CISOs and IT security leaders have to protect their own corporate data as well as the data of customers, partners and employees. Nowhere is the threat of third-party data breaches felt more strongly than at law firms, because of the volume of highly sensitive client data they hold. Consider the far-reaching implications of the Mossack Fonseca breach and the effect it may still have in financial and corporate circles in the years ahead. Most law firms are not dealing with heads of state or titans of industry, but every individual’s and company’s data is just as important to them as it is to those named in the Panama Papers.
While the idea of a law firm staying offline and going back to stone tablets is good for a laugh, society’s expectations for responsiveness and efficiency demand that enterprise IT systems and endpoints deliver security and productivity in equal measure. News like the large-scale hacks of firms such as Cravath, Swaine & Moore and Weil, Gotshal & Manges, reportedly carried out to gather material for insider trading, should give everyone cause for concern. But business is conducted electronically at the highest levels today, so law firms of any size must perform their due diligence in cybersecurity and stay ahead of criminals and regulators alike.
With the 2016 LegalSEC Summit next week, it’s the right time to highlight three ways that law firms can prevent a successful cyber attack and preserve clients’ confidence in the confidentiality of the relationship.
1. Go Back to Basics (then Go Beyond)
If you follow the trends of the cybersecurity industry, you’d think that one of the biggest threats is highly sophisticated zero-day exploits that can defeat any solution. The cutting edge of cyber crime is very real, and growing rapidly, but according to Verizon’s 2016 Data Breach Investigations Report, 85% of successful exploits targeted just ten known vulnerabilities. Ignoring those is like leaving your front door unlocked or a window open: even basic security is often enough to deter criminals who are looking for easy targets.
There is no room to be a laggard in cybersecurity, because criminals are always looking for the easiest targets. Unfortunately, dealing with known threats with traditional signature- and behavior-based detection solutions requires constant patching, updating and monitoring, because the library of known threats changes by the minute. Next-generation solutions like ReSec take a different approach that removes the need to know about and detect a threat in order to stop it from succeeding.
2. Address the Human Element
While we’re all focused on the vast network of hackers plotting and planning, many incidents trace back to mistakes that employees make. One of the most common attacks is spearphishing: targeting employees by email to get them to open an attachment, click a link or send sensitive information to the wrong person. Symantec reports that these campaigns increased by 55% in 2015. Why? Because they work far too often. Verizon reports that 30% of phishing messages are opened and that 11% of recipients go on to open the attachment or click the link.
Employee training has shown promise in raising awareness of what to look for in a suspicious email – and what not to do. Adding layers of security that protect employees as they use email and websites in their daily work can also disarm threats before an employee can activate them.
3. Don’t Be Guilty of Saying No
There was a great piece in Dark Reading last week that discussed how CISOs and their teams can’t simply say no to new innovations in the name of security. There is a balance to be found between security and productivity, but it’s important to remember that it is not a 50/50 proposition. The goal should be 100 percent secure and 100 percent productive, with a focus on finding solutions that provide one without undermining the other. With the right network segmentation, perimeter defenses and endpoint management, the door can stay open to the newest innovations that drive efficiency in the workplace, such as enterprise webmail or collaboration tools.
We’re looking forward to joining our colleagues in the legal and security industries at the LegalSEC Summit in Baltimore. If you’re attending and want to schedule a meeting, please contact me via LinkedIn. The ReSec team will also be attending the Gartner Security & Risk Management Summit outside of Washington DC from June 13-16. Hope to see you there!