The Verizon 2019 Data Breach Investigations Report says that 34% of all breaches in 2018 were caused by insiders or untrained employees clicking on cybercriminal emails making it to their desktop, and it’s only going to get worse.
Law firms, their clients, and all organizations, in fact, face an exponentially growing threat landscape, exacerbated by untrained employees, emerging technologies, interconnected and mobile devices, and new and evolving privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Most law firms are not employing the basics to protect their firm, and more importantly, their clients.
The bleak reality is that law firms have not committed themselves to basic foundational elements to improve their threat defenses.
So, how do corporate legal departments and law firms stop a committed, cybercriminal looking to steal information, or with malicious intent? Firms need to work extra hard to stay ahead of all threats, and its mission-critical to move beyond standard security controls when it comes to cybersecurity risks.
Law Firms and Legal Departments Are Exponentially Growing Soft Targets
As custodians of sensitive and high-value information, lawyers collect a massive amount of data about their own business and that of their clients, including regulatory filings, intellectual property, employment contracts, privileged communications, non-public personal information (NPI) and personally identifiable information (PII), to name a few. This is the exact information that criminals are working so hard to steal from firms.
Firms are, unfortunately, especially known in the cybercriminal world for not being able to protect this information. Almost a quarter of respondents to the American Bar Association’s 2018 Legal Technology Survey Report indicated that their firms had experienced a data breach—and these are just the firms that are aware they have been breached. Many firms never even report a breach, so real numbers are much higher than reported.
Former FBI director Robert Mueller said: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Given the increasing recognition of these risks, 48% of law firms had been subject to a data security audit at the behest of at least one corporate client over the preceding year.
But why are threats so dangerous? Because criminals concentrate on the easiest path to the data: the employees who have authorized access to it.
Criminals use phishing campaigns, malware injection, or lateral network movement and privilege escalation when dealing with employees. All they need is one employee clicking on one bad link in an email and they are in. From there, it’s all downhill.
To better secure your organization from all threats, you need to focus on the data. Below are three steps to reduce the risks of insider threats through better understanding and management of data.
1) Employee Full Employee Education and Threat Mitigation Services
Did you know that 95% of cybersecurity breaches are due to human error? On top of that, only 38% of global organizations state that they’re prepared to handle a sophisticated cyberattack.
And worse, as many as 54% of companies say they have experienced one or more attacks in the last 12 months. This number rises every month.
Social engineering is a current favorite tactic among cybercriminals—the psychological manipulation of victims to convince them to willingly or unwittingly surrender private data that is then subverted for nefarious purposes. Another prominent technique is phishing, where phony emails or links are spread to employees who then have their login credentials mined. In fact, 95% of cyberattacks are a result of phishing scams, so phishing awareness training is essential.
Alongside these two, malware is also a constant threat, with people downloading apps or software that are designed to compromise their devices or provide network access to hackers.
Your employees are your first and primary line of defense against online crime. That’s where cybersecurity awareness training comes into play, equipping your employees with the knowledge and skills they need to protect themselves from criminal elements.
Any employee with access to a work-related computer or mobile device should undergo thorough cybersecurity awareness training. This means pretty much everyone because anyone with private or officially registered technology can be targeted. Those personal cell phones may still have data on them that can be used to access corporate networks. Or, if the employee falls victim to identity theft, their unique info can be used to create false profiles that link back to your brand, allowing for a wide variety of fraudulent acts.
By bringing cybersecurity awareness and training to all your employees, you heighten the chances of catching a scam or attack before it is fully enacted, minimizing damage to your brand and reducing the cost of recovery.
2) Encrypt Sensitive Data at Rest
With encryption solely at the device level, sensitive information can still be viewed via a server, opening the door to unauthorized documents accessed by system administrators who have access to back-end databases. By encrypting individual documents at rest, users can close that door, ensuring that not even high-level administrators can gain access to document contents without authorization from established content owners.
Document-level encryption protects content both on-premise and in the cloud, and continues to protect content that is backed up onto external media. This protects back-up data in-house and ensures that content remains encrypted and inaccessible should a back-up device be stolen or hacked.
3) Employ Proactive Monitoring Tools to Detect Threats
Even authorized users can engage in unauthorized document access. That is the very essence of many insider data breaches. Proactive activity monitoring tools, such as those that reside within enterprise content management (ECM) systems, can detect suspicious access patterns and send customized alerts to designated individuals. This minimizes the time between improper data access and its detection, limiting the damages of such a breach.
These monitoring functions can also automatically lock down sensitive documents, preventing access when an authorized user attempts to violate a rule or engages in unusual activity, perhaps by deleting multiple documents or accessing documents outside of business hours. Finally, activity monitoring includes the creation of document audit trails, enabling organizations to reconstruct what happened during an attempted breach or inappropriate document access.
Proactivity Is the Watchword
With a growing number of data breaches initiated internally and an ever-widening regulatory landscape demanding stricter data protection requirements, organizations need to move from a reactive model—after sensitive data is lost and it’s too late—to taking preventative steps to mitigate the risk of criminal data theft.
Law firms, corporate legal departments, and other organizations that deploy these advanced technologies can enable better security at the document level, which is the source of growing insider threats. A more layered security approach, however, is critical to fighting off internal bad actors and reducing the risk of a catastrophic data breach. It’s crucial to also reinforce a security-conscious culture where there are security policies and protocols in place to help teams better detect suspicious activity. With this mix of the right technology and practices, organizations will be one step ahead in mitigating insider threats for good.