The Panama Papers scandal, the security breach of Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP and other recent breaches and hacks have moved cybersecurity to the top of most law firms’ priority lists. However, today’s security environment is complex, and many law firms seeking to implement or update their cybersecurity policies often make mistakes that increase the likelihood of a successful attack or the damage caused by such an attack. In particular, law firm partners, chief information officers and others responsible for a law firm’s cybersecurity should avoid three common mistakes: assuming perimeter defenses are the only technology that can minimize the damage from security threats; using “open” security models that allow everyone in their firm to access all client information by default; and not implementing a strong data retention policy. With security experts agreeing that even the most diligent firms will be compromised at some point, avoiding these three mistakes can significantly reduce, if not eliminate, the damage caused by such breaches.
Don’t just depend on perimeter security
One of the most common mistakes made by law firms is to assume that the only way to minimize the damage from cybersecurity attacks is to put in place perimeter security technologies —firewalls, antivirus software, etc.— that “wall-off” the firm from outside attacks. While such perimeter security is essential, its usefulness is limited if an outside attacker finds a way around it. For example, criminals are using phishing and other sophisticated types of cyberattacks to secure the passwords and other credentials of a firm’s employees, and the strongest lock in the world will not stop a criminal if they have the key. Moreover, such perimeter security technologies are limited in their ability to stop or alert firms to attacks from those who are already “inside” the firm — for example, a disgruntled employee who decides to steal client documents before they leave the firm.
One way that law firms can limit the damage from attacks that find a way past their perimeter security is to deploy strong information governance technologies. Such technologies enable law firms to ensure that users must properly authenticate themselves to access information, that users can only access information of relevance to them, that all client information is encrypted and that all user actions involving their access or use of information is tracked. In addition, advanced information governance technologies have powerful analytics that alert law firms to unusual activity that might signal a breach by either internal or external attackers. With strong information governance technologies in place, law firms can stop attacks after they get past their perimeter security, or at least minimize the damage from such attacks. Perimeter security technologies are essential but unless law firms complement perimeter security with strong information governance technologies, they risk providing attackers with broad, long-term access to client information after a successful breach.
Stop using open security models
Another mistake many law firms make is to use open security models that provide all their employees with free and open access to sensitive client information. Such open access can promote more knowledge sharing, which can benefit both the firm and its clients. However, in today’s security environment the risks involved in using such an open security model, where a criminal able to obtain any user’s credentials has access to all of a firm’s client information, are too great to take. Instead, law firms should adopt a “need-to-know” security model. Such a model only provides users with access to matters and other information that they are specifically working on. By providing access to information only on a “need-to-know” basis, security models dramatically reduce the amount of information an attacker can access if they successfully compromise a user’s credentials. In addition, clients are increasingly demanding their firms adopt such models. With open security models increasing the risk of significant damage from a breach, as well as the risk of client displeasure, it would be a mistake for law firms to not abandon such models for a “need-to-know” security model, sooner rather than later.
Make sure to implement a data retention policy
A third mistake that many law firms make is to not have a data retention policy in place. Firms that do not have such policies often tend to retain all the documents and other client data they have. This allows them to produce this information if required to legally. However, it can often result in over-retention of data, enabling cybercriminals to steal sensitive client documents from years past, even if the firm no longer needs to be able to access this information. One of the key benefits of a data retention policy is that it puts in place a system to track, retain and, when it is no longer needed, delete client information. A cybercriminal cannot steal what a firm does not have. In addition, for the information a firm does retain, a strong data retention policy can ensure that information that is no longer needed for any immediate work is archived to a location where it is only accessible to a few select users, making it more difficult for a cybercriminal to access it. In addition, as long as a formal, properly justified data retention policy is in place, a firm can justify its disposal of client information if this information is legally requested.
The growing number and sophistication of cyberattacks should make the protection of client data a priority. Yet, while it is impossible for law firms to fully protect themselves from cyberattacks, many are making simple mistakes: depending exclusively on perimeter security technologies to protect their data, failing to adopt “need-to-know” security models or not implementing data retentions policies. Such mistakes both increase the risk of a successful breach and the damage that such breaches can cause. By correcting these mistakes, law firms can limit cybercriminals’ ability to access client information and the damage any breaches might cause, benefiting both their clients and themselves.
Ian Raine is head of product management at iManage, responsible for their suite of information governance products for law and other professional service firms. He has 25 years of experience building information governance, records management and other enterprise software products.