The Current State of Law Firm Information Security
“Law firms are very attractive targets. They have information from clients on deal negotiations which adversaries have a keen interest in. They’re a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.”
- Harvey Rishikof, American Bar Association’s Cybersecurity Legal Task Force, as quoted by Bloomberg Business
Retail and financial data breaches are reported in the news regularly, while healthcare data breaches are also splashed across health IT publications. Breach notification laws require companies to disclose to consumers and patients the potential leakage of their personal, financial and medical data. But what about breaches we don’t hear about?
Law firms are notoriously unwilling to discuss data breaches, frustrating law enforcement and corporate clients, as the NYTimes.com reported (it’s also frustrating for journalists, I imagine). An internal Citigroup report directed at bank employees warned them of the threat of attacks on big law firms, despite the lack of reporting.
Attackers Target Repositories of Confidential Data
Law firms are obvious targets of attackers due to being repositories for confidential data on corporate deals, business strategies and other contracts. Citigroup also warned that information security at law firms are generally below standards for other industries, but they are targeted by similar attacks, including low-tech phishing attacks.
Even healthcare, which has been known to lag behind when it comes to technology and security, has a series of guidelines for data security, as well as fines if they don’t comply. Law firms, ideally, should be held to such high, if not higher standards, due to the type of data they deal with daily, including:
- Confidential client business information (current and/or future plans); privileged client-attorney communications
- Client intellectual property, like patents, copyrights and trade secret information that could give a company a competitive advantage in the market (may be of interest to international or state-sponsored malicious hackers)
- Personally identifiable information (PII) for employees, clients and third-parties (financial, healthcare or payment card information, depending on the type of law firm and case)
Attorneys in Scope of HIPAA Compliance
That last bullet is important, legally, as attorneys now fall under the federal healthcare data protection litigation passed in 2013, known as the final HIPAA omnibus rule. A press release from the Dept. of Health and Human Services stated:
The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors.
And attorneys are considered business associates under the law, requiring that they sign a business associate agreement that includes breach notification stipulations. Business associates must also comply with HIPAA compliance requirements to protect the security and privacy of health information.
The Business Case for Security
As I wrote about in Audits & Scrutiny Drive Law Firms to Seek Stronger IT Security Profiles, clients are the primary driver for law firms to adopt sufficient information security technology, as many are threatening to withhold legal work from law firms that refuse to strengthen their data security profile.
And the silence around law firm data security is becoming a problem for major banks that are now requiring more documentation and proof of data security practices within law firms before they agree to partner up. Even if there is a lack of industry regulation, law firms would still be wise to implement security measures to protect their clients’ private data, as they are not immune to intel-seeking attacks.
The NYTimes.com article also highlighted the Citigroup’s report on a few law firm security incidents back in 2012, including one that targeted a large firm in Washington with a phishing campaign in efforts to steal information about corporate clients that worked for military contractors and energy companies.
While some states require encryption of PII, including Nevada and Massachusetts, it may not be enough to keep attackers out. Phishing and other social engineering attacks effectively steal passwords and allow criminals to pose as legitimate users in law firm networks, giving them the ability to decrypt data.
“[Cybercriminals] efforts at espionage and theft are not simple-minded, poorly written ‘spam’ email attacks, but rather, well-researched ‘phishing’ efforts directed almost exclusively at selected individuals (very often of a high level) and law firms or other companies.”
- Joseph M. Burton, Duane Morris, LawPracticeToday.com
Choosing an authentication solution that protects access to applications with client data can prevent the success of a phishing attack as it requires physical possession of a mobile device to log in. Plus, it makes passwords less valuable to attackers. Learn more about Why Two-Factor Authentication?
The Current State of Law Firm Security
Last year’s International Legal Technology Association Survey (PDF) of over 450 legal firms found that most (96 percent) are running Windows 2008 servers for their network operating systems, which have many, many known vulnerabilities and security issues. Not to mention the fact that Windows Server 2008 reached its end of life date this past January, meaning Windows will no longer release updates to the OS (including those for security), and extended support will soon end in the next five years.
When it came to remote access software used at law firms, the report revealed that 60 percent use a VPN client on their attorney’s laptops, and another 29 percent use a VPN client on a mobile device. Sixty-eight percent use Citrix XenApp, a virtual application delivery tool for Windows apps, and 59 percent use an SSL VPN, such as those provided by Cisco or Juniper.
Not only are lawyers using remote access software, they’re also using cloud applications for private communication. According to a 2014 LexisNexis Report, 52 percent of lawyers surveyed used cloud-based filing sharing services like Dropbox and Box in order to transmit and share client-privileged information.
While convenient, these cloud apps can also offer up private data to remote criminals unless protected by strong authentication (learn more about strong authentication for enterprise cloud apps).
So how are law firms securing access to all of those remote access tools? Only 29 percent of law firms use two-factor authentication to secure access to their Citrix/VPN, and another 16 percent require the use of two factor to log into their Outlook Web Access. The survey suggests the use of an RSA key fob, but an easier method may be using an authentication mobile app on your smartphone, eliminating the need to carry around too many extra devices.
Only 10 percent conduct phishing and other social engineering tests of their users, which means attorneys may not be aware of the threat, and they may not be able to identify a phishing email when they receive one, putting their company and clients at risk. But it may be due to the fact that 55 percent of law firms don’t have a security awareness training program for users in place, and only 28 percent have an annual security assessment conducted by an external party.
Another factor may be budget - 44 percent of law firms report that their technology budget for capital expenses has stayed the same, with 20 percent reporting that it decreased. While threats and the number of attacks increase, it may be difficult to combat them with stagnant or shrinking tech/security budgets.
But when asked what the top three issues or annoyances within their firm was, respondents chose security and risk management as their most annoying issue, followed by users’ acceptance of change, as well as managing user and management expectations.
Dealing with change can be difficult, but selecting the right security solution can help ease the process of introducing your users and management team to new technology. Duo’s two-factor authentication solution provides a seamless deployment process for several application integrations, step-by-step documentation and an easy self-enrollment option that doesn’t require training.