Amid the barrage of recent data breaches, an increasing number of corporations are demanding that their law firms demonstrate they have safeguards in place to protect the crown jewels: sensitive client data.
In fact, according to the New York Times, “Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.”
These new requirements are the result of an increase in cybercrime across many industries, including healthcare, finance, education, and law. Law firms hold vitally important information for their clients, but often lack the necessary security measures to protect it. As a result, hackers exploit this weakness, frequently without the law firm’s knowledge. According to Vincent I. Polley, a lawyer and co-author of a recent book for the American Bar Association on cyber security, “A lot of firms have been hacked, and like most entities that are hacked, they don’t know that for some period of time. Sometimes, it may not be discovered for months and even years.”
So what can law firms do to keep sensitive client data from getting out, especially when business success depends on it? Below are five recommendations that any law firm entrusted with valuable client information can and should act on immediately to protect its clients and itself.
1. Conduct an Assessment to Identify Where Sensitive Data is at Risk
Clients are going to ask how the firm's environment is configured and protected, so it makes sense to perform a thorough review of that environment to identify the places where confidential client data, including data on mobile devices, could be exposed. A clearer picture of where the data is at risk lets the firm focus its effort on those areas rather than on everything at once.
Thankfully, firms do not have to conduct this risk assessment on their own. There are proven data discovery and classification services that can quickly point out where sensitive client data lives within the firm and how it is being used. In addition, there are basic rules any law firm can follow to protect its sensitive data: require unique, strong passwords; train staff to recognize phishing attacks; and limit each role's access on the network to the data that role actually needs, so that a compromised account exposes as little as possible.
2. Avoid Relying on the Traditional Approach of Focusing on Network Security
Almost all large law firms have security programs that start and end "on the network." In other words, the firm simply tries to keep the bad guys out of its systems. Why? Because it is easier: keeping cybercriminals out is less difficult than defending the data once they are inside. Yet the IT teams in these firms spend almost every day plugging holes in that perimeter, which is typically defended with firewalls and antivirus software. However much work goes into closing the gaps, new holes in the network are inevitable, so a perimeter-only program will always leave the firm exposed to attack.
3. Instead, Focus on Protecting the Data with Data Loss Prevention Solutions
There are several proven solutions designed so that even if a cybercriminal gets into the network, they cannot leave with the data. Called Data Loss Prevention (DLP), these solutions require the firm to classify its data and to define a usage policy for each class that is then strictly enforced: which data may be sent where, by whom, and over which channels. While it may seem like extra work, DLP is no longer optional for any firm that must protect sensitive client data to keep its competitive advantage. This is the reality of the hacking environment we now live and conduct business in. If it is even fractionally harder to steal sensitive client data, or if the data is rendered useless once outside the network (for example because it is encrypted), attackers will move on to other, easier targets. When implemented correctly, with the classification and policies tuned to how the firm actually works, DLP should have minimal impact on the law firm's workflow and should strengthen the organization's security by leaps and bounds.
4. Consider Using a DLP Managed Security Provider
One way to address the challenges of implementing DLP is to hire a DLP Managed Security provider. DLP Managed Security providers offer subscription-based security services for organizations that do not have dedicated IT staff or regular access to security experts. The services typically cost substantially less than building and staffing an equivalent data protection program in-house, which makes it easier for law firms of all sizes to mitigate security risks. The best DLP Managed Security providers have deep DLP expertise and proven infrastructure that law firms can harness so they can concentrate on their business, not on security. Managed Security providers can also improve a law firm's security posture much faster than if the firm implemented DLP on its own.
5. Go Beyond Traditional Security Training with Positive Social Engineering
Employee security awareness is a critical step in protecting client data. The key to effective employee security training is to go beyond slideware and once-a-year sessions. Innovative companies are using the prompting functionality in DLP solutions to help employees self-correct data-use issues at the moment they occur: when a user is about to send classified data somewhere the policy does not allow, a dialog explains why and asks them to confirm, justify, or cancel. After six months of using such real-time pop-up prompts, one healthcare provider reported an 85 percent decrease in data-use policy violations.
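As an added illustration of the mechanism items 3 and 5 describe (this is not code from the article and not any vendor's product), the following Python sketch classifies a document by the sensitive content it contains, looks the classification up in a usage policy for a given outbound channel, and resolves a "prompt" decision through a user-confirmation callback while recording every decision in an audit log. The detectors, the four classification levels, the channels, the policy table and the three sample documents are all assumptions chosen for the example; a real deployment tunes each of them to the firm's own data and matters.

```python
"""Toy DLP gate: classify a document, then enforce a usage policy on the way out.

Added illustration, not the article's own code and not any vendor's product. The
detectors, classification levels, channels, policy table and sample documents
are assumptions chosen for the example.
"""
import re
from dataclasses import dataclass
from enum import Enum, IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Action(Enum):
    ALLOW = "allow"
    PROMPT = "prompt"   # real-time dialog: the user must justify or cancel
    BLOCK = "block"


# Content detectors (assumed patterns) and the level each one implies.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PRIVILEGE_RE = re.compile(r"attorney[- ]client privilege|privileged\s*(?:and|&)\s*confidential", re.I)
MATTER_RE = re.compile(r"\bMatter\s*(?:No\.?|#)\s*\d{4,}", re.I)
PUBLIC_RE = re.compile(r"\bfor public release\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (highest level implied by any detector, list of reasons)."""
    level, reasons = Level.INTERNAL, []   # assumed default: firm documents are not public
    if SSN_RE.search(text):
        level, reasons = max(level, Level.RESTRICTED), reasons + ["ssn"]
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        level, reasons = max(level, Level.RESTRICTED), reasons + ["payment_card"]
    if PRIVILEGE_RE.search(text):
        level, reasons = max(level, Level.CONFIDENTIAL), reasons + ["privilege_marker"]
    if MATTER_RE.search(text):
        level, reasons = max(level, Level.CONFIDENTIAL), reasons + ["matter_reference"]
    if not reasons and PUBLIC_RE.search(text):
        level = Level.PUBLIC
    return level, reasons


@dataclass
class Transfer:
    channel: str             # "email" or "usb" (assumed channel names)
    external: bool           # recipient is outside the firm's domain
    encrypted: bool = False  # attachment protected so it is useless if intercepted


def decide(level: Level, t: Transfer):
    """Assumed policy table; returns (Action, reason shown to the user and the audit log)."""
    if level <= Level.INTERNAL:
        return Action.ALLOW, "no sensitive content detected"
    if t.channel == "usb":
        return Action.BLOCK, "client data may not be copied to removable media"
    if not t.external:
        return Action.ALLOW, "internal recipient"
    if level == Level.RESTRICTED and not t.encrypted:
        return Action.BLOCK, "restricted data would leave the firm unencrypted"
    return Action.PROMPT, "client data to an external recipient: confirm the recipient and justify"


AUDIT = []   # every decision is recorded; this is the evidence client questionnaires ask for


def enforce(name: str, text: str, t: Transfer, confirm=lambda reason: False) -> Action:
    """Classify, decide, and resolve a PROMPT through the user's confirm callback."""
    level, reasons = classify(text)
    action, why = decide(level, t)
    outcome = action
    if action is Action.PROMPT:
        # The self-correction moment: the user confirms with a justification or cancels.
        outcome = Action.ALLOW if confirm(why) else Action.BLOCK
    AUDIT.append({"file": name, "level": level.name, "reasons": reasons,
                  "prompted": action is Action.PROMPT, "outcome": outcome.name, "why": why})
    return outcome


# Constructed sample documents for the example; no real client data.
SAMPLE_DOCS = {
    "engagement_letter.txt": "PRIVILEGED & CONFIDENTIAL\nRe: Matter No. 20417\nScope of engagement ...",
    "client_intake.txt": "Client SSN 123-45-6789; billing card 4111 1111 1111 1111 (exp 12/29)",
    "press_release.txt": "For public release: the firm announces a new office.",
}

if __name__ == "__main__":
    outbound = Transfer("email", external=True)
    for name, text in SAMPLE_DOCS.items():
        # confirm=lambda: True simulates a user who reads the prompt and confirms.
        print(f"{name:24} -> {enforce(name, text, outbound, confirm=lambda why: True).name}")
    for entry in AUDIT:
        print(entry)
```

Run as a script, the intake form is blocked outright (restricted data, unencrypted, external), the engagement letter is allowed only after the user confirms the prompt, and the press release passes untouched. The two things a practitioner should take from it are that the policy can only be as good as the classification feeding it (note the Luhn check, which keeps matter numbers and phone numbers from being flagged as cards), and that the prompt path, not the block path, is where the training effect in item 5 comes from.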
As more and more sensitive data is stored online, it is important to think about how that information is being protected from sophisticated cybercriminals. Corporations will continue to demand that their law firms show proof of their ongoing security and monitoring to protect sensitive client data. By following these steps, law firms will not only be able to demonstrate how they’re protecting clients’ data, they’ll be in a position to use their advanced security posture as a differentiator with new clients, too.