Law firms have unique data security challenges, and keeping sensitive information protected is increasingly difficult.
With the exponential growth of data that companies have to handle, the risks have also risen. Security breaches can have devastating effects, including hefty fines and damaged reputation, on law firms and any company that has confidentiality at the heart of its business.
In this month’s live Security Briefing, we focused on the unique challenges that the legal industry faces and presented how Data Loss Prevention (DLP) tools can help to better protect confidential information and prevent data breaches.
This time our speakers included Tim Deluca-Smith (Chief Marketing Officer at CoSoSys), Chris Roney (Data Security Specialist at CoSoSys), and Daryl Craig (Director Information Technology at Lenczner Slaght), who has over 25 years of experience in legal IT. They have discussed the threats law firms need to be aware of, data types they have to protect, and best practices to successfully deploy a DLP strategy.
Key insights from our Security Briefing
Here are some of the most important highlights from the Security Briefing.
More than 50% of data breaches are still caused by employee negligence.
While from the news, we might get the idea that malicious outsiders are the ones who usually cause data breaches, the reality is that over half of the security incidents happen due to malicious or careless employees.
“Once a company that was breached hits the news cycle, it usually appears as some kind of malicious actor did it. In reality, a lot of times, it’s an employee who was careless with a USB drive, or maybe they were disgruntled when they went somewhere else,” Chris said.
Many times data loss can happen due to simple, everyday actions, such as copying sensitive data to an unsecure USB drive, printing it, sending an email to the wrong person, or sharing it over instant messaging apps.
“Not all things are nefarious intentionally; they could be accidental. The majority of these insider-caused events are accidental. But it’s very hard to get really good data on that. We’ve got this data that says that more than 50% are insider breaches. That number might be even a lot higher, but it’s hard to know,” he added.
Security focus has moved from where data is stored to exit points.
Usually, when we think about data, we think about files. However, this perspective is changing as data travels more and more both within and outside companies. Thus, it’s getting vital to think about where sensitive data can go and which are the possible exit points.
“The sheer amount of applications that we use in our daily lives now that we’re using our laptops means that the flow of information is a frictionless experience, and it’s very easy to share information. So, I think less about actual data and more about potential exit points,” – Tim mentioned.
These exit points include emails, external drives, cloud storage, printers, collaboration tools such as Slack and Microsoft Teams, copy-pasting information and sharing it with a geographically dispersed team, and more.
“Many law firms accelerated the rollout of Microsoft Teams when the pandemic hit. It’s one of the common standards for law firms now. And many organizations didn’t have a DLP that could actually monitor the data shared in Teams. Systems weren’t designed to secure Teams,” – Daryl added.
And the goal of a DLP solution is precisely this: to protect your firm from data loss or data theft through these possible exit points by giving IT admins the control they need.
Law firms are unique from a DLP standpoint.
Every industry has different challenges and requirements in terms of data security. As Chris resumes, law firms “have different expectations of privacy, trust, flexibility, and the ability to do things”. All of the above make them unique from a DLP standpoint.
Law firms need to be aware of and safeguard three main types of sensitive data. Besides confidential client information that is typically unstructured and Personally Identifiable Information (PII) protected by laws, there is a third type of data that businesses often forget about: Intellectual Property (IP).
“Companies don’t necessarily consider it sensitive information, although they usually work very hard to differentiate themselves. This intellectual property – whether it’s employee training guides, how they onboard clients, the processes they use – is directly associated with profitability and often is the kind of data and information that leaves the company,” – Tim highlighted.
When deploying a DLP solution, it’s essential to get more people involved, such as board members, and conduct focus groups and pilots. And it’s just as important to take things slowly.
“Put DLP in monitoring mode first. Turn it on for 3, 6 months and track everything and then slowly lock things down. For example, we didn’t turn on much at first, and we didn’t even block the actions. It was just a warning that this action is monitored and tracked,” – Daryl explained.
DLP tools for law firms need to have the ability to control things but also provide granularity and allow employees to perform their duties. For these firms, it’s also vital to have the option to monitor and control devices even if they are not connected to the internet and offer the possibility to manage printers.
Watch the Security Briefing and learn more about:
- What is DLP and why it’s more important than ever before for the legal profession [3:33]
- The potential exit points of sensitive data [9:39]
- The types of data that need to be protected [18:01]
- Key security challenges in the legal profession [21:52]
- How to deploy a DLP strategy successfully [30:07]
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.
