The hardware itself is a few hundred dollars and then you only have to deal with annual subscriptions after that. The system is cloud based and updates are automatically delivered and installed. The updates are based on the activity seen by all the Meraki devices in the Cisco network. In other words, you take advantage of having fixes applied based on malicious activity that someone else may have experienced. Cisco is a very trusted brand.

    If suspicious activity is detected on your computer system, your response to the incident might vary. Your in-house or outside technology consultants (and you are likely to need digital forensics technologists, who are more familiar with data breach investigations) should take a look at the situation and see what they can determine. They can also, once they understand what has happened, figure out how to "plug the hole" and otherwise mitigate the breach. Remediation of whatever caused the breach is key.

    We hope that you already have an incident-response policy and plan in place, no matter how big or small your firm is. For all but the smallest firms, there should also be an incident-response team in place to implement the plan. At a minimum, you should have already identified who will be involved, along with the appropriate role for the individual(s).

    You probably will want to call a lawyer familiar with data breach laws, to advise you on complying with any of the 47 state data-breach-notification laws. And if there is data protected by federal law (such as HIPAA data), you’ll need advice on that front, too.

    Finally, one of the first pieces of advice you are likely to be given is to call the FBI. While that is anathema to most law firms, it is the appropriate course of action. Remember that the FBI makes no public statements about these investigations and doesn't show up in flak jackets or otherwise make a public display of your "cybersecurity event." You can determine which FBI office to call by performing a Google search for "FBI regional offices" and entering your zip code.

    The ABA Cybersecurity Resolution

    The ABA has weighed in on cybersecurity concerns, always a sign that state bar organizations may do so, too. On Aug. 12, 2014, the ABA House of Delegates passed, without opposition, Resolution 109, which reads as follows:

    "RESOLVED, That the American Bar Association encourages private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected."

    You might be forgiven for thinking, "Wow, that really says a whole bunch of nothing." And you'd be right – it is really a cautionary resolution intended to raise awareness.

    There is a back story to the resolution, which at first was longer and broader in scope. The original resolution appeared to command all law firms, large and small, to come up with a cybersecurity program that met national and international standards.

    This met with fierce opposition from a number of ABA entities, including the Law Practice Division and the GP/Solo Division. The resolution was submitted by the ABA Cybersecurity Legal Task Force and the Section of Science & Technology Law.

    In response to the controversy, the language of the resolution (which stands on its own and is not governed by the accompanying report) was watered down to the tepid version above. At the behest of other entities, language in the report was also changed to clarify that the resolution was not attempting to make a change in lawyers' ethical duties and to add language recognizing that smaller firms could not be expected to adopt a program that made no sense considering their size and budget constraints.

    Clearly, for small firms, the international and national standards cited in the report appeared fearsome. There are standards for smaller firms like the NIST standard mentioned above.

    The report states: "Small organizations, including small law firms and solo practitioners, can prioritize key cybersecurity activities and tailor them to address the specific needs that have been identified." For help with this, check out NIST Interagency Report 7621: Small Business Information Security: The Fundamentals, available at Written in 2009, it's a bit dated, but many fundamentals remain the same. As an example, target hardening is one of the sections. It would seem pretty obvious that you should beef up your security to reduce the chance of compromise, but most people just set it and forget it.

    One Last Shot Across the Bow

    While it is true that "detect and respond" has set off a hue and cry, never forget that it is best for your law firm if you really can keep the barbarians outside the gates. We were reminded of this as we were writing this article – a news article appeared on our newsfeeds telling us that another law firm had suffered a data breach after a firm backup disk (apparently unencrypted) had been stolen from an employee's locked car trunk.

    The best defense we currently have to protect law firm data is encryption. "Detect and respond" is a mantra you need to adopt, but don't make the mistake of failing to adequately protect your data. Encryption is a law firm's best friend when it comes to risk management. If you haven't deployed encryption everywhere, now is the time. Google is marching full steam ahead with its encrypt-everything program. That's a good cue that you should be doing the same thing.
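The stolen backup disk above is the failure mode encryption at rest is meant to contain: an attacker holding an encrypted archive without the key holds only ciphertext. The following is an added example, not a procedure from the article or any vendor, showing one way to encrypt a backup archive with the standard openssl command-line tool before it is written to removable media. It assumes openssl is installed; the archive contents, file paths, and passphrase are constructed placeholders, and the passphrase file is created in a temporary directory purely for the demonstration.

```sh
#!/bin/sh
# Added example: encrypt a backup archive at rest with AES-256-CBC via openssl,
# so that a lost or stolen disk exposes only ciphertext.
# Assumptions: openssl CLI present; passphrase kept in a file readable only by
# the backup process (in a real deployment it lives in a secrets store or
# hardware token, never on the same disk as the backup).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASSFILE="$WORK/backup.pass"
PLAIN="$WORK/client-files.tar"
ENC="$PLAIN.enc"

# Constructed sample "backup" contents and passphrase (illustrative only).
printf 'CLIENT MATTER 2016-042: privileged notes\n' > "$PLAIN"
umask 077   # passphrase file must not be world-readable
printf 'constructed-passphrase-change-me\n' > "$PASSFILE"

# encrypt_backup <plaintext> <ciphertext> <passfile>
# -pbkdf2/-iter derive the key from the passphrase slowly, resisting guessing;
# -salt makes identical backups produce different ciphertext.
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_backup <ciphertext> <plaintext> <passfile>: the restore path, which
# must be exercised regularly so a recovery is not the first time it is tried.
decrypt_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# backup_is_opaque <ciphertext>: succeeds only if no plaintext marker survives.
backup_is_opaque() {
    ! grep -q 'CLIENT MATTER' "$1"
}

encrypt_backup "$PLAIN" "$ENC" "$PASSFILE"
if backup_is_opaque "$ENC"; then
    echo "encrypted backup written to $ENC; no plaintext markers found"
else
    echo "WARNING: plaintext marker survived encryption" >&2
fi
```

The passphrase must be stored and backed up separately from the disk that carries the archive; an encrypted backup whose key sits beside it is not meaningfully encrypted, and one whose key is lost is not meaningfully a backup.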

