Compared to banks or tech companies, many might think that lawyers and law firms don’t rank highly on the list of top hacker targets. But experienced hackers know that successfully breaching a corporate law firm with high-profile clients would be a jackpot.
Attorney-client privilege means that lawyers can know things sensitive to their clients without being legally compelled to reveal them: things that hackers can ransom or steal, like trade secrets, family matters, financial dealings and more. The bigger the client, the bigger the data trove.
Other legal concepts, such as chain of custody (no third party may even access digital evidence if it is to remain admissible), make cybersecurity and access management crucial for law firms. Data and client information must be kept safely out of reach yet still in the law's possession for the legal process to work, after all.
Cybersecurity is therefore becoming a hot new department in firms across the country, and top IT hires deploy a mix of technologies to protect clients and the law itself.
The problem with attorney-client privilege is that information told to one's lawyer no longer stays in his or her head. The modern lawyer files it into the digital system used by the law firm to help organize cases, collaborate with associates, store documents and more.
This means it's hackable, and neglecting to secure systems like these means risking the fate of Grubman Shire Meiselas & Sacks, the high-profile firm of stars like Madonna, Lady Gaga, and Robert DeNiro.
Grubman was successfully targeted by hackers who ransomed 756 gigabytes of email addresses, phone numbers, contracts, and personal information of the firm’s A-list clientele earlier this year.
To avoid a reputation-crushing event such as this, law firms should secure their internal data storage and case management platforms with an array of technology that stops unauthorized access both from outside and inside.
IT professionals tasked with protecting their firm will need to consider the following ideas if they want to minimize risk:
Sensitive client and case data must be segregated from other types of data, like information about lawyer salaries or office administration. Though it’s true this should also be kept away from hackers, it’s more important to identify which critical client data the firm keeps and where it’s kept.
Whether it’s on local drives or a third party cloud, this type of data should never be stored in the same place as the less sensitive stuff, or else the result could be ruinous.
To be able to easily visualize pieces of the network, including places where data is stored and how these sources connect to the firm’s SaaS resources, the firm’s IT team should prioritize software-defined networking tools that more easily integrate into the variety of solutions in place at the average firm.
This will enable them to micro-segment the network, and then with an accompanying access solution, create automatically-enforced rules that control exposure to client data.
Not all employees of the law firm should have the same degree of access to data. Secretaries and associates, for example, shouldn’t enjoy the type of accessibility that the managing partner does. This concept can be enforced after the firm’s network is segmented into pieces based on sensitivity, but also relevancy.
Few need access to whatever financial applications help streamline complicated billing processes, for example, so this would be one segment of the firm’s network that only relevant roles would have access to.
Adding an Identity Provider and Single Sign-On solution to the firm's IT stack gives network access rules granular qualifiers such as role, device, and location to evaluate whenever a new logon or access request occurs.
If a hacker were to breach the network through a paralegal, for instance, it's unlikely they'd get very deep into the good stuff, because the network would already have restricted this role's access privileges. Another key idea is that this reduces the prevalence of insider attacks as much as those from outside.
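The segmentation and role-qualified access rules described above, as an added example that is not part of the original article or any product's configuration: a deny-by-default policy evaluator over a constructed table of firm network segments, plus a helper that computes the blast radius of a single compromised identity (the paralegal scenario). Segment names, roles and the policy table are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed policy table (an assumption for this example): each network segment
# lists the Identity-Provider roles allowed to reach it, whether a firm-managed
# device is required, and whether it is reachable only from the office network.
SEGMENTS: Dict[str, dict] = {
    "client_case_files": {"roles": {"managing_partner", "partner", "associate", "paralegal"},
                          "managed_device": True, "office_only": False},
    "billing":           {"roles": {"managing_partner", "finance"},
                          "managed_device": True, "office_only": True},
    "hr_payroll":        {"roles": {"managing_partner", "hr"},
                          "managed_device": True, "office_only": True},
    "office_admin":      {"roles": {"managing_partner", "partner", "associate", "paralegal",
                                    "secretary", "finance", "hr"},
                          "managed_device": False, "office_only": False},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # asserted by the IdP after SSO, never by the client
    device_managed: bool  # device posture reported by the SSO/VPN client
    location: str         # "office" or "remote"
    segment: str

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; every qualifier must pass for the request to be allowed."""
    seg = SEGMENTS.get(req.segment)
    if seg is None:
        return False, f"unknown segment {req.segment!r}: default deny"
    if req.role not in seg["roles"]:
        return False, f"role {req.role!r} is not permitted on {req.segment!r}"
    if seg["managed_device"] and not req.device_managed:
        return False, f"{req.segment!r} requires a firm-managed device"
    if seg["office_only"] and req.location != "office":
        return False, f"{req.segment!r} is reachable only from the office network"
    return True, "allowed"

def reachable_segments(role: str, device_managed: bool, location: str) -> Set[str]:
    """Blast radius of one identity: the segments a holder of this role could reach
    from the given device posture and location (e.g. a compromised paralegal account)."""
    return {name for name in SEGMENTS
            if evaluate(AccessRequest("-", role, device_managed, location, name))[0]}

if __name__ == "__main__":
    # The scenario from the text: an attacker who lands on a paralegal's identity.
    print(reachable_segments("paralegal", True, "remote"))  # -> {'client_case_files', 'office_admin'}
    print(evaluate(AccessRequest("p.lee", "paralegal", True, "remote", "billing")))
```

Running `reachable_segments` for every role in the Identity Provider is a quick way to review whether a segmentation design actually limits what a single stolen login can reach.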
All firm data should be encrypted while at rest and while in motion. Strong cryptographic measures like SHA256, in whichever protocol best suits the network infrastructure, should be enforced by bottlenecking network access through an Always On VPN client.
This extends to using standard email communication as well, especially as this is the medium by which most sensitive information is sent from one place to another. A stronger and more secure method of communication is necessary, and that means encryption plus a host of other solutions like 2-factor authentication.
Lawyers and law firms also require a method of tracking down breaches or attacks after they’ve occurred, which will help lead to some restitution or at least recovery. Monitoring software that watches and records traffic moving across the network helps retrace your steps, and more easily reveals where weaknesses are – even if they need to be exploited to discover them.
With proper network and security precautions in place, monitoring is almost never used in this way, but that’s how it should be. Lawyers must also recognize that the host of digital and mobile tools and devices that help them do their jobs are also a threat if not handled correctly.
Education of lawyers is crucial and so IT teams need to make it their job to motivate security hygiene from on high – if the board and managing partners want it so, then it will be so. This is how security must be handled for law firms to navigate the modern era confidently.