Reprinted from the June 2016 issue of Cybersecurity Law & Strategy with permission.
For years, various government authorities and security experts warned the legal industry about the proverbial cyber target painted on their chest. And while a cornucopian crop of headlines bloomed about data breaches, most concentrated on major retailers or recognizable brands. Given nebulous reporting legislations, the data breaches at law firms remained below the press horizon. But you can only dodge so many bullets until one hits the industry square in the chest. Recently, the legal industry found itself in the spotlight as story after story about data stolen from law firms surfaced. And the media frenzy culminated when Mossack Fonseca became the poster child for hacked law firms, earning the moniker of the Panama Papers.
If the multi-law firm hack story was the first shot over the bow, then the Panama Papers leak will become a torpedo. With a record-setting data heist and enviable client list of who’s-who in government, business and entertainment, the Panama Papers leak struck a chord and unequivocally confirmed that legal wasn’t just a target — it is the target. And it is a bellwether for an industry in a fugue, unable to conceive that their firms held anything of value; certainly not anything worth stealing. Well, it turns out that boring old shell companies and tax filings had a value.
Law Firms Are Full of Sensitive Data
It doesn’t matter the size of your firm. Large or small, your firm houses a treasure trove of sensitive data. From personally identifiable information (PII) to M&A transaction details to contracts and plans, every piece is desirable in the eyes of cybercriminals. Sure, larger firms have long felt that they’re not as vulnerable to attack. They’ve been confident in the technological defenses they’ve established to protect their sensitive data, and until recently they haven’t felt the need to question the efficacy of that technology.
Small-to mid-sized law firms are at even greater risk. Unlike their larger peers, smaller firms simply don’t have the budget and resources to allocate to internal IT management and technology investments. In many cases, these bootstrapped firms are lucky to simply have the most basic technology in place, such as anti- virus systems or firewalls. For these reasons, they’re perceived as an easy mark through the eyes of attackers, and widely recognized as a conduit to larger targets.
Hackers Focus on People, Not Technology
In addition to evolving risk vectors, the nature of attacks themselves has shifted. Attackers no longer fear technology because they know they can evade it. Recent successful breach events amplify that reality.
Today’s popular attacks focus on something far more malleable than technology. They focus on people and their innate human nature. We all get busy. Dreadfully so. And it’s when we’re busy that we become careless, particularly when it comes to our e-mail inbox. This is when we’re most vulnerable to the epidemic that is e-mail spoofing.
Spoof e-mails have undergone a transformation. Once riddled with spelling errors and inaccuracies, malicious content today is cleverly veiled in glossy, seemingly legitimate corporate branding. The correct names are usually in the correct places, and the contents of the e-mail always appears to be reasonable and typical of interoffice or vendor communications. As a result, phishing and Business Email Compromise (BEC) are now big business for cybercriminals. The Ponemon Institute reported that large companies now spend an average of $3.7 million a year dealing with phishing attacks. See, “2015 Cost of Breach Data Study.” All firms have become a desirable target for phishing and BEC attacks.
Legislation and Guidance
Staggering breach cases are driving a larger conversation. At a micro level, cybersecurity is quickly becoming a paramount issue for firms, whether large or small. At the macro level, industry, national and governance discussions are turning their sights to the legal industry. The U.S. government’s Cybersecurity National Action Plan (CNAP) passed last December and the Cybersecurity Act of 2015 officially ushered the government’s resolve to guard the pillars of the U.S. economy from cyber threats and attacks. At a governance level, the industry is scrambling to ramp frameworks and measurements with industry peers like the SEC, who since 2014 have worked to establish regulatory compliance measures through a formal examination process and comprehensive frameworks.
The ABA, recognizing increased pressure from national compliance efforts and imminent threats from an unseen army of cyber attackers has worked to architect a set of cybersecurity guidelines, as outlined in its 2014 Cybersecurity Handbook. The handbook has quickly become an indispensable tool for firms that don’t know where to start. It outlines several pillars of regulatory focus, including: gaining an understanding of what assets and sensitive data the firm has; who the regulators are; which threats are targeting the firm; what protection firms have in place to guard against attacks; what risks exist; and, whether firms can demonstrate cybersecurity claims.
Essentially, cybersecurity management can be divided into two clear buckets: the first focuses on policies and planning, while the second centers on the day-to-day mechanics of cybersecurity and what kinds of frontline defenses firms have in place to block or mitigate attacks.
Often, even tackling these questions can be a daunting task for firms, particularly those that don’t have an in-house team to answer them. Commissioning a full, independent security assessment is a good place to start. Security assessments are an effective way to assess your current security posture and identify gaps in your processes, programs and technologies. An independent security assessment not only helps firms build and augment their cybersecurity programs, but it also helps prepare a response for clients who will request an audit report detailing your firm’s posture. A security assessment provides the clear direction you need to build your program, policies and defense inventory. An assessment also benchmarks your firm against that of your peers, examining the kinds of threats targeting you, and security considerations that fit your organization based on those benchmarks.
The ABA’s Tech Report, released late last year, revealed that on average, less than half of responding firms have firm technology or security policies in place. With the number of vulnerable attack surfaces in any given firm, security policies are an essential first step when it comes to defending the firm. Just as critical are framework documents like NIST, which fuses practices, guidelines and standards to protect critical infrastructure. The framework helps to prioritize and manage cybersecurity risk, and presents a sturdy platform to further policy and program development.
Security Areas to Address
Within data and network protection there are several vectors that should be addressed: security models, network assets, policies and procedures, data encryption, remote banking/transfers and mobile device management. The Tech Report found that 62% of respondents reported that their firm had not experienced a breach. But with so many threat surfaces, it’s unknown how many of those respondents suffered a breach and didn’t detect it. The Panama Breach case is a prime example; the firm claims that its mammoth data leak was a result of a year-old, undetected breach. One may assume that a firm like Mossack Fonseca would have fairly robust security in place, particularly given its top-tier client base.
While the root cause of the breach hasn’t been reported, it has been speculated that the breach was the result of a sophisticated cyber-attack, one that cleverly evaded whatever perimeter defenses Mossack Fonseca had in place.
Conclusion
While the fate of Mossack Fonseca remains to be seen, lesser breaches have caused firms to shut their doors entirely. Universally, attorneys are fundamentally obligated to protect their clients’ confidentiality. By extension, firms are required to ensure that the technology they use in no way subjects client information to an undue risk of disclosure. Pair this with the breach cases impacting firms, and suddenly firms face greater pressure, more scrutiny and evolving regulatory implications. Clients are taking data protection into their own hands, running due diligence that requires that firms demonstrate the mechanisms they’ve build to protect sensitive data.
The legal industry was founded and is fueled by professionals driven by curiosity and the desire to ask “why.” Cybersecurity has gone from simply being IT’s problem, to becoming everyone’s problem. If your firm doesn’t currently have cybersecurity initiatives underway, start the conversation. Ask the questions. Turn to your governance resources such as the ABA and leverage the tools they’ve created to drive momentum in your firm. Collaborate with peers through intelligence sharing forums like the Legal Services Information Sharing & Analysis Organization (LS-ISAO), which was founded to facilitate threat sharing amongst firms. The cybersecurity terrain is ever evolving. Consider this: Today’s fastest growing and most successful threats originate from a human culprit. You need human-driven defenses to stop them; technology simply won’t cut it.
