Friday, September 18, 2015

The Critical Role of Cyber Security in Law Firms

Cyber-attacks have escalated to the point where they threaten all businesses today. However, given the sensitivity and confidentiality of the information held at law firms, they have been and will remain one of the largest targets. Whether the firm serves as custodian of clients’ intellectual property or commercially sensitive information, or as investigator of possible M&A transactions, the desire to hack into these deals is and will continue to be a great risk.
I would go so far as to say that some law firms face an even greater risk than the typical mid-sized company, especially those that deal with patents and intellectual property, as they’re threatened not only by cyber criminals but also by nation-state hackers that are after commercial secrets and patents.
Numerous studies in the last few years have indicated that a law firm’s security is often relatively poor. Anecdotally, through my personal conversations with managing partners, I’ve identified two likely causes for that. Firstly, they’re typically not threat-informed, which includes a lack of understanding regarding the potential impacts of a cyber-breach to their business and, most importantly, to their customers. Secondly, they still perceive security as an expense, while they should be viewing it as a future business opportunity.
Studies aside, let me point to a case I personally worked on. We’d been engaged by a prestigious law firm, one that was likely to have better security than most, to execute a red team exercise. In a red team exercise we mimic threat actor behavior with the purpose of obtaining the ‘crown jewels’ or disrupting the business operation. Long story short, in less than 48 hours we had full control of the network, all assets including servers and shares, and all of the users’ mailboxes. We managed to do this via three different attack vectors: (1) we broke their WiFi encryption, (2) we used social engineering against the receptionist to run our malware, and (3) we used social engineering against one of the partners, who was convinced to open a malicious file sent via email.
Some of the ‘crown jewels’ in this case were all of the litigation documents related to the defense of a major car manufacturer. In a recall trial that was ongoing, that information by itself was potentially worth hundreds of millions of dollars. Mind you, the effort required to get to that information wasn’t more than a few tens of thousands of dollars. With hackers for hire, this was a worst-case scenario which could and does happen today.
I believe that it’s time for law firms to look at cyber security not only from an ethical perspective (ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”) but also as a business opportunity, one that serves as a differentiator within the industry. Given the justified buzz around cyber security and the growing attention given to the topic by executive teams and boards, who often serve as law firms’ marquee clients, firms that are able to prove they’re taking security seriously are likely to win the meaningful business.

Thursday, September 17, 2015

Doing it all wrong . . .

We’ve been doing it wrong for a while now. Over the last 20 years or so we’ve kept the discussion regarding security highly technical. Unfortunately, our greatest achievement was to exclude the c-levels and the board of directors from the conversation, and in doing that we’ve lost hundreds of years of organizational memory in problem solving, overcoming challenges, and mitigating risk. I’m arguing that cybersecurity isn’t a technical issue; it’s a business issue with strong behavioral and cultural influencers. The flourishing of the cybersecurity scene alongside the rise in cyber-attacks lends a certain credence to this theory. Yes, yes… one can argue that the increase in cyber-attacks is derived both from the shifting of conventional crime to cybercrime and from the active participation of nation-sponsored threat agents in countless cyber-attacks. I don’t!

To set the record straight, technology is crucial for solving the problem. Technologies involved in efforts such as sandboxing, deception, behavioral analysis, threat detection, cloud security, endpoint security, and many others are advancing by the day, BUT they’ll only get us so far. The unstoppable race continues through and beyond the next technology; additional resources and budgets are forever incapable of yielding the desired results. As long as we keep looking at cybersecurity as a technology issue we’ll keep coming up short in solving it. By the way, I think that we’re just in the pre-game and we’ve seen nothing yet. I predict that in the next 24 months (17 September 2017) we’ll see the first mega cyber-attack, and I wouldn’t be too surprised if that is aimed at critical infrastructure.

Personally, I’m not fond of the term “governance” and what it has represented over the last two decades in the security field – lame auditors with little to absolutely no understanding of security checking boxes.
The same goes for “compliance”, which is just a means to enforce governance; but if the governance is missing its true essence, then what you get out of compliance is nearly worthless when it comes to actual security. I like the term “Management Oversight” much better.

If we want to yield better results we need to start addressing cybersecurity as a business issue; we need to deploy methods and disciplines used in other areas of business “doing” and problem solving (e.g. game theory, applied mathematics, risk management, etc.). The board has two primary roles: the first is to set strategy and the second is to oversee the executive team and the business operation. Hence, if you’re convinced that cybersecurity is indeed a business issue, then the first step is to provide accessibility to the c-level execs and the board of directors, and that will only happen after we transform the discussion into a business discussion, looking at and evaluating business parameters.

The approach I’m suggesting is conceptually simple and potentially quite complex in its implementation. Think of layers, and think of security-related technology (and products) as the first. Technology will continue to be fundamental in solving the problem, if only because humans are both slow and liable to demonstrate poor judgment. I would like to say that the next layer is simply an industry-standard security framework (e.g., NIST, ISO, etc.), but they’ve proven not to be enough, as they rely on old-school governance which is only partially effective. Traditionally, these don’t provide real guidance pertaining to the effectiveness of security infrastructure and systems but instead focus mainly on the existence of a security management system. The third layer is the audit and testing layer. I’ve strong reservations about typical audit functions because, much like compliance, they tend to be too theoretical, too forgiving… too soft.
That said, supplementing tradition with a strong testing function which leverages red teams and war gaming, and puts functions such as security operations, incident response, and crisis management to a real-life test, would provide a realistic view of the level of security. The first three layers should be complemented by two additional layers: one which we explored earlier, management oversight, and a final component, quantitative risk management. These are bi-directional in that both receive inputs from the first three layers; they complement and feed each other and provide output in a meaningful way which supports decision making.

So, why quantitative and not qualitative risk management? That’s easy. When using qualitative risk management, the assessment evaluates critical factors using qualitative scales (e.g., high – low, 1 – 5), leaving it to the mercy of an assessor’s mood on the day. At best, experienced security practitioners may be able to arrive at similar scorecards when evaluating “high” and “low” probability scenarios. Experience and double-blind testing tell me not to count on it. Quantitative measurements and estimates flesh out the assumptions, and they can be reviewed for accuracy over time.

Back to “Management Oversight”: if we want to keep the executive team and the board of directors threat-informed, and we aim to include them, the “Management Oversight” layer needs to address their concerns and their questions: What threats are we facing? Which of these threats are we better prepared for, and where should we make further investment? How resilient are we to a cyber-attack? What is the overall survivability of the organization through a major cyber-attack? How mature are our incident response and threat intelligence programs? Have we tested our crisis management function? Who do we inform? Do we have the right messaging? Who faces the media? How effective is our security framework, and how compatible is our risk management framework with cyber risk? Are we under-insured or are we over-paying?

To sum it up, cyber security has only been around for 25 years; in some areas of the discipline there is a great deal of maturity and in others… not so much. We’re going through an evolutionary process, and what we know about evolution is that whoever manages to adapt when the circumstances change has the better chance of surviving.