Legal practitioners hold, store and transfer privileged, highly sensitive information entrusted to them by clients, which by default makes them prime targets for attackers.
Implementing and enhancing security controls, and finding new ways to secure and store client information on the firm’s network, is imperative for any law firm that hopes to avoid becoming the next data breach headline. A single breach will have a significant impact on a firm’s reputation, can place it on the wrong side of the law, or, worse, put it out of business.
The legal community needs to ensure that sensitive data and communications remain “blacked out” to everyone except authorized users, even if traditional perimeter defenses are breached. As legal professionals seek to reduce costs by moving to decentralized cloud computing environments, the limits of current methods of protecting critical data from cyberattack and exploitation are becoming increasingly apparent.
Compliance is mandatory; security is essential, not optional. The consequences of a data breach include:
- Loss of Competitiveness - Cybercriminals, and even honest mistakes, can circumvent IT defenses. Whether the exposure is intentional or not, valued privileged communications can be revealed and dramatically weaken a firm’s ability to compete.
- Compliance Breaches - If a firm is not protected from breaches of privileged communications, compliance with relevant policies and mandates becomes an immediate and serious issue. Such breaches can lead to fines, lost business, malpractice claims and a host of other penalties and challenges.
- Damaged Reputation - Client trust and access to new business remain precious commodities. A single communications breach hitting the headlines can quickly erode these hard-earned assets. Estimated losses for breached companies have ranged upwards of $200 million for a single event.
- Lost Productivity - The repercussions from the loss of privileged communications may cost a firm its competitive advantage while efforts at damage control sap resources from conducting daily business.
So, what are some of the ways a law firm can begin to ensure it is both secure and compliant? The first step is to recognize its key vulnerabilities. Below are five areas to examine closely to both mitigate as well as avoid potential data breach liability.
1. The Best Defense is a Good Offense
Applied to cybersecurity, the phrase “the best defense is a good offense” means not waiting for the perimeter to fail: new ways to secure the data itself are required to reinforce existing defenses. Data-centric security solutions are needed that protect data at rest as well as data in motion, so that the data stays protected even when the surrounding network or storage infrastructure has already been breached.
Data security must be all-inclusive and cover the full range of operations, from internal and external communications to financial transactions, client records and other data in storage. Globally, the legal community faces the ongoing challenge of storing and transmitting data securely while still being able to access it quickly, without interrupting everyday business practice.
2. Commonly Utilized Encryption Is Not Enough
Until now, bulk encryption combined with firewalls has been the standard approach to protecting data and other assets from internal and external threats. Encryption transforms readable information (plaintext) into an unintelligible form (ciphertext) using an algorithm (the cipher) together with a secret key. Ciphertext is designed to be restored to its original readable form only by applying the matching decryption algorithm with the right key: the same key for symmetric ciphers, the corresponding private key for public-key ciphers. The intent is to keep critical information safe from theft and exploitation even when an attacker obtains a copy of it. The caveat is that bulk encryption only helps while the key is kept away from the compromised system: a disk encrypted as a whole is transparently readable to any process, including an attacker’s, running on the host once it has been unlocked.
The plethora of recent breaches shows that these defenses have not been enough to protect many Fortune 1000 organizations from data loss. Closing these gaps calls for a next-generation data security solution that virtually eliminates the loss of sensitive information. Newer technologies such as MicroEncryption, which uses MicroTokenization to encrypt each file individually down to the byte, aim to prevent the mass data breaches that have made headlines almost daily.
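As an added illustration of the two points above, encryption that is only as safe as its key and per-file encryption, the Go program below is example code written for this page; it is not the MicroEncryption product or any vendor’s implementation. It goes slightly beyond the text: each file is sealed under its own key derived from a master key, using AES-256-GCM, so that a wrong key, a blob moved under another file’s name, or a single flipped bit is reported as an error rather than returned as garbage. The master key, file identifiers and memo text are constructed for the example; in practice the master key would live in an HSM or key management service and only derived per-file keys would touch the storage host. HMAC-SHA256 stands in for a standard KDF such as HKDF to keep the example dependency-free.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveFileKey derives a distinct AES-256 key for one file from a master key
// that never leaves the key store. HMAC-SHA256 is used as the PRF here for a
// dependency-free example; HKDF is the standard choice in production.
func deriveFileKey(master []byte, fileID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("file-key:" + fileID))
	return mac.Sum(nil) // 32 bytes
}

// fileAEAD builds the AES-256-GCM instance for one file's derived key.
func fileAEAD(master []byte, fileID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveFileKey(master, fileID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile seals plaintext under the file's own key and returns
// nonce || ciphertext || tag. The file identifier is bound as associated data,
// so a blob copied under another file's name will not open.
func encryptFile(master []byte, fileID string, plaintext []byte) ([]byte, error) {
	aead, err := fileAEAD(master, fileID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(fileID)), nil
}

// decryptFile reverses encryptFile. Any change to the nonce, ciphertext, tag,
// key or file identifier makes Open return an error instead of plaintext.
func decryptFile(master []byte, fileID string, blob []byte) ([]byte, error) {
	aead, err := fileAEAD(master, fileID)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, sealed := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(fileID))
}

func main() {
	// Constructed example values; a real master key comes from an HSM or KMS.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	memo := []byte("PRIVILEGED: proposed settlement range for the Acme matter")
	const name = "acme-matter/settlement-memo.docx"

	blob, err := encryptFile(master, name, memo)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, none of it readable without the key\n", len(blob))

	back, err := decryptFile(master, name, blob)
	fmt.Printf("authorized user reads: %q (err=%v)\n", back, err)

	// Same master key, but the blob was renamed to another matter: different
	// derived key and different associated data, so it does not open.
	_, err = decryptFile(master, "other-matter/settlement-memo.docx", blob)
	fmt.Printf("blob under another file name: err=%v\n", err)

	// One flipped bit anywhere in the stored blob is detected, not silently returned.
	blob[len(blob)/2] ^= 0x01
	_, err = decryptFile(master, name, blob)
	fmt.Printf("tampered blob: err=%v\n", err)
}
```

The design point is that an attacker who copies the storage volume gets nothing without the master key, and an attacker who obtains one derived key can read exactly one file; both properties come from the key derivation, and GCM’s tag is what turns silent corruption into a detectable error.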
3. Unsecured Email
Today, email in its various forms continues to be the primary method of business communication. Over time, security practitioners have learned that securing email is a complicated challenge. By default, email is “open” as it moves across the Internet and intranets: a message that is not encrypted or otherwise protected can be read, intercepted or altered in transit. To stop these exploitations, end-to-end encryption of email was introduced and has been adopted by many businesses. Because email protection is a critical requirement for most businesses, the decision is not whether to implement it, but which methodology is best and how quickly it can be implemented with the least effort and business interruption.
4. Mobile Device Hacking
The portability of laptops, tablets and smartphones introduces exposures that can wipe out the protection afforded by traditional network and facility controls. Today, a Wi-Fi attack device can be purchased for less than $100 and, by impersonating the access points that nearby devices are looking for, can get a large share of client devices to connect to it within seconds. An attacker with very little experience can reach a device within roughly 30 feet in a coffee shop, restaurant or airport, or while driving down a street. Recent studies found that over 56 percent of laptops were broadcasting the names of their trusted Wi-Fi networks (in probe requests for saved networks) and 34 percent were willing to connect to highly insecure Wi-Fi networks. Wireless Intrusion Prevention Systems (WIPS) offer some defense, but few firms make use of them. Additionally, if a firm uses a cloud-based file sharing service, the best practice is to choose one that has been assessed against PCI DSS and that supports HIPAA compliance (HIPAA itself has no certification program, so ask for the provider’s assessment evidence rather than a badge).
5. Unsecured Text Messages
By sending a single crafted text message, attackers have been able to access information and change device settings without the user seeing any indication that a compromise has occurred. A firm specializing in mobile security recently demonstrated this vulnerability using nothing more than the information found on a typical business card.
Understanding where potential weaknesses lie is a critical step in protecting any law firm. Ensuring, at a minimum, that the five areas listed above are addressed goes a long way toward preventing devastating data breaches. Implementing the proper levels of protection, and remaining vigilant as technology changes, is key. Third-party sources such as PC Magazine can assist your decision-making about which platforms to evaluate and implement.