Cybersecurity for Law Firms:
Is your client data secure?

These days, with data breaches making international headlines, data security and privacy is on everybody’s mind. Are you doing enough to protect your client’s sensitive data?

- of firms experienced some kind of security breach*
- report having had their systems infected by malware*
- of firms don't maintain an incident response plan*
- report that clients pressed them for more data security**

* ABA TechReport 2020

** ALM Intelligence Cyber Security and Law Firms Report

The Threat Landscape

“Law firms may not only be soft targets, they may also be attractive targets—if they are known to have a large corporate client base, an attacker may be drawn to them, like a bee to honey. While the corporate clients themselves may have sophisticated computer security defenses, their law firms’ defenses are probably weaker.” (ABA Cybersecurity Handbook)

Data Breach

The legal sector is custodian to the sensitive data of its clients. Besides the potential damage to brand and reputation, breached data can cause financial damage and create legal complications. IBM's Cost of a Data Breach Report 2020 estimates the average cost of a data breach at $3.86 million, or $150 per record that contains PII, or "personally identifiable information". Make sure your firm takes industry-standard steps to protect against data breaches.

Ransomware

Ransomware attacks have been on the rise for years, with attacks paralysing businesses, organisations and even cities all over the world. Ransomware can be delivered through various vectors including emails and web applications. Keeping a robust cybersecurity posture is critical in defending against ransomware.

Business Email Compromise

Business email compromise ("BEC") occurs when an attacker gains access to an email account trusted by the employees of an organization - for example, the email account of an employee or business partner. The attacker then utilizes this account to communicate with unsuspecting employees within the target organization - often to have them unwittingly wire money to the attacker's account.

Assess Your Risk
Effective risk analysis ensures security efforts focus on what matters.

As part of the global business ecosystem, law firms face security risks similar to other sectors. Yet their specific mission and structure often mean that otherwise common threats require a customized approach.

The first step in understanding your risk is knowing your corporate environment. It is critical to create and maintain a comprehensive and up-to-date asset list so you know what it is you need to protect. Keeping track of assets also ensures that no endpoints or other assets exist on the corporate networks without your knowledge. This is especially relevant if your organisation utilises the cloud, where assets can be spun up relatively easily, and not always in coordination with the security team.

External attackers are usually broken down into three subgroups:

1. Amateur hackers, also referred to as script-kiddies, who generally utilize low-skill attacks against the lowest-hanging fruit.
2. Organized criminal groups, which have the human and capital resources to go after higher-value targets.
3. Nation-state actors, also generally referred to as Advanced Persistent Threats (APTs), with the infrastructure and personnel to plan and execute months- or years-long offensive campaigns, often utilizing custom-built hacking tools and zero-day vulnerabilities.

According to the 2020 Verizon Data Breach Report, internal actors accounted for approximately 30% of total successful data breaches. Insiders include disgruntled employees, as well as ex-employees whose access to company resources has not been terminated in a timely manner.

When you bring in a vendor and give them access to company networks, systems or data, you are also onboarding their cyber risk. The SolarWinds mega-attack is the latest and gravest example of this risk vector. With the proliferation of cloud-based services, a company can easily have tens of third-party service suppliers. Third-party risk assessment and evaluation can help mitigate this basically unavoidable risk.

Start Here

Building the Foundations

For a small to medium size law firm, there is a lot to do, but budget, manpower and time are usually in short supply. Building out a dedicated security team, or hiring a full-time Chief Information Security Officer (CISO), is usually not an option – nor is it necessary. Our entry-level Essentials plan is designed to provide your organization with the basic building blocks of a comprehensive security program.

Virtual CISO

Start developing a relationship now with a seasoned security expert, who will get to know your company and its unique security requirements. Through regular meetings, your dedicated vCISO will understand your threat landscape, allowing them to advise on both strategic and tactical security matters, as well as manage longer-term projects.

Security Program Development

An organization has different security needs at different stages of growth. We’ll help ensure that your security posture improves in line with your overall organizational maturity, through the development of a structured and documented security program which aligns with major international standards such as ISO 27001.

Security Awareness Training

Within the security industry it is well known that the weakest link in a company’s security is usually its employees. We’ll help you train employees to recognize phishing and other social engineering tactics through interactive learning and simulated phishing emails, based on real-world malicious phishing campaigns.

Beyond the Basics

Next Steps: Security Ops

Once a security program is set in motion, and security awareness begins to be integrated into organizational culture, the next step is building out a Security Operations Center (“SOC”). A SOC consists of a team of dedicated security engineers and analysts who, equipped with an advanced security intelligence platform (next-gen SIEM) and other tools, provide real-time monitoring and analysis. The foundation of a SOC is visibility.

Security Operations I

Vulnerability Assessment

Vulnerability assessments are performed by penetration testers (ethical hackers) utilizing the latest tools and techniques of real-world malicious actors, allowing you to see how your organization looks from a hacker’s perspective, and providing you with a full post-testing report including recommended remediations.

Security Operations II

Continuous Monitoring

24/7 continuous security monitoring provides an integrated 360-degree perspective of critical assets in your corporate network and infrastructure, enabling detection, investigation and remediation of anomalous and other potentially malicious activity.

Security Operations III

Endpoint Detection & Response

Securing employee endpoints – desktops, laptops and mobile – is especially critical when the workforce is dispersed and no longer sitting together in an office. Many classic security measures, such as securing the office network perimeter, become less relevant. The employee endpoint is the new security frontier, and visibility and proper controls are crucial.

Incident Response

Security incidents are bound to occur, even at the best-defended organizations. No defensive measure can reduce an organization’s cyber risk to zero, and even the ubiquitous “onion model” of security – a foundational model based on the idea of layering several diverse security measures one on top of the other – cannot guarantee a company will not experience an incident. BrothersKeep will be by your side to assist in the various stages of incident response. We’ll help to coordinate the forensic investigation, and steer toward getting you back to business as quickly as possible. We’ll also help you make sure lessons are learned and integrated.

Responding to incidents in a responsible and systematic manner will leave your company stronger.

Security Self-Serve

There's a lot you can do to strengthen your organization's security.

Multi-factor authentication is one of the simplest but most effective ways to increase your organizational cybersecurity. It is hard to overstate the security benefit which comes with requiring a secondary step, such as an SMS message or authenticator app (Duo, Google) response. Make sure to enable multi-factor authentication on every system your employees utilize. While it is true that MFA is often initially perceived by employees as a nuisance, a potential attacker experiences this slight inconvenience as an extremely significant hurdle.

Make sure a licensed antivirus product is installed on every computer. Why is it important for the product to be licensed? Generally speaking, there are two kinds of antivirus. The classic antivirus programs most of us are familiar with utilize signature-based malware detection. A “signature” in this context is a unique string of characters, generated by a cryptographic function performed on a malware’s source code. Because new malware is regularly found in the wild, signature-based antivirus applications need to be updated with new signatures on a regular basis – hence the importance of ensuring your license is up to date.

One of the shortcomings of signature-based antivirus is that if even one character of malware source code is altered, the signature changes as well. A newer form of antivirus, often referred to as “next-gen” antivirus, attempts to address this shortcoming by analyzing the behavior of a suspected malware, instead of relying on recognizing it by its source code. Among various advanced capabilities, next-gen antivirus attempts to detect anomalous or otherwise suspicious behavior on a user’s system in order to isolate potentially dangerous malware-based activity. Next-gen antivirus generally requires more management, tuning and monitoring to be effective, as opposed to classic antivirus which usually works right out of the box. 
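As an added illustration (not code from the original page or from BrothersKeep), the following Python contrasts a hash-based signature, which a single changed bit defeats, with a simple behaviour rule over endpoint telemetry; the sample bytes, the event list, the process names and the detection name are all constructed here.

```python
import hashlib
from collections import Counter

# --- Classic, signature-based detection -----------------------------------
# Constructed sample: a fake "known bad" file and a copy differing by one bit.
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-test-payload" + b"\x00" * 8
VARIANT = bytearray(KNOWN_BAD)
VARIANT[12] ^= 0x20            # one bit flipped: "construcTed-test-payload"
VARIANT = bytes(VARIANT)

def file_signature(data: bytes) -> str:
    """Hash-style signature: SHA-256 over the whole file contents."""
    return hashlib.sha256(data).hexdigest()

# Signature database as a vendor update would ship it (constructed here).
SIGNATURE_DB = {file_signature(KNOWN_BAD): "Constructed.Test.Sample"}

def signature_scan(data: bytes):
    """Return the detection name for an exact signature match, else None."""
    return SIGNATURE_DB.get(file_signature(data))

# --- Behaviour-based detection ---------------------------------------------
# Constructed endpoint telemetry: (process, action, target). A behaviour-based
# product reasons over sequences like these instead of over file bytes, so a
# repacked sample that still acts the same way is still caught.
EVENTS = [
    ("WINWORD.EXE", "spawn", "powershell.exe"),
    ("powershell.exe", "write", "C:/Users/alice/Documents/brief.docx.locked"),
    ("powershell.exe", "write", "C:/Users/alice/Documents/contract.pdf.locked"),
    ("powershell.exe", "write", "C:/Users/alice/Documents/deposition.pdf.locked"),
    ("explorer.exe", "write", "C:/Users/alice/Documents/notes.txt"),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}

def behaviour_scan(events, rename_threshold=3):
    """Flag processes launched by an Office application that then rewrite
    several user files with an unfamiliar extension (a ransomware pattern)."""
    spawned_by_office = {tgt for proc, act, tgt in events
                         if act == "spawn" and proc in OFFICE_APPS}
    renames = Counter(proc for proc, act, tgt in events
                      if act == "write" and tgt.endswith(".locked"))
    return sorted(proc for proc, n in renames.items()
                  if n >= rename_threshold and proc in spawned_by_office)
```

The hash signature catches the original sample but not the one-bit variant, while the behaviour rule flags the script host from its actions alone; real products tune such rules to avoid false positives, which is the management overhead the paragraph refers to.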

The first step in thinking strategically about your organization’s cybersecurity is knowing exactly what you need to protect. Proper asset inventory is critical. This is especially true in the age of the cloud, where assets can more easily be spun up by someone on the team and forgotten about, increasing the organization’s attack surface. 


Make sure to have a password policy which includes a minimum password length of at the very least 8 characters. You can find general password policy advice from Microsoft here.

Business continuity planning is a large topic which can get quite advanced. But the basic principle is building the resilience needed to get back to business as quickly as possible in the event business-critical systems are unavailable – either due to a cybersecurity incident, or any other unpredictable event. 

The foundation of building resilience consists of making sure all business critical systems are regularly backed-up. A policy should be in place determining which systems should be backed up and at what frequency. And no less importantly, at least once a year the organization should simulate a fail-over to the backup systems to ensure the backups actually work in a real-world scenario.
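As an added example (not from the original page or BrothersKeep's own tooling), this Python script performs the restore check the paragraph calls for: it backs up a constructed document share, restores the archive into a scratch directory and compares every file against the hashes recorded at backup time; all paths and file contents are constructed here.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a restored or source file (chunk this for multi-GB backups)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def take_backup(source: Path, archive: Path) -> dict:
    """Archive `source`; return {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest

def restore_drill(archive: Path, manifest: dict) -> list:
    """Restore into scratch space and list files that are missing or changed.
    An empty list means the backup can actually be restored intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return problems

def demo(simulate_corruption: bool = False) -> list:
    """Constructed data: a tiny document share backed up and then restored.
    With simulate_corruption the manifest is altered to show a failing drill."""
    with tempfile.TemporaryDirectory() as root:
        share = Path(root) / "share"
        (share / "matters").mkdir(parents=True)
        (share / "matters" / "brief.txt").write_text("constructed brief")
        (share / "retainer.txt").write_text("constructed retainer")
        archive = Path(root) / "nightly.tgz"
        manifest = take_backup(share, archive)
        if simulate_corruption:
            manifest["retainer.txt"] = "0" * 64   # pretend the file changed
        return restore_drill(archive, manifest)
```

Run the drill against a real restore target rather than the backup host itself, and keep the manifest with the backup so the comparison is possible after a genuine outage.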

Make sure you have a policy in place regarding the processing of outgoing payments. Such a policy should include mandatory review and validation steps, commensurate with the payment amount, before any significant sum is sent out.

Schedule a consult

Let us help fill the gaps in your corporate security posture.
Or call us to speak to an expert now:

+1 212 643 1850