With the Panama Paper incident and other noteworthy recent law firm security breaches top of mind (see, “Hackers Breach Law Firms,” Wall Street Journal (March 29, 2016)), law firms in the U.S. and around the world are increasingly concerned about being hacked by cybercriminals (see, “Cyberattack Exposes Law Firms’ Weak Spots,” Wall Street Journal (Dec. 29, 2016). In response, many firms have significantly upgraded their perimeter security systems to ensure that only authorized and authenticated users can access their systems. Yet perimeter security is only one part of a comprehensive legal data security strategy and by itself leaves open a weak spot — attackers who, using phishing or other methods, are able to bypass strong perimeter security systems, and once inside find themselves able to access a firm’s emails, documents and other work product.
But law firms do not just have to live with this weakness. With a strong information governance strategy, law firms can restrict access to sensitive work product to employees who need this information, and also quickly and accurately identify potential attacks that have bypassed perimeter security systems. Such successful law firm information governance strategies secure work product on a need-to-know basis so that all users do not have broad access to information that is not immediately relevant to their business purpose. They also encrypt and protect work product using multiple authentication mechanisms, so that if any employee is compromised, access is still not easily provided to the hacker. Finally, they can detect threats and identify attacks, helping law firms stop attackers from securing client information, and enabling them to alert clients when their information has (or has not) been compromised by an attack.
Law firms can implement such a strong information governance strategy by following six basic steps:
- Educate and train users;
- Store work product in governed locations;
- Use strict security models;
- Share files in a secure fashion;
- Develop and enforce data retention policies; and
- Use information governance analytics.
By following these six steps, law firms will be able to implement a strong information governance strategy that, in combination with strong perimeter security systems, allows them to not only fend off most cyber attackers, but also prevent or at least limit any damage from attackers that do find a way through their perimeter security systems.
Education and Training
The first step in implementing a strong information governance strategy lies in education and training, since even the best security technologies can be defeated if a firm’s employees are not trained to use them properly. As demonstrated by the hack of the Clinton campaign’s emails through a phishing attack on the campaign’s chairmen, even senior and sophisticated users are susceptible to social engineering-style cyberattacks that allow cybercriminals to bypass perimeter security systems.
Classes and other training activities are a necessary and good starting point for user education. Nonetheless, the lessons from such training are often easily forgotten. Strong information governance strategies complement training with “fire drills” — for example, fake phishing emails that “test” users and see if any of them take the bait and click on the link in a phishing scheme. Such experiential educational activities provide users with “real-world” examples of how such attacks might work, and make it more likely that they will be rigorous about adopting best practices.
In addition, education programs need to inculcate an incident reporting culture that encourages users to report incidents. Such a comprehensive education program not only arms users with the knowledge they need to avoid phishing and similar attacks, but also ensures that all users recognize the firm’s commitment to protecting their clients’ work product, encouraging habits and other behavior that puts this knowledge to use.
The next key step in any strong information governance strategy is to store sensitive work product in governed locations. One needs to take particular care of work product that might be shared outside the firm via file sharing or unencrypted email. For this governance to be effective, access to these locations should have multi-factor authentication in place.
In addition, all such locations should also encrypt information both while it is at rest and while it is in motion, in order to add an additional layer of security. Finally, these locations should use technology that creates an audit trail that tracks access and other work product activity of all users. Such audit trails enable the law firm to know what has been compromised after a breach has occurred, allowing them to proceed with the next steps needed to minimize the damage of the breach — including informing clients whether their information has (or has not) been compromised.
Strict Security Models
Another way that law firms can strengthen their information governance strategy is to implement strict security models. Such models make sensitive information available to only those who “need to know” — the members of the specific project, deal, or matter team. By limiting the amount of work product any particular user has access to, they reduce the impact if a cybercriminal secures that user’s credentials, and the overall risk associated with any successful cyberattack.
Such a shift can be difficult for firms used to providing more open access to work product to their users. However, given the security benefits, and the fact that clients are increasingly demanding that their law firms adopt such models, law firms would be well served to begin implementing strict security models.
Another way in which law firms can implement strong information governance strategies often involves a change in user behavior — the adoption of secure file sharing processes and technologies — to replace current policies that use unsecure email or other file-sharing services to collaborate on work product. As part of their job, lawyers need to be able to securely share and collaborate on work product with third-party consultants, partner firms, their clients and others outside of the firm.
Traditionally, they have used email or consumer file-sharing services such as Box or Dropbox for this, but these technologies are not secure tools for such collaboration. Using email to collaborate results in sensitive work product residing in the users’ or the collaborators’ Inboxes or other mailbox folders — potentially for years if an email retention and deletion policy is not in place. As a result, this work product can be hacked by anyone who gets their hands on your users’ (or their collaborators’) credentials.
As an alternative to email, many law firms or individual users use consumer file-sharing services. Yet while such services are easy to use and set up, these consumer solutions often have weak governance structures in place, if governance structures are even used at all. The way to address these vulnerabilities is for law firms to find and use sharing and collaboration tools that combine the ease of use of consumer tools without compromising on the information governance features needed to protect this data.
While the switch from old email and file-sharing technologies and processes can appear to be difficult, once the transition is made, work product sharing and collaboration is much more secure, while the actual file-sharing process is as intuitive and easy as it was previously.
No cybercriminal can access sensitive information that has been deleted. That is why another key component of any strong information governance strategy incorporates a robust data retention policy that includes comprehensive tracking, retention, and, when appropriate, deletion of a law firm’s work product and other information. Law firms will not want to delete everything; some work product needs to be retained due to potential future legal demands for information or other reasons. Nonetheless, data retention policies that simply delete any work product that is no longer needed can significantly reduce the firm’s risk exposure from a breach.
Moreover, even if a firm’s data retention policy leads it to retain almost its entire work product indefinitely, content that is no longer needed for any immediate work can be archived to a location that is secured to a few select users, again reducing the chances of any cybercriminal being able to access it. Ultimately, even if the amount of work product deleted is low, implementing and enforcing a robust data retention policy can significantly strengthen a firm’s information governance strategy.
Unfortunately, even law firms that follow all the steps above can be breached. That is why it is key to incorporate analytics that monitor and alert administrators to unusual activity, as doing so can significantly minimize the damage from any breach. However, not all analytics are created equal. Weak analytics tools can produce many false positives, alerting administrators to “improper” activities even when such activities are normal. Fortunately, new advanced big data analytics can build an individual pattern of behavior for each user, and use these patterns to reduce false positives.
In addition, and perhaps more importantly, such advanced big data analytics also improve identification of attacks in progress, helping law firms minimize the damage from these attacks. While advances in technology have helped cybercriminals, they have also resulted in new technologies that can assist law firms in thwarting such criminals, and law firms should make sure they are using them.
With the six steps described above in place, law firms can complement their perimeter security systems with a strong information governance strategy. In doing so, they can dramatically decrease the probability of a successful breach, and minimize the damage of any attacks that are successful.
Will this make the law firm completely secure? No. Total security is a myth, and law firms must be constantly diligent, always seeking to monitor, upgrade and enhance both their perimeter security systems and information governance strategy if they hope to stay one step ahead of cybercriminals. However, by deploying security in depth — with both powerful perimeter security systems and a strong information governance strategy — law firms can at least ensure they have done their best to put in place the defenses they need to not just survive, but thrive, in an increasingly threatening cybersecurity environment.
***** Ian Raine is head of product management at iManage, responsible for iManage’s suite of information governance products for law and other professional service firms. He has 25 years of experience building information governance, records management and other enterprise software products.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.