How Secure Are Law Firms’ Computer Networks?

Adapted from Catherine Dunn, Corporate Counsel, Law Technology News

The dramatic rise in electronic economic espionage against U.S. corporations came into full view with a report on the trend issued by the U.S. government last November. That same month, the Federal Bureau of Investigation held a meeting in New York City with some of the weaker links in the online spy game: law firms.

It’s an issue that should be getting the attention of in-house counsel, especially as they share sensitive — and potentially valuable — data with outside counsel.

Rich with client information, law firms are often much less equipped to fend off cyberattacks than the corporations they represent. Ergo “a hacker can hit a law firm and it’s a much, much easier quarry,” Mary Galligan, head of the cyberdivision in the FBI’s New York City office told Bloomberg. Likewise, in a series of blog posts on this issue currently running in Forbes, cybersecurity expert Alan Paller says: “The important files relating to clients’ international activities are usually much easier to find in the law firms’ files than in the corporate files.”

Digital risk consultancy Stroz Friedberg has advised both law firms and corporate clients on this growing problem. Firms need to take a risk-oriented approach to protecting client information, says company co-president Eric Friedberg, a former federal prosecutor and an expert in cybercrime response. At the same time, he says, there are important questions in-house counsel can ask about how their files will be protected (see Stroz Friedberg’s Security Questions Corporations Should Ask Their Law Firms, below).

“Attackers go where the money is,” says Friedberg. These days, law firms should assume that hackers will infiltrate their network, and they should identify which digital assets are most at risk and put the most security around those areas, he says.

Knowing what is of value to potential cyberattackers can help dictate a security strategy. Intrusions that are backed by state entities have been increasing, and state-sponsored agents are particularly interested in information that could prove useful in the mergers and acquisitions context, Friedberg says. So while a merger between two Chicago-based companies may not prove particularly alluring to foreign government hackers, major deals that involve a state-sponsored entity or otherwise affect the interests of a foreign country present much more risk, says Friedberg.

“We’re advising law firms to segregate that data, and put much more security around that data,” he says.

One common way hackers can infiltrate a firm or company is through a method called “spear phishing.” An email arrives from someone who appears to be a trusted source, and that email contains a link or an attachment that, when opened, gives a hacker instant access to the recipient’s computer and/or internal network. “Typically, the link appears to fail, or it takes you to some sort of innocuous material, and the user doesn’t think twice about it,” says Friedberg. “And now that computer is completely owned.”

And yet, he adds: “The disparity in the levels of security we’re seeing is startling.” Some law firms have a very strong culture of security, at or beyond that of their corporate clients. Others continue to prioritize the convenience of a flat, open network over the security of a network with more barriers.

“The issue ends up being that the lawyers are so oriented to the convenient use of computers,” Friedberg notes. “It presents real challenges to pervasively establish a culture of security, because convenience has to be subjugated to secure computer use.”

How can in-house counsel get a better idea of how secure a law firm is? Friedberg offers a dozen security questions that corporations should ask their law firms.

STROZ FRIEDBERG’S SECURITY QUESTIONS CORPORATIONS SHOULD ASK THEIR LAW FIRMS

1. Do the managing partner and the executive committee champion and drive a culture of security?

2. Does the firm secure email, remote access, and servers with RSA tokens or another form of dual-factor authentication?

3. Does the firm force complex passwords on workstations and servers; limit the use of IT personnel with highly privileged credentials; and closely monitor the logs of such highly privileged accounts?

4. Does the firm log access to its clients’ files, so who touched what file can be reconstructed?

5. Does the firm conduct regular anti-phishing training?

6. If the firm has offices in countries associated with state-sponsored espionage, how does the firm deal with the security implications of that fact?

7. Does the firm broadly grant users access to data on the network, or is access granted on a need-to-know basis?

8. Does the firm use secure enclaves, where highly sensitive data receives higher levels of security protection and monitoring?

9. Does the firm have state-of-the-art intrusion detection, session-recording, log-aggregation, and enterprise forensic tools?

10. Does the firm employ highly trained security personnel who are skilled in sophisticated incident response?

11. Does the firm have an incident response plan and pre-designated outside incident response providers?

12. Does the firm keep sufficient perimeter logs and monitor anomalous activity?