“Risk comes from not knowing what you’re doing.” - Warren Buffett
As treated here, risk refers to virtual risk: the hidden dangers inherent in our electronic ecosystem. Each time a business or consumer uses technology there is a risk attached to that activity, whether the action is entering information into a cloud database, downloading a file, or purchasing a product. Every one of these actions can expose systems to intrusion; hence nowhere is the above adage more apropos than in computing.
Each week we see more technology developed to streamline business processes or with the claim of enriching our lives. The legal community, much like industries before it, continues to incorporate technology into its practices, albeit more hesitantly than sectors such as finance, banking and healthcare. Yet according to the ABA 2015 Legal Technology Survey Report, many lawyers and firms have not implemented elementary security measures that security professionals consider basic and that are used routinely in other professions. Consequently the number of data breaches at law firms has increased. In detailing the alarming number of law firm breaches, the report states that 80% of the 100 largest law firms have been breached [i], and these are firms with in-house I.T. departments. For some this statistic is startling, but not for the information security (InfoSec) community; on the contrary, it comes as little surprise, given the limited general technological understanding in the legal community as well as its relatively late adoption of technology in comparison to other industries.
One might wonder why lawyers and law firms are such tempting targets. This question was recently addressed by prolific freelance blogger Jai Vijayan [ii], who spoke with Jake Olcott, VP at BitSight [iii] and former counsel to the House of Representatives’ Homeland Security Committee. Mr. Olcott indicated that law firms, in addition to holding mountains of sensitive data, lack dedicated information security practitioners, as well as the budget to properly implement information security programs and incident response plans (codified post-breach procedures). So for firms facing this circumstance, here are a few suggestions:
Start small: begin by understanding what it is that you have, then classify that data in terms of importance. Next, partner with someone in the information security field to get a vulnerability assessment. (This is not your contracted network administrator, who in all likelihood has little, if any, knowledge of information security.) A vulnerability assessment differs from a penetration test in that the practitioner will not attempt to break into your systems; the assessment only identifies where your weaknesses lie, whereas a penetration test goes on to exploit them. Look for organizations, educational, non-profit and governmental, that disseminate free guidance materials and webinars on the topic. Finally, check out periodicals such as Dark Reading, which offers comprehensive up-to-the-minute coverage of security together with information on vulnerabilities and application weaknesses. Equally important to remember is that software alone is no panacea; otherwise, conglomerates such as Sony, Yahoo, Target and Wendy’s International, which own cutting-edge network security software, would not have been breached.
While none of the aforementioned measures alone will guarantee 100% safety, they do serve as preventive steps in the fight against attacks, much as brushing and flossing serve to prevent tooth decay and, should the infection spread into the bloodstream, later heart disease. Malware that spreads through a system can lock up the network and prevent the firm from accessing its documents and files, as ransomware does, a crippling blow to business.
With an estimated 1,365,561 lawyers in the country, according to the American Bar Association’s statistics, it behooves the legal community to work toward a solid understanding of, and grasp on, information security, especially given its fiduciary duty to protect the sensitive data of its clients. It is only by acknowledging the lack of awareness and then taking the requisite steps to become informed that this community will shore up its virtual doors. Consider this: firms take precautions against the thief who might physically walk through the door or climb through a window, so why not develop measures against those who are coming in virtually?
Wondering how intruders get in, what behaviors they exhibit, and what you and your staff can do beforehand? Then stay tuned for future installments of Non-private Lawyers and Firms.
[i] ABA Legal Technology Resource Center. ABA Tech Report 2015. Chicago: American Bar Association, 2015. PDF.
[ii] Vijayan, Jai. “Law Firms Present Tempting Targets For Attackers.” Vulnerabilities. DarkReading.com, 12 April 2016. Web. 15 April 2016.
[iii] BitSight is a company that aggregates, analyzes, and rates the security performance of companies and organizations across the globe.