Law firms in the security cross-hairs: how cloud security can level the playing field.

“Law firms are a back door to clients’ confidential information,” Business Week.

As corporations have become more aware of threats to their data, hackers and other fraudsters are quickly discovering a new, softer target from which to siphon highly confidential corporate details, proprietary personal information and trade secrets. Even as stewards of trust for their corporate and private clients, law firms have traditionally been slow to embrace new technologies. Cloud computing has been no exception, because many mistakenly believe the cloud is less secure than traditional on-premises resources. This is a regressive philosophy that is as porous as some firms’ IT environments.

“As financial institutions become stronger, a hacker can hit a law firm and it’s a much, much easier quarry,” said Mary Galligan, head of the cyber division in the New York office of the FBI.

Unlike the strict requirements that bind many of their financial, healthcare and retail clients, there is no direct regulatory compliance oversight that mandates specific data monitoring and access controls for private legal organizations. This is not to say that law firms do not take pains to ensure the confidentiality of client data, but slow technology adoption, perceived costs, limited resources and the prevalent use of conveniences like smartphones leave more and more law firms at increasing risk of data leakage and exposure.

It is understood that IT is not a law firm’s core competency. This is why you’ll find an inordinate number of them operating on very tight budgets with considerable personnel limitations. Unfortunately, this often means they incur more risk than necessary.

The cornerstone issue is that this limited oversight creates an unnecessary vulnerability, and unnecessary vulnerability leads to breach. Do you know whether a legal secretary has accessed a personal Yahoo account from a firm workstation and unknowingly opened a phishing email that installs malware or harvests credentials? Do you know who is logging into a system after hours, which client data they are accessing, and from what device? Do you know how and when any asset in your IT environment changes? Can you tell the good guys from the bad guys? Even if you can, do you have a process and the immediate bandwidth to eradicate any perceived threat? If it can be proven that a breach occurred because of a lapse in data security, a client might sue the firm for millions. Beyond the compounded loss of business, trust and reputation, an equity partner can be personally liable for the mistake.

It is this conservatism that puts a firm at greater risk. According to the 2012 American Law Tech Survey, 91% of firms have not adopted cloud technologies, citing security reasons. As late adopters, they may not realize that, individually, they are already in the cloud whether they know it or not. How many attorneys are glued to their smartphones and tablets, sending emails (with confidential document attachments!) through Office 365, accessing LexisNexis accounts, or using them for personal habits like social media or booking a restaurant reservation through OpenTable? How many of those devices (BYOD) are managed and controlled by the firm’s IT? Again, according to the survey: a paltry 8%. The issue is that these important productivity tools share personal information and can easily be used as back-door entries into a firm’s IT environment, and ultimately to private client data.

Firewalls and malware detectors alone are no longer enough to deflect the constant barrage of attacks. They might have been enough ten years ago, but the business environment has changed dramatically in that time, and so have the tactics of those seeking to steal information, stall productivity or create chaos.

Lawyers and law firms can no longer treat a broad data security initiative as a luxury. Firm systems have been routinely targeted by those seeking business advantages. Last year, it was discovered that China-based hackers rifled one secure computer network after the next, eventually breaching seven different law firms. That is just one instance; another is recounted here. According to Mandiant, an estimated 80 major U.S. law firms were hacked last year.

So, short of tripling the budget and adding an army of security analysts, what can a law firm do to take the necessary steps to ensure the security of confidential information, especially that of its clients? It can trust the cloud.

Law firms and the legal community are quickly discovering that the cloud must be an integral part of their future. Specifically, cloud-based security (security-as-a-service) removes the burden of day-to-day administration and the oppressive capital expenditures while still providing the level of protection enjoyed by the most progressive enterprises. Many naysayers make the mistake of equating a cloud computing application with cloud security. Even though many cloud-based applications have security controls that far exceed those of any given firm, a cloud security deployment does more: it monitors not just the virtual applications but also monitors and regulates on-premises and legacy applications.

This levels the playing field. If a firm can put in place an equivalent data protection program including, but not limited to, continuous real-time monitoring (SIEM and log management), immediate alerting driven by system-log analysis, credential and identity administration (IDaaS) and application access control (access management), it will not just close vulnerability gaps but create an advanced and secure culture of trust.
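To make the log-analysis alerting above concrete, and to answer the earlier questions about who is logging in after hours, from which device, and what client data they touch, here is an added example that is not part of the original post or of any product it describes. It runs three simple SIEM-style rules over a handful of constructed document-management-system log lines: a login from a device not in the firm's managed inventory, a login outside business hours by a non-service account, and bulk document access from one device in a day. The log format, the device inventory, the service-account allowlist, the business-hours window and the bulk threshold are all assumptions made for the example.

```python
"""After-hours / unmanaged-device / bulk-access alerting over DMS access logs.

Added example. The log format below is a hypothetical "timestamp key=value ..."
layout; real SIEM rules would be written against the firm's actual sources.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines (not real data). 2013-03-04 is a Monday.
SAMPLE_LOG = """\
2013-03-04T09:12:44 user=jdoe device=LF-LAPTOP-017 action=login src=10.1.4.22
2013-03-04T09:15:02 user=jdoe device=LF-LAPTOP-017 action=open doc=Client-A/merger-term-sheet.docx
2013-03-04T23:41:10 user=jdoe device=ANDROID-8f3c action=login src=198.51.100.77
2013-03-04T23:42:01 user=jdoe device=ANDROID-8f3c action=open doc=Client-A/merger-term-sheet.docx
2013-03-04T23:42:09 user=jdoe device=ANDROID-8f3c action=open doc=Client-A/due-diligence-index.xlsx
2013-03-04T23:42:15 user=jdoe device=ANDROID-8f3c action=open doc=Client-B/settlement-draft.docx
2013-03-05T02:03:55 user=svc-backup device=LF-SRV-BACKUP action=login src=10.1.0.9
"""

# Assumed firm inventory and policy (hypothetical values).
MANAGED_DEVICES = {"LF-LAPTOP-017", "LF-SRV-BACKUP"}
SERVICE_ACCOUNTS = {"svc-backup"}          # expected to run off-hours; exempt from rule 2
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # Mon-Fri 07:00-20:00 local time
BULK_THRESHOLD = 3                          # documents per user/device/day


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    device: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn 'YYYY-MM-DDTHH:MM:SS k=v k=v ...' into a dict; 'ts' is a datetime."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def in_business_hours(ts: datetime, hours=BUSINESS_HOURS) -> bool:
    """Weekday and inside the [start, end) window."""
    start, end = hours
    return ts.weekday() < 5 and start <= ts.time() < end


def analyze(log_text: str, managed=MANAGED_DEVICES, service_accounts=SERVICE_ACCOUNTS,
            hours=BUSINESS_HOURS, bulk=BULK_THRESHOLD) -> list:
    """Apply the three rules and return the alerts they raise."""
    alerts = []
    opens = defaultdict(list)  # (user, device, date) -> documents opened
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, device, ts = ev["user"], ev["device"], ev["ts"]
        if ev["action"] == "login":
            # Rule 1: login from a device the firm does not manage (BYOD, unknown).
            if device not in managed:
                alerts.append(Alert("unmanaged_device", user, device,
                                    f"login from {ev.get('src', '?')}"))
            # Rule 2: after-hours login by a human account.
            if user not in service_accounts and not in_business_hours(ts, hours):
                alerts.append(Alert("after_hours_login", user, device, ts.isoformat()))
        elif ev["action"] == "open":
            opens[(user, device, ts.date())].append(ev["doc"])
    # Rule 3: bulk document access; report how many client matters were touched.
    for (user, device, day), docs in opens.items():
        if len(docs) >= bulk:
            matters = {d.split("/", 1)[0] for d in docs}
            alerts.append(Alert("bulk_document_access", user, device,
                                f"{len(docs)} documents across {len(matters)} client matter(s) on {day}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.rule}] user={a.user} device={a.device} {a.detail}")
```

On the sample, the daytime session from the managed laptop raises nothing, the backup service account's 02:03 login is exempted by the allowlist, and the late-night session from the unknown Android device raises all three alerts. The point of the allowlist and the per-day aggregation is to keep the rules from drowning the firm in noise; a rule that fires on every off-hours event is one that gets switched off.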

A retail outfit is entrusted with credit card information. A healthcare organization is directly responsible for the security of patient records. All of this is highly sensitive data, and these companies have already moved into the cloud and are benefiting from the values it espouses, including security solutions. It is considerably more affordable. It scales with scope and size. It provides the behind-the-scenes expertise and forensic analysis to identify and remediate threats while ensuring the ongoing viability of a valuable IT environment.

To stay competitive, firms must adopt new technologies. Firms will need to reduce costs and allow for a more mobile workforce, all while protecting client information to a greater degree than ever before.

Law firms will not survive the next 10 years unless they re-think how cloud technologies can improve firm productivity the way they have for so many other businesses. Cloud security should be one of the considerations.

The defense rests!

Kevin Nikkhoo
