For reasons obvious to some – certainly to a good number of my own colleagues here at AccessData – the collision between the previously insular worlds of security and lawyers is making headlines and conference agendas with unprecedented frequency. I realize that groups on either side, whether IT, forensics experts or lawyers entrenched in issues of privacy and the myriad data protection laws, are already well versed in the intersection of legal counsel and security. But until recently, I shared a blind spot with the vast majority of the world’s legal community (a community still baffled by the technical intricacies of electronic disclosure) when it comes to the technical security of our own systems and data.
Most lawyers have no doubt assumed that the security of one’s office and network belongs in the trusted hands of internal or outsourced IT. We often fail to recognize, however, that a firm’s (or home office’s) security, and through it the security of our clients’ confidential information, is only as good as the budget and priority we assign to it.
Recent articles have highlighted law firm security as the most vulnerable in the chain of organizations creating or receiving sensitive data; far more vulnerable, in fact, than the corporate clients we serve, and potentially more at risk than infamously underfunded government offices. Even in the wake of the more than 80 law firms reportedly hacked in the US last year, firms continue to earn their standing as the weakest link in data security. In fact, their reputation as “soft targets” has become so pervasive as to lead to some interesting anecdotal evidence. One article tells the story of law firms being assigned to C-level hackers in high risk areas like China in order to free up A- and B-level hackers for more challenging work. Another describes lawyers as a well-known “back door” to otherwise protected information. A third draws the reasonable conclusion that the number of recent intrusions into Canadian and American firms suggests that cyber-attacks on lawyers “are now part of the hacking playbook.”
How did this routine targeting of law firms by hackers go unnoticed for so long? In part, the oversight may owe to the sparse and anecdotal record of the incidents. No government or public resource appears to collect or make readily available formal statistics on law firm intrusions. And outside the strict requirements of data breach notification laws, no one can blame firms (organizations built on secrecy and propriety) for not advertising a breach on their watch.
But perhaps in larger part, lawyers have simply failed to see security as a relevant function of an ethical and business-savvy practice. How many lawyers, for example, could differentiate between “spoofing” and “phishing” if asked? How many know whether their antivirus protection is up to date, or that malware thrives on vulnerabilities not yet known even to the most current versions? How many legal professionals know how to construct a strong password (hint: it’s not the outdated notion of substituting similar-looking symbols or numbers for letters) or the value of wrapping documents in an encrypted zip file before hitting “send”?
As in all things, there exists a spectrum of firm knowledge and prioritization of these issues across the market. Some firms have made proverbial lemonade out of the potential public relations disaster by recruiting – and empowering with budget and resources – an internal CIO, or by earning third-party certification for information protection that they can tout to current and prospective clients. Others, however, still live in a state of partial or complete denial, responding to dangers with knee-jerk reactions like forbidding the use of mobile devices altogether…or worse, not responding to the dangers at all.
In a recent article for the American Bar Association on the related topic of mobile device discovery, I described the current technical landscape “as good news for lawyers.” The heavy lifting of addressing these issues, both in policy and practice, has already been started by institutions with an immediate legal or financial impetus. (See, for example, the tools and practices of criminal investigators and the finance industry.) The software used to manage and protect our information has likewise undergone a helpful facelift in recent years; here at AccessData, I was pleasantly surprised to see the same colorful, user-friendly interface on both our new Summation case management platform and our CIRT malware analysis and remediation platform. Just further evidence that the worlds of lawyers and security are now one and the same.