The last couple of years have seen a significant increase in the number of attacks on specialized service industries that handle clients’ confidential data. If you work in a law firm, a healthcare organization, or an educational institution, chances are you have experienced a cyberattack or a data breach in that time.
Law firms in particular present a very attractive target not only for hackers but also for malicious insiders. The beginning of this year saw yet another attorney at a high-profile US law firm prosecuted for insider trading. The firm in question is Fox Rothschild LLP, and the prosecution of its employees is only one incident in a long string of similar cases in which employees misused sensitive information for personal gain, involving firms such as Holland & Knight LLP, Thompson Hine LLP, Hunton & Williams LLP, and many others.
Not to mention that the most highly publicized leak of this year, the so-called Panama Papers, involved a law firm and was potentially caused by a malicious insider. While there is still some debate about who exactly was responsible for leaking Mossack Fonseca’s most sensitive data, the lesson other law firms should take from it is clear: whatever protection you have, it is probably not enough, and if you are not paying enough attention to insider threats, you are making a big mistake.
The questions, then, are how to provide reliable protection for clients’ personal data, and what law firms are currently doing wrong. As with everything in security, the answer is not that simple. However, the key element is the approach a firm takes to formulating and implementing its legal data security strategy, because that approach is what ultimately defines its security posture.
Compliance and risk assessment – taking the right approach to security
Law firms face more challenges than any other industry when it comes to compliance regulations. Depending on its specialization, a firm may need to work with various types of clients’ sensitive data, including financial and healthcare information. Each of these data types has its own security regulations that the law firm must follow. Regulations such as HIPAA, SOX, and PCI DSS can come into play when handling client information, not to mention the additional complications of international cases, where international standards apply as well.
Failure to comply with some of these regulations may prove fatal for a law firm. Not only can it lead to legal trouble and investigations, it also damages the firm’s reputation and may ultimately cost it clients. As a result, firms do whatever they can to tackle the problem while minimizing the resources spent on it. This often results in a so-called compliance-based approach to security, where a firm simply ticks off boxes on the list of cybersecurity compliance requirements it is obliged to follow. As practice shows, such a formulaic approach to IT compliance in the legal industry does not provide reliable security.
Personal data protection is a complex, layered issue. The risks and challenges each law firm faces are unique, and so should be its approach to protecting against them. Only by conducting a thorough risk assessment can a firm actually identify all the weak points in its current defenses and all potential attack vectors. This makes it possible to formulate a compliance strategy that converts the money and resources spent not only into a list of ticked boxes but also into actual, reliable security that protects your data from both outsider and insider threats.
Best security practices for a law firm to follow
Taking the right approach and formulating a security strategy is only the first step in providing reliable cybersecurity for a law firm. There are many other best practices to consider, including secure handling of passwords, data access control, and user monitoring. Most of them are covered by compliance regulations, which therefore require law firms to implement them.
Put a response plan in place. Once a security strategy has been formulated, proper response plans should be put in place. This is where combining the risk-based and compliance-based approaches benefits the firm the most: understanding your risks and weak points allows you to create effective plans for the situations your firm is most likely to face. By contrast, firms that follow only a compliance-based approach often find themselves unprepared to respond to the incidents actually at hand.
Do not store more data than necessary. Another piece of good cybersecurity advice for law firms is not to store data they do not need. This particularly concerns leftover information from old cases that some firms keep. Storing data longer than absolutely necessary is simply inviting trouble: it widens the attack surface and lets an attacker get far more data at the end of the day.
Encrypt data and handle passwords with care. All sensitive data at rest should be encrypted. It is also best to encrypt any communication channels used to share or transfer data. Access to sensitive data should be protected with a unique, complex password that is neither written down nor shared between employees. Any default passwords should be changed immediately.
Educate employees. Employees are often the weakest link in a law firm’s security. While deliberate attacks by malicious insiders are very dangerous and hard to deal with, inadvertent mistakes can also easily cause major damage. Employees unaware of current cybersecurity best practices often handle sensitive data insecurely, making it easy for hackers to access, and they are especially susceptible to phishing attacks. It is therefore necessary to educate your employees on current security practices and raise their awareness of the threats, such as phishing, that they may face.
Privileged access management. One of the most important practices for protecting the confidentiality of personal data is privileged access management. Most compliance regulations require companies to restrict and control access to sensitive data. There are many specialized privileged access management solutions on the market, but they have their limitations. The big one is price: not many smaller law firms can afford one. Another problem is that many such solutions do not properly answer what happens once a user has gained access and is already working with the data, thus requiring a separate monitoring solution to be put in place.
Let professionals handle your IT security, but keep an eye on them. For many law firms, smaller ones in particular, everything written above can seem overwhelming. It can be very hard to dedicate enough resources to actually provide a reliable defense and achieve compliance. It is simply not feasible for many of them to have a full-time security department of their own and to invest in all the necessary security solutions. The best way for such a firm to deal with security is to outsource it to a qualified security company that can bring knowledge and experience on board, protect against incidents, respond quickly, and save you money as a result. However, it is important to note that a third party with access to sensitive information is an additional risk in and of itself. To mitigate that risk, you need to monitor the security personnel and make sure they are not committing any malicious actions themselves.
Affordable user monitoring with Ekran System
As mentioned above, user action monitoring solutions are very important for law firms. They make it easy to control lawyers and staff and make sure they are not misusing any documents for their own benefit, not to mention control over third-party subcontractors. Most importantly, user action monitoring solutions are the only tools that give you enough visibility to distinguish malicious actions from everyday user activity, allowing you to detect incidents and respond in time. There are many specialized user action monitoring tools out there, but, predictably, many of them are prohibitively expensive. While larger firms can afford one, most small and medium-sized organizations will not be ready to make such an investment. The solution, then, is to find a user monitoring system that is both powerful and affordable. One such solution is Ekran System.
Ekran System is an agent-based user monitoring solution designed for large and small businesses alike. It comes in two versions: regular and enterprise. The regular version employs a flexible licensing scheme that charges only for the number of agents in use, i.e. the number of monitored endpoints, making deployment cost-effective for small and medium-sized companies. The enterprise licensing scheme is similar to that of many other user monitoring solutions and allows large companies to receive additional features, such as high availability, built-in database management tools, advanced SIEM integration, and one-time passwords, by additionally purchasing a management panel license.
The agent-based architecture allows Ekran System to collect a very large amount of information from each monitored endpoint. Moreover, a single agent installed on a jump server can be used to monitor the whole network, albeit with less information from each endpoint than an agent installed on it would provide. Ekran System provides indexed video recording of everything the user sees on their screen, including mouse movements, and couples it with relevant metadata such as the names of active windows and opened applications, keystrokes, and visited URLs. All recordings are easily searchable, allowing you to quickly review any particular episode and verify whether any malicious actions took place.
Privileged user monitoring. Ekran System is protocol- and application-agnostic and provides full privileged activity monitoring. Unique agent protection prevents privileged users from disabling the recording.
Third-party monitoring. Ekran System can provide third-party vendor monitoring, allowing you to make sure that your partners and subcontractors do not misuse data. This is very useful when outsourcing security services, as it allows you to monitor the contractor’s activity and verify that they are not using sensitive data for their own gain.
Additional authentication. Ekran System can distinguish between users of shared accounts via optional additional authentication, allowing any recorded session to be attributed to a specific person. Optional one-time password authorization can be turned on for additional server protection.
Alerts and notifications. Ekran System provides a set of default alerts designed to detect the most widespread malicious actions. You can also create custom alerts covering the particular needs of your firm.
Session and USB blocking. Upon a suspicious event, an alert notification is sent by e-mail. You can then watch the session live, if it is still ongoing, and block the user if necessary. Ekran System also has USB blocking functionality that detects and automatically blocks USB-connected devices, such as mass storage, eliminating the need to invest in expensive USB blocking software.
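To make the alerting and blocking ideas above concrete, here is an added example of the kind of custom alert logic a firm might express over session metadata (active window titles, opened files, visited URLs, USB connections, and whether a shared-account session was attributed to a named person). This is illustrative Python written for this article, not Ekran System code or its rule format: the event field names, the `Matter ` naming convention for client documents, the business-hours window, and the sample log lines are all constructed assumptions.

```python
"""Toy alert engine over user-session metadata (constructed example, not a product API)."""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    session: str
    account: str
    user: Optional[str]  # attributed person; None when a shared account had no secondary authentication
    kind: str            # "window", "file", "url" or "usb" (this example's own vocabulary)
    detail: str


@dataclass
class Alert:
    rule: str
    session: str
    severity: str
    action: str          # "notify", "block_device" or "block_session"
    detail: str


# Constructed sample log: one JSON record per line. Field names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2016-06-14T10:02:11","session":"s1","account":"jdoe","user":"jdoe","kind":"window","detail":"Matter 4471 - Settlement terms.docx - Word"}
{"ts":"2016-06-14T10:04:30","session":"s1","account":"jdoe","user":"jdoe","kind":"usb","detail":"mass_storage:vid=0781:pid=5581"}
{"ts":"2016-06-14T23:40:05","session":"s2","account":"administrator","user":null,"kind":"file","detail":"/clients/Matter 4471/ledger.xlsx"}
{"ts":"2016-06-14T23:41:12","session":"s2","account":"administrator","user":null,"kind":"url","detail":"https://mail.example.net/compose"}
{"ts":"2016-06-15T09:15:00","session":"s3","account":"asmith","user":"asmith","kind":"url","detail":"https://intranet.example.net/timesheets"}
"""

BUSINESS_HOURS = range(8, 20)     # assumed 08:00-19:59 local time
CLIENT_DATA_MARKER = "Matter "    # assumed naming convention for client-matter files and windows


def parse_log(text: str) -> List[Event]:
    """Parse newline-delimited JSON records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(ts=datetime.fromisoformat(rec["ts"]), session=rec["session"],
                            account=rec["account"], user=rec["user"],
                            kind=rec["kind"], detail=rec["detail"]))
    return events


def is_client_data(ev: Event) -> bool:
    """True when the event touches a client-matter document (window title or file path)."""
    return ev.kind in ("window", "file") and CLIENT_DATA_MARKER in ev.detail


def evaluate(events: List[Event]) -> List[Alert]:
    """Run the rules in time order; each rule fires at most once per session."""
    alerts: List[Alert] = []
    seen = set()
    touched_client_data = set()   # sessions that have already opened client data

    def emit(rule: str, ev: Event, severity: str, action: str) -> None:
        key = (rule, ev.session)
        if key not in seen:
            seen.add(key)
            alerts.append(Alert(rule, ev.session, severity, action, ev.detail))

    for ev in sorted(events, key=lambda e: e.ts):
        # Shared account used without secondary authentication: the session cannot be attributed.
        if ev.user is None:
            emit("unattributed_shared_account", ev, "medium", "notify")
        # Removable mass storage connected: block the device rather than just notify.
        if ev.kind == "usb" and ev.detail.startswith("mass_storage"):
            emit("usb_mass_storage", ev, "high", "block_device")
        # Client data opened outside business hours.
        if is_client_data(ev):
            touched_client_data.add(ev.session)
            if ev.ts.hour not in BUSINESS_HOURS:
                emit("after_hours_client_data", ev, "medium", "notify")
        # Correlation across events: webmail visited after client data was opened in the same session.
        if ev.kind == "url" and ev.session in touched_client_data and "mail." in ev.detail:
            emit("webmail_after_client_data", ev, "high", "block_session")
    return alerts


def sessions_to_block(alerts: List[Alert]) -> List[str]:
    """Sessions whose alerts call for terminating the live session."""
    return sorted({a.session for a in alerts if a.action == "block_session"})


if __name__ == "__main__":
    found = evaluate(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"[{a.severity}] {a.rule} session={a.session} action={a.action} ({a.detail})")
    print("block sessions:", sessions_to_block(SAMPLE_LOG and found))
```

The point of the correlation rule is that neither "opened a client file" nor "visited webmail" is suspicious on its own; only the sequence within one session is, which is the kind of distinction between everyday activity and misuse that a dedicated alert set has to make. The per-session deduplication keeps a noisy session from generating one e-mail per event, and the `action` field separates what should merely be reviewed from what should be blocked automatically.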
Both compliance requirements and a particular susceptibility to insider threats make affordable user monitoring solutions such as Ekran System a very welcome addition to the arsenal of security tools that every law firm should employ. However, as mentioned above, providing reliable protection is a complex task that requires a comprehensive approach. By employing the law firm data security solutions and best practices described in this article, you will no doubt be able to greatly strengthen your firm’s security posture.