Reputation matters more to the success of law firms than for most other industries. Securing it reasonably and cost-effectively requires that law firms have a robust cyber strategy.
Cybersecurity of Large & Small Law Firms: Big Must get Small, Small Must get Big
Small law firms have limited resources; they might never know they'd been breached. Their security through obscurity is diminished with high-visibility cases. To better mitigate risks, they should form collectives with others to buy high quality managed services to administer and secure all of their IT; the small must get big.
Large law firms have the resources to implement sound cybersecurity practices. They can also waste a lot. As in every other industry, enterprise cyber spending has risen year after year, yet the breaches continue. The reason is that they are embracing the wrong strategy or paradigm.
Cybersecurity Strategy for Large Law Firms: Follow the Money
Roughly 70% of successful enterprise breaches began at an endpoint. Look at your resource allocations in terms of endpoints:
● Prevent (before compromise)
● Detect (after compromise)
Most of your tool and labor spending goes into layers of different tools, teams, and processes that detect intrusions after an endpoint has already been compromised. The EDR or Behavior Analytics agents on that same endpoint rely ever more on post-compromise detection. Your network IDS, SIEM, and other tools enable legions of analysts to monitor and investigate alerts after one or more endpoints are compromised. Adding more tools, specialists, and workflows increases the cost and effort required to operate them as a system. The cost of each of these 'pieces' depends on what happens at the endpoint. Your numbers will show you that an ounce of prevention is worth more than a pound of 'detect and react.'
Cybersecurity Malpractice: Don't Worry, Be "Reasonable"
Generally, law firms need to be able to show that they took "reasonable" measures to avoid a breach when one occurs. The courts don't want to second-guess the business decisions about what a law firm must do to protect its own and its clients' interests. Judging compliance or non-compliance with industry standards would ultimately demand that the court do just that. Plaintiffs are at a disadvantage because they must show that the law firm acted in bad faith when it came to protecting client information. Non-compliance with some standards alone does not amount to "bad faith." Law firms need only demonstrate that they made "reasonable" efforts to secure client information.
But Reputation is Not "Reasonable": Risk-based Prioritization should be "Personal"
Your law firm is at far greater risk from a lost reputation than from cyber breach litigation. Client information possessed by law firms can be extremely personal. After people laugh at the humiliating revelations of an individual, they imagine what the same might hold for them if a law firm breach exposed their secrets. The human mind is associative. The name of a breached law firm can be emotionally anchored in a person's memory. Reputation is everything.
'Detect & React' Dwell Time Equates to Client Data Leakage
According to "Cost of a Data Breach Report 2019", Ponemon/IBM, July 2019, average enterprise breach detection was 230 days, plus another 84 days to contain. This data does not pre-date the deployment of cloud-based EDR/Behavior Analytics tools; they're included. These vendors can show numerous examples of detecting attacks in milliseconds or hours. A lot of client information and law firm reputation can leak away in 230 days. Pursuing a more preventative solution that will provide real-time countermeasures is essential to sustaining reputation.
Why the C-Suite Must Tackle "Fear" in their Corporate Culture
Executives rely on others to solve technology problems. However, some cybersecurity problems are rooted in people.
An enterprise penetration test at a large law firm illustrates this point. Knowing that social engineering tactics don't rely solely on exploiting misplaced trust, the pen tester exploited the other major lever: "fear". He knew that IT/Sec-Ops people are often bullied in some organizations. Posing as a lawyer, he skillfully terrified the IT/Sec-Ops person on the phone into handing over a Windows credential so that the "lawyer" could install the software he needed to do his job. It turned out to be a Windows Domain Admin credential, the keys to the entire kingdom.
The C-Suite can make 'fear' harder to exploit by ensuring no one feels they can bully IT/Sec-Ops personnel. Diagnosing and treating this condition is a people problem. Eliminating it mitigates considerable law firm risk.
Phishing Attacks: Something you don't Know
As the old adage goes: a different tool for a different task. Distinguish between phishing attacks that compromise endpoints with malware and those that use fake websites to trick end-users into revealing information. Very different tools are used to mitigate these two risks. Conformance-based endpoint tools can block malware. But nothing may ever take the guesswork or the false negatives out of deciding whether a website can be trusted. The best remedy for mitigating 'watering hole' attacks is end-user cyber training.
Ransomware: Prevent or Pay
Ransomware typically only dwells for minutes to hours before it strikes, not 230 days (i.e., average breach detection). The impact can be extraordinary, as DLA Piper found in 2017. They detected the attack in 20 minutes. But they could not react quickly enough to block the spread and damaging actions of the malware. Their Sec-Ops were better than most, labor-intensive, exceptionally mature, and quite costly.
All 'detect & react' cybersecurity strategies hinge on some form of recognition. The most effective tools of a preventative strategy succeed simply by keeping things within their respective swim lanes; no recognition is required. When this happens at the endpoint, Sec-Ops as a whole costs far less. And reputation is more secure.
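The contrast between recognition-based detection and conformance-based prevention can be made concrete. The following is an added example, not code from the article or from any product it mentions: it runs a constructed log of endpoint process-launch events through two policies. The first flags only executables whose hash is already on a known-bad list (recognition). The second enforces a "swim lane" (which directories code may run from, and which parent processes may spawn children) and denies everything else by default, so a never-before-seen executable is blocked without being recognized. All paths, process names and hash strings are constructed placeholders.

```python
"""
Added illustration (not from the article): a default-deny "swim lane"
policy versus a recognition-based detector, applied to a constructed
log of endpoint process-launch events.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LaunchEvent:
    user: str     # account that launched the process
    parent: str   # basename of the parent process
    image: str    # full path of the executable being launched
    sha256: str   # placeholder hash string (constructed, not a real IoC)


# Constructed sample events; the second one is a novel, never-seen binary
# dropped into a temp folder and spawned by the word processor.
SAMPLE_EVENTS = [
    LaunchEvent("alice", "explorer.exe",
                "C:\\Program Files\\Word\\winword.exe", "hash-word"),
    LaunchEvent("alice", "winword.exe",
                "C:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.exe",
                "hash-unknown-1"),
    LaunchEvent("bob", "outlook.exe",
                "C:\\Users\\bob\\Downloads\\update.exe", "hash-known-bad"),
    LaunchEvent("carol", "explorer.exe",
                "C:\\Program Files\\Word\\winword.exe", "hash-word"),
]

# Recognition-based policy: only hashes already known to be malicious.
KNOWN_BAD_HASHES = {"hash-known-bad"}

# Conformance-based policy: code may only run from these trees ...
ALLOWED_IMAGE_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
# ... and each parent may only spawn what its lane permits.
# "*" means any conforming image; an empty set means no children at all;
# a parent not listed here gets an empty lane (default deny).
PARENT_LANES = {
    "explorer.exe": {"*"},
    "winword.exe": set(),
    "outlook.exe": set(),
}


def basename(path):
    """Return the file name portion of a Windows-style path, lowercased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_by_signature(ev):
    """Recognition: alert only if the hash is already on the bad list."""
    return ev.sha256 in KNOWN_BAD_HASHES


def conforms(ev):
    """Prevention: True only if the launch stays inside its swim lane."""
    if not ev.image.lower().startswith(ALLOWED_IMAGE_PREFIXES):
        return False
    lane = PARENT_LANES.get(ev.parent.lower(), set())
    return "*" in lane or basename(ev.image) in lane


def evaluate(events):
    """Run both policies over the events and report the verdict of each."""
    return [
        {
            "user": ev.user,
            "image": basename(ev.image),
            "signature_alert": detect_by_signature(ev),
            "prevented": not conforms(ev),
        }
        for ev in events
    ]


def prevented_without_recognition(events):
    """Count launches the lane policy blocks that no signature would flag."""
    return sum(1 for r in evaluate(events)
               if r["prevented"] and not r["signature_alert"])


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
    print("blocked with no recognition needed:",
          prevented_without_recognition(SAMPLE_EVENTS))
```

The novel temp-folder binary is never recognized by the hash list, yet the lane policy stops it at launch because it runs from outside the allowed trees and because the word processor is not permitted to spawn children. That is the article's point about prevention: the verdict depends on conformance to a known-good shape, not on having seen the attack before.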