Workshare: Law firms close rank on cybersecurity
For several years, large law firms have been accused by the FBI and security consultants of being the weak link in the corporate security chain. While that may have been true 10 years ago, large law firms are now on equal footing with most industries in the application of sound practices to manage cybersecurity.
I recently discussed this with an FBI Cyber Crime agent, who confirmed they no longer worry about risk emanating from law firms as they once did. In fact, most of the calls they get from law firms are on behalf of their clients to enable the preservation of confidentiality associated with data breaches.
Law firms have taken many steps to address their security challenges. As is typical, these changes were driven by clients.
Large financial institutions, responding to federal oversight, required their suppliers to respond to extensive security audits. As firms learned of their client’s requirements, they began to make investments in security-related technology, people, and processes.
- They took steps to encrypt data at rest and in transit, wherever possible
- They implemented security awareness training programs to educate users about the threats they face each day
- They conducted phishing campaigns on their users to provide further educational opportunities
- They locked down access to websites that presented significant risks, including web mail and social media platforms
All this and hundreds of other steps, large and small, are now part of the law firm's cybersecurity toolbox.
A community coming together
In 2013, the International Legal Technology Association (ILTA) launched the LegalSEC Summit in response to increasing industry demands. The annual event was devoted to helping law firms understand the risks they face, and the steps that are necessary to secure their clients’ confidential information.
LegalSEC provides great educational opportunities, and the opportunity for law firm security professionals to network with their peers.
In 2015, the Legal Services Information Sharing and Analysis Organization (LS-ISAO) was formed by legal IT leaders to share threat information across the industry. Cyber criminals are weakened when their potential targets share information about threats. The LS-ISAO continues to grow since it serves an ever-critical mission.
Later in 2015, a group of leading law firms worked together to address the need to perform audits on their own suppliers. Instead of all of them performing individual audits, they searched for a service provider who could deliver the information needed as a service. Prevalent’s Legal Vendor Network now provides an essential service to many law firms. They also simplify the audit response process for companies providing products and services to law firms.
Next steps in DLP
Law firms have recently started to adopt data loss prevention (DLP) technologies to prevent confidential information from getting into unauthorized hands. Insiders represent a significant security threat, whether they act purposefully or inadvertently. Firms are migrating to closed document management systems, instead of the traditional open models. They are adding DLP capabilities to the DMSs. They are also adding DLP capabilities to their email systems, such as Workshare Secure.
I recently attended the annual Futures Conference of the College of Law Practice Management (COLPM). The COLPM is a multi-disciplinary organization with members representing all facets of the business of running a legal services provider organization. I believe less than a quarter of the participants were “traditional” technology experts.
The conference was titled “Cybersecurity: This Way There Be Dragons!” There were many useful presentations, including those covering:
- The prevention of data breaches
- Communications in case of a breach
- The importance of maintaining legal ethics in light of cybersecurity threats
- The marketing value associated with security excellence
- The impact of AI on security
- The General Counsel’s view of law firm cybersecurity
There is a broad recognition that cybersecurity is an issue that is important to everyone in a law firm. It is an essential investment that all successful law firms must make.
Please, do me a favor. The next time someone tells you that large law firms are the weak link in the corporate security chain, politely tell them they don’t know what they’re talking about.