April 2013 | Disaster Prep: Special Issue
The Cyber Challenge Facing the Legal Profession
The good news is the bad news. Law firms large and small have access to a stunning array of innovative tools and resources to help reduce costs and increase productivity. Email, social media, web technology, and global video conferencing empower law firms of all sizes. Cloud computing and mobile applications enable even small firms to store and access their information from anywhere in the world.
At the same time, this incredible increase in information technology has given rise to a new brand of cyber-criminal, and their numbers are growing. They range from lone actors to nations determined to steal sensitive information. Everything is fair game, from intellectual property to personal financial information. Typical of these intrusions are the denial of service attacks which have recently been used to disrupt internet access and interfere with client communication.
Such attacks can have a catastrophic impact on reputation, ruining client trust and confidence. One recent report cited by U.S. Representative Chris Collins (R-NY) claims that nearly 60 percent of small businesses will close within six months of a cyber-attack. Leon Panetta’s warning that the U.S. is facing a cyber-Pearl Harbor was no surprise to information technology professionals at many law firms and enforcement agencies. They’ve been dealing with attacks for years.
A similar warning was echoed in February by ABA president Laurel Bellows, who, in an interview with the ABA Journal said, “Cyber-attacks are happening thousands of times a day, and some of the most vulnerable targets are law firms, which hold so much information of their clients and serve as ‘gates’ to their clients.”
Industry studies support Bellows’ comments. A report by the Ponemon Institute documented an 81 percent increase in the number of cyber-attacks between 2010 and 2011. In a 2012 study sponsored by the Zurich Financial Service Group, 86 percent of the respondents believed that such malicious attacks pose a moderate to severe threat to their organization. The survey, A New Era in Information Security and Cyber Liability Risk Management, found that only 68.8 percent of responding firms admitted to having any type of IT disaster plan in place and less than a third had cyber liability insurance.
Hackers are increasing the intensity and persistence of their attacks, while broadening their targets. Smaller law firms, in particular, have become cyber criminals’ latest victims. Robert Baumgarten, CIO at Shulman, Rogers, Gandal, Pordy and Ecker in Potomac, MD, recently characterized this change in focus as having “shifted from the server rooms and data centers to the space occupied between the desktop and the chair—to the attorneys, paralegals and administrative assistants.” Unfortunately, the resources available to smaller firms don’t match the challenge facing them, as the number and sophistication of threats increase. An obvious solution to this challenge is to outsource some of the responsibility to organizations with the training and resources to keep up with the ever-changing array of threats. However, surprisingly few firms are adopting this strategy. The Ponemon Institute found that 79 percent of businesses across all industries stated that they would “rely on their own internal information technology department to assess the level of cyber risk exposure.”
What Are They After?
The range and scope of material that cyber criminals target covers every aspect of legal practice. From lists of confidential witnesses to patent applications, seemingly any type of information is of interest. Some organized crime groups attempt to hack into not only law offices, but court systems and even the U.S. Marshals Service. Other groups focus on financial information, especially M&A documents that might provide a negotiating edge or insight into how the financial markets might react to a deal. Any type of intellectual property is high on the list of targeted material, including the results of drug studies, client correspondence, or information linked to possible litigation claims.
The Way In
While some of cyber criminals’ success can be attributed to inventiveness, in many cases the way inside is paved by employees who exercise poor judgment. One technique, known as social engineering, seeks to manipulate an employee into either granting access to an internal network or disclosing a seemingly innocuous bit of information. Clever criminals can later use this tidbit to find a way past network security and to confidential information. Another technique, known as spear phishing, relies on authentic-looking emails to trick users into opening attachments or following hyperlinks to seemingly legitimate websites. Once opened, these files or links secretly install malicious software onto a computer or storage device such as a memory stick. As other computers connect to these storage devices, the virus is inadvertently passed along. Sometimes these viruses are embedded inside downloads of music files or computer games, bypassing normal safeguards.
This latter form of cyber-spying is especially successful when employees naively blur the distinction between business and personal computing. For example, individuals who diligently follow company security policies while at work may let their children surf the web on their PCs while at home, or connect to storage systems that haven’t been properly vetted.
BYOD, the Cloud and MDM
Clients, witnesses, courts, and fellow attorneys now demand near instantaneous communications and use technologies unheard of a scant few years ago. Finding a balance between protecting the integrity of the law firm’s network and meeting the demand for wide-scale connectivity requires finesse and diligence.
The proliferation of user-supplied smart phones, tablet computers, and laptops further complicates the issue. Known as the Bring Your Own Device (BYOD) challenge, IT departments must now find a way to maintain security while allowing a variety of digital appliances of unknown configuration, loaded with software from questionable sources, to access and use online corporate assets in an unrestricted manner, from multiple locations. These same devices carried by contractors, guests, and temporary employees further complicate the situation.
A new area of information security has emerged that attempts to bring order, structure, and predictability to the BYOD threat. Mobile Device Management (MDM) is the latest sub-specialty discipline that already over-taxed IT departments are expected to understand and put into practice.
Smart devices aren’t the only new frontier of challenge. As new software development tools come into common use, firms may unknowingly gather and store information about visitor behavior on their websites. For example, some websites automatically collect information that many would view as private. Examples include your identity, how long you linger on each webpage, what you read, actions you take, and where you navigate after leaving the website. Would anyone find it advantageous to hack into a web log and review this information about clients or other visitors to your website?
Then there is the movement to the cloud, an amorphous computing environment which is out of the IT department’s direct control. At any time and without prior notice, critical data may be moved from secure servers to locations in other countries where the rules and controls governing access may be lax or virtually non-existent.
The Way Forward
So what should be done? A cyber security plan can be adopted and implemented rather easily. According to the FCC, every business that uses the internet is responsible for creating a culture of security that will enhance business and consumer confidence. The FCC website includes Small Biz Cyber Planner 2.0, which is a 10-step program to greater protection. This resource is a valuable reference that should be periodically consulted, especially by small firms that may lack cyber-security trained IT staff.
Policies govern network access and use. But how often are these policies reviewed and updated? The changing landscape of cyber crime demands constant vigilance and frequent vulnerability assessments. While this level of attention to security can be expensive, the alternative can be disastrous.
Setting up secure networks protected by firewalls and other technological tools is a necessary first step. But the solution to cybercrime will not come from technology alone. Ultimately, security is a management challenge that requires a mix of prevention, mitigation, and quick response to malicious intrusions. Better education of employees, business partners, and clients can help reduce the number and scope of the risks. However, when it comes to cyber security there are no safe harbors, just temporary mooring sites.
Don Byrne is president and CEO of Metrix 411, a web-based measurement and analytics business.
LAW PRACTICE TODAY