NYT Pours More Salt on Law Firm Security Wound, but Misses the Point

According to the New York Times, a CitiGroup cyberintelligence report warned employees and clients that law firms were at “high risk for cyberintrusions” and their data security standards are typically lower than they are in other industries. Was that news to anyone?

The article mirrored the industry’s fixation on the fact that law enforcement and clients have been frustrated by law firms’ unwillingness to disclose breaches. This frustration is compounded by the knowledge that cyber criminals see them as low hanging fruit because their security is weak. Yes, their active participation in information sharing is imperative, but let’s acknowledge the obstacles.

They Can’t Disclose What They Don’t Know

Given the fact that many firms lack advanced intrusion detection, security analytics tools and data loss prevention programs, they are not in a position to detect a sophisticated compromise, let alone report it. Even Fortune 100 enterprises discover security breaches months after the fact. The reality is many security breaches are never detected. Once companies like Target, Sony and Anthem discover they’ve been compromised, look at the resources they commit to figuring out what happened. It’s not uncommon for large organizations to bring in multiple incident response teams. Yet, look how long it takes to get answers.

Often No Clear Obligation to Disclose

Even the banks will admit that they do not disclose every network intrusion that occurs. Absent a contractual or statutory obligation to notify, few companies see any value in disclosing an incident. Unless an organization feels there is a likelihood that a third party will detect and disclose the breach, most companies will keep a “non-reportable” intrusion event quiet. Since law firms typically do not possess significant quantities of data that would trigger a legal obligation to disclose and client contracts are often vague or even silent on the topic of incident disclosure obligations, firms tend to stay quiet about events they do detect. Even private disclosure of a security breach has an uncomfortably high probability of becoming public, and this would not only damage the firm. It could put legal matters at risk and cause financial loss and reputational damage to clients as well.

Information Sharing Mechanisms Are Undeveloped

Wall Street law firms are looking to establish an information sharing group that would be affiliated with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and allow firms to share information anonymously. However, as the New York Times reported, “… the two groups wouldn’t necessarily share information with each other.” Firms would just have access to some financial center resources. Also, it seems this group would consist of only Wall Street firms, leaving the rest to fend for themselves.

Industry ISACs and other sharing groups are valuable and necessary, but there are still some snags. ISAC criticisms are numerous: too much threat data with no context makes it impossible to act on the information; members aren’t sure they can trust each other, which inhibits sharing; and members often don’t act, even when the information is actionable. Furthermore, these sector-specific groups, of which there are many, don’t share with each other!

So while the promise of information sharing is enticing, until practical and legal hurdles are overcome, it is unlikely that large-scale information sharing among firms will occur. One solution to accelerate law firms’ security development is to implement a managed security solution that takes into account the unique culture and business requirements of a law firm.

Hardware, software, maintenance, risk profiling, continuous monitoring, threat hunting, incident response, malware analysis, forensic investigation… building a defensible, actionable security program is best achieved with the help of managed services. However, most services align with the same siloed approach that has been hamstringing companies for decades.

The headlines (and case law) clearly illustrate that cybersecurity is no longer just an IT problem; it’s a Legal problem. So firms need to ensure their cybersecurity programs facilitate real-time collaboration with internal Legal stakeholders, as well as client stakeholders (both legal and infosec).

Law firms would do well to find a managed security service provider possessing sufficient domain expertise to design a security program around the complexities and limitations inherent in the law firm environment, while bridging the gaps between cybersecurity and Legal, and between firms and their clients. I wonder where one could find such a firm?