The public nature of the legal system makes law firms particularly vulnerable to a growing number of cybersecurity risks. Law firms have unique access to highly confidential client information and as a result, face a growing number of federal, regional and industry data protection and privacy requirements.
On this episode of the Insider Series, I sat down with Mark Sangster, cybersecurity strategist and author of No Safe Harbor: The Inside Truth of Cybercrime and How to Protect Your Business to explore what’s changed in the legal industry, and how law firms of all sizes can bolster their cybersecurity strategy.
James Mignacca (JM): Over the last several years all industries have significantly shifted how they view and manage cybersecurity. You’ve advised countless law firms across North America - are law firms thinking about cybersecurity differently?
Mark Sangster (MS): Absolutely – perspective has certainly changed over the last half a decade. Five years ago, law firms had no idea about cybersecurity, because they didn’t really see themselves as ‘at risk’. They didn’t think they were a target.
But in recent years, we've seen some marquee breaches where law firms have been shut down, or they or their clients exposed as a result. For that reason, they’re beginning to adopt a slightly different posture and recognize the value of cybersecurity and managing their cyber risk.
Depending on the size of the firm, they may not have the wherewithal, whether that's expertise or funds. If they do have budget to spend on security, many don't really know how to direct money to adequately protect their business. LLPs in particular, as limited liability partnerships, share profits. That model means money spent on anything comes out of their pockets at the end of the year, creating an uphill battle for security firms to get the kind of funds that they need to protect the law firm.
JM: To that point – like most industries there is a wide security maturity scale that reflects the size of the business. Many smaller firms struggle with knowing where or how to start implementing security measures. What best practice frameworks can law firms leverage?
MS: NIST and ISO are two standards that get fluttered about but they're not particularly palatable for small firms. They're not bite-sized in any way. So, firms tend to go back to square one or they take a fatalistic stance in thinking, if it's going to happen, I've got backups and I have cyber insurance. But that's just part of the equation.
Smaller firms need to think of it in terms of aligning their spend to their firm’s risk. They can start by looking at their business’s objectives, understanding what kinds of threats they face, what assets they have under management and what obligations come along with the management or control of those assets. That exercise produces a set of basic measures they need to take to protect the firm.
When it comes to law firm cybersecurity, ignorance is not bliss, it's negligence.
JM: Are law firms leaning into cyber insurance?
MS: Absolutely. Many firms get a policy, and everyone just sits back and says, OK, we're good. But assuming safety through insurance is another fatalistic view. How many of us would drive our cars recklessly with our seatbelts off and say - well, I have auto insurance. If I get in an accident and get injured, the insurance company will replace my car and cover my hospital bills. No one looks at risk that way, yet when it comes to business, unfortunately, we seem to do that.
From a DDQ (due diligence questionnaire) perspective, it’s gone from being a bit like the wild west in terms of getting coverage, to a more calculated process. Insurers ask fundamental questions. If those questions can’t be answered methodically then they (the insurers) send you back on your way for six months to get your act together before you can attempt the DDQ again.
Many firms don’t realize that, and now they find themselves in a position where they’re not insurable. I've heard stories about this where firms who couldn’t get cyber coverage end up using things like professional malpractice insurance to cover losses when a client is affected by a breach.
JM: Do firms understand the types of threats they face and the technologies they need to defend against them?
MS: When it comes to prevention there’s a lot of cynicism. Firms look at it like – they’ve got antivirus and firewalls in place, but it isn’t stopping attacks, which is true.
But what they don’t quite realize is that when attacks against law firms happen, they don't appear out of nowhere. There are potentially hundreds of signs that something was going on in their environment before impact, like a ransomware system lockdown.
So, in terms of awareness, it’s still a process of educating firms to look at the points of entry that exist based on the data the firm has and the systems it uses. More actively, it’s looking for clues of nefarious activity, like concurrent logins, failed multi-factor authentication attempts, new users being created or accessing assets and data that always visible.
In the case of many breaches, it comes down to knowing what you’re looking at and being able to recognize it as smoke. Because where there’s smoke, there’s always fire.
JM: What are the types of data bad actors look for as it relates to law firms?
MS: Law firms actually have an unparalleled risk in the economy and that's because they operate at a crossroads. They're a juncture where investors and companies looking for money come together, and where banks, healthcare institutions and medical researchers all exchange highly sensitive information. Even family law practice or estate management has access to critical information that can be very damaging to the client in one way or another.
Firms don’t necessarily really recognize that, which is why we are seeing a bit of a downdraft from specific types of clients who are beholden to industry standards and regulations in how sensitive data is managed. Law firms have infinite amounts of valuable data, like financial information and personally identifiable information.
The big challenge that law firms have is that they have an inherent nature to be open. If you think about a court filing, like if you sue someone or someone is charged criminally, you can see that information in a court filing because you're supposed to be judged by your peers, a jury. That's a requirement of the judicial system, but it means that information is accessible. Any criminal can look at that and start to socialize and create a social engineering campaign.
The other piece of this is that by nature, lawyers are like hoarders. They keep information for reference or future client work like will or legal document updates. In more complex law, like litigation for businesses or whatever it might be, attorneys are doing the same thing, which creates a treasure trove of high-risk information.
The reality is that when it comes to a breach, everyone thinks they're in control right up until they're not. The real challenge is that the underlying landscape is moving; tectonic shifts involving digitization. Law firms are migrating document management, moving from physical libraries and vaults into digital systems.
However, as they are, they’re opening the business up to a host of new risks. At the end of the day, all law firms need to see themselves as a target. They have to accept where they are today in terms of the data protection pieces they have in place, understand where they need to get to in terms of hygiene, and assess what they need to do to achieve a more robust security posture.
That all starts with knowing what assets they have.