Whether your law firm relies on modern Cloud Computing, or on the more traditional Client/Server network configurations, odds are that it has already put in place the requisite tools to prevent common cyber attacks, and is reasonably well-defended against external intrusions, hackers, viruses, malware, worms, ransomware, and other common scourges of the 21st Century (should that not be the case, you should immediately stop reading this article and attend to that issue, as studies show that law firms are a top target for hackers, and are continually under attack).
However, the vulnerability we wish to discuss here is not external and anonymous, but rather internal, identified, and (surprisingly) often authorized. The topic at hand is defending a legal practice against attacks occurring from within, typically involving trusted data and application users.
All firms handle sensitive, confidential data. Be it a corporation’s innermost secrets, an individual’s Protected Health Information, personal financial plans, private tax information, or a family’s turmoil and strife, the requirements to maintain data privacy and security are well-documented and enforced, via HIPAA, SOX, PCI, CFPA, and many other members of this regulatory alphabet soup. And all have stringent guidelines and requirements regarding securing data access, password controls, and the like.
What to look out for?
The real complexity starts when we seek to defend data from privileged users inside the organization, who may cause any one of the five following headaches:
Compartmented Data Access: Except for firm-specific information (such as an accounting system) the vast majority of records stored are client-centric. When law practice system users “snoop” and view such data, client confidentiality may be breached. And while it is difficult in a busy, multi-tasking firm to manage access to all documents on a “need-to-know” basis, steps should be taken to ensure that requisite privacy, whether mandated ethically, legally, or contractually, is maintained.
Negligence: It is an “Article of the Faith” that the most expensive Information Technology (IT) asset, with the highest replacement cost, is data. Conversely, damaging or destroying it is dirt-cheap. Consequently, it is imperative that users who inadvertently harm, corrupt, or otherwise disrupt the firm’s data operations are rapidly identified so that corrective action may be taken, to prevent even costlier reoccurrences. This includes entirely innocuous activities such as overwriting files or not following pre-established procedures.
Third-Parties: Part-time, short-term, and project-specific engagements are quite common in the legal industry, especially when current staffing or expertise is at capacity. These engagements invariably require access to internal IT resources, presenting opportunities for inadvertent data breaches and intentional mishandling of sensitive information. You have invited external actors into the sancta sanctorum, now how do you ensure that they don’t depart with key data files?
Data Departure: Surprise departures of firm professionals, from any level of the practice’s hierarchy, have become quite the norm, as they move on to other opportunities within the industry. Unfortunately, it has become quite common for such individuals to amass existing client documentation and expensively-developed legal templates in advance of their exit, creating serious, highly consequential data breaches.
Data Exfiltration:Lastly, but by no means least, is the nightmare scenario: An internal, trusted, privileged user engages in intentional data theft of confidential information for the explicit purpose of either financial gain (such as advance knowledge of an upcoming Merger or Acquisition) or under the mantle of “Hacktivism”, a noun which is defined as “The practice of gaining unauthorized access to a computer system and carrying out various disruptive actions as a means of achieving political or social goals.” (Think SONY, The Panama Papers, or anything coming from WikiLeaks). This type of Data Leak is quite common, with recent studies estimating that 31% of all data breaches emanate from willful actions from within.
Law firms are reporting increased demands from corporate clients to provide solutions for these situations, especially as pertaining to the Healthcare, Financial, Intellectual property and Real Estate segments.
DLP’s to the rescue
Fortunately, the impact of the above-described scenarios may be readily mitigated (and even eliminated) by the implementation of a privileged-user internal monitoring system where automated tracking combined with alert generation and usage analysis drives improved data security and regulatory compliance. Such a system will, in a transparent and unobtrusive manner, achieve three core goals:
- Alert law firm leadership of unauthorized, unanticipated user activities.
- Create and secure a definitive record of the monitored event.
- Adhere to external guidelines, best-practices or contractual obligations to take measures defending your practice from data leaks.
Moreover, merely the general knowledge by the firm’s IT users that their activities may be monitored is, in itself, an important deterrent to any nefarious actions.
The confidential data accumulated in your practice over the years is quite possibly your firm’s most valuable asset. Implementation of a Data Loss Prevention (DLP) system will help you defend it from within.
This post originally appeared as an article in our Put Into Practice newsletter, the original post can be found here