Every industry has its own particularities when it comes to data security risks, depending on the type of information being stored and processed, on how many people have access to that information, and on the technologies that use it. For healthcare, patient medical records are what make the headlines when an organization is breached; for financial organizations, bank account details are what attackers chase. For law firms, trade secrets, patents, copyright details and attorney-client privileged communications are the most vulnerable. None of these industries is immune to external attacks or to insider threats. Moreover, data breaches usually occur where they are least expected, because attackers use increasingly sophisticated methods and often reach the primary target with data obtained from a breach at another company.
Privacy and confidentiality are essential values for law firms. In 2015, the American Bar Association found that one in four firms with more than 100 attorneys experienced some kind of data breach, with causes ranging from lost or stolen computers or mobile devices to website exploitation. End users' computers are the weakest link in law firms because of negligent or careless employees who click on harmful links in e-mails or send confidential data to unauthorized individuals or websites.
What are law firms supposed to do in this context?
1. Involve lawyers in decisions related to data security
Senior and managing partners should be involved in IT-related decisions and should have a say in which technologies are handed to employees and which data must be secured. As the most experienced people in the firm, they are the ones who best know the workflow and what constitutes confidential data. If there is no lawyer specialized in data protection law, the first thing to do is to bring in an expert.
2. Surround your perimeter with strong fences
Check the perimeter defense measures and make sure antivirus, firewall, and spam filters are patched and up to date. To complement this, make sure you educate employees about social engineering and other harmful techniques.
3. Control portable storage devices
If law firms aren't already controlling what data is being copied to portable storage devices, they should implement a device control solution. In recent research we conducted during InfoSec Europe 2016, we discovered that 65 percent of employees still use portable storage devices to transfer sensitive company data. At the same time, 74 percent of organizations allow employees to use USB devices on their networks, but only 35 percent of them force employees to use encrypted ones. Data leaks can be prevented by authorizing only the use of encrypted devices. Device control solutions offer visibility into which devices are connected to the company network and can block malware infections by denying access to removable devices. The same controls can be extended to remote employees and remain effective there.
4. Carefully monitor data shared on the cloud
The next layer of protection should focus on cloud apps and online services used for collaboration and on legal tools like e-Discovery. Firms should assess what content is being shared with and within these apps and who transfers it. This level of control can be obtained with data loss prevention (DLP) solutions. They are designed specifically to secure data against insider threats, such as users sending e-mails with sensitive data to the wrong person by mistake, uploading confidential details to unauthorized platforms, or sending trade secrets to people who impersonate managers with authority in the company, as happened in the Snapchat case. For any organization in the legal industry, DLP is an essential layer in stepping up its data protection game and maintaining a solid reputation.
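The kind of outbound-message check a DLP policy applies, as an added example that is not the page's own code or any vendor's product logic: it scans an outgoing e-mail for card numbers (confirmed with the Luhn check so that arbitrary digit strings are not flagged), US SSN-style identifiers and privilege markers, then blocks the message when sensitive findings are addressed to a recipient outside the firm's domain and only raises an alert when the message stays internal. The domain examplefirm.test, the detection patterns and the sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed internal mail domain (constructed for this example).
INTERNAL_DOMAIN = "examplefirm.test"

# Content patterns a DLP policy might look for. Constructed for this example;
# real policies carry many more identifiers and document fingerprints.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # loose match, confirmed by Luhn below
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PRIVILEGE_MARKERS = ("attorney-client privileged", "privileged & confidential")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from invoice or case numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    kind: str
    value: str              # masked so the audit log itself does not leak data


@dataclass
class Verdict:
    action: str             # "allow", "alert" or "block"
    sender: str
    findings: list = field(default_factory=list)
    external_recipients: list = field(default_factory=list)


def inspect_message(sender: str, recipients: list, subject: str, body: str) -> Verdict:
    """Classify one outgoing e-mail the way an endpoint DLP agent would."""
    text = f"{subject}\n{body}"
    findings = []
    for card in find_card_numbers(text):
        findings.append(Finding("card_number", card[-4:].rjust(len(card), "*")))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    lowered = text.lower()
    for marker in PRIVILEGE_MARKERS:
        if marker in lowered:
            findings.append(Finding("privilege_marker", marker))

    # Anyone outside the firm's domain counts as external, including a
    # "wrong person" typo or an impersonator's mailbox.
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

    if not findings:
        action = "allow"
    elif external:
        action = "block"    # sensitive content leaving the firm
    else:
        action = "alert"    # sensitive content, internal only: log and review
    return Verdict(action, sender, findings, external)


# Constructed sample messages: one privileged internal note, one misdirected
# message with real-looking identifiers, and one harmless invoice number.
SAMPLE_MESSAGES = [
    {"sender": "paralegal@examplefirm.test",
     "recipients": ["partner@examplefirm.test"],
     "subject": "Draft settlement",
     "body": "ATTORNEY-CLIENT PRIVILEGED. Draft attached for review."},
    {"sender": "assistant@examplefirm.test",
     "recipients": ["billing@client-example.test"],
     "subject": "Card on file",
     "body": "Client card 4111 1111 1111 1111, SSN 123-45-6789."},
    {"sender": "assistant@examplefirm.test",
     "recipients": ["vendor@other-example.test"],
     "subject": "Invoice 1234 5678 9012 3456",
     "body": "Please confirm receipt."},
]


def run_samples() -> dict:
    """Map each sample subject to the DLP action taken."""
    return {m["subject"]: inspect_message(**m).action for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, action in run_samples().items():
        print(f"{action:5}  {subject}")
```

The Luhn step is what keeps the policy usable in a law firm: matter numbers, invoice numbers and docket identifiers are often 13 to 19 digits long, and without the checksum every one of them would trigger a block. Masking the matched values in the Finding records matters too, since DLP audit logs are read by more people than the original message.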
5. Don’t ignore the mobility wave
Mobile devices are the most recent threat vector because of unmanaged connections. Most employees connect their personal tablets or smartphones to company networks and sync their work e-mail without informing the IT department. This creates an unmanaged environment with an additional entry point for malicious apps and an additional exit point for sensitive data. This is where Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) solutions come in, providing the means to make sure users have strong passwords, to remotely wipe data in case of device loss or theft, and to enforce policies according to the device's location. The control that MDM offers completes the data protection implementation by covering the modern working tools that increase productivity.
6. Integrate wearables in your corporate policy
More and more wearable devices, such as Fitbits and smartwatches, are making their way into the workplace, with an estimated one in five people in the US owning one, according to a PwC report. The personal and business data transferred between wearables and smartphones makes law firms vulnerable to data breaches. For example, smartwatches can be turned into listening devices because they can record audio and then transfer or stream the recording. Since the technology is rather new, vendors invest few resources in making the products secure and focus instead on features for user convenience. To address these risks, legal organizations should enforce restrictions or set clear boundaries for wearable use, such as allowing them in the workplace only under the strict supervision of the IT department. Apps used in connection with wearables should also be monitored to track what data they collect and to make sure they do not bring malware into the network.
Data security threats are now overwhelming for organizations. The IT department implements a solution for one type of threat while many others emerge. The most vulnerable environments are those that underestimate how valuable their data is and relax after applying a few basic security solutions. This is the case for many law firms, especially small and medium-sized ones that concentrate on developing their client base and forget that their reputation, which they then fail to maintain, is one of their most important unique selling points. By acknowledging the risks they face and applying the solutions above, they stay one step ahead of the competition and can develop their business in a sustainable way.