In a world where cybersecurity risks are growing every day, law firms of all shapes and sizes need to step up their game to thwart attacks and prevent the disastrous reputational and operational damage that can result from a cyber-breach.
Those threats are more sophisticated than ever — and there are more of them. “What we’re dealing with is a qualitative shift in the nature of these threats, and this requires a much more sustained effort, focus and accountability within organizations to mitigate the risks associated with these threats appropriately,” says Adam Kardash, a partner with Osler, Hoskin & Harcourt LLP in Toronto.
And law firms offer a tempting shortcut to cybercriminals who realize that “sometimes the best way to get to a target is through a service provider or someone who has intimate knowledge of the target because they may be more lax in what they are doing,” says Carolena Gordon, a partner with Clyde & Co. in Montreal. “So, they may see law firms as a method to get to high-profile clients.”
Lawyers are bound by a mix of ethical, legal and contractual obligations to keep client data confidential. They have an ethical obligation under rules of professional conduct to hold all information concerning clients’ business affairs in the strictest of confidence. Law firms should be aware that “more generally, [they] are subject to applicable private sector privacy legislation,” Kardash says. And clients may impose commercial requirements to protect their information, adds Kevvie Fowler, partner, advisory services, with KPMG LLP (Canada) in Toronto.
All of this makes a data-governance program critical. In larger firms, this should involve striking a multi-stakeholder committee comprised of individuals from the departments responsible for data in their custody and control and the development of policies, practices and procedures to deal with the lifecycle of data from the moment it’s acquired or created to the moment it’s destroyed, Kardash says.
This includes implementing measures to ensure that technology used in the law firm is protected. “That means going through and making sure machines are up to date, that people are using [secure] passwords, that staff understand the different dangers and take precautions to make sure the information is secure, especially if it’s on a device that gets taken out of the office,” says Dan Pinnington, vice-president, claims prevention and stakeholder relations with LawPRO in Toronto.
As more lawyers use laptops, smartphones and tablets, mobility poses one of the greatest challenges in the data-protection landscape; protection must be in place when lawyers work on critical information outside the office. “Many devices now have built-in encryption right in the operating system,” Pinnington says. “It’s fairly easy to turn on and it provides another layer of protection in case the device is lost or stolen.”
Cloud-based solutions are another option, Gordon says, noting that many lawyers don’t store anything on the laptops they take from the office. “It’s just basically a vessel through which information will flow. So, when I get home or the destination of my choice and login to the internet, I use my token or my key to get into my system. I’m then on an encrypted safe line to obtain my documents or my information. Those are the things that clients now expect us to do.”
This underlines the importance of protecting the information sitting on law firm servers. “At a minimum, firms require proper firewall protection that’s constantly updated,” Gordon adds. “The IT department or consultant has to update it regularly and adapt to what’s happening out there because one virus can bring down a whole network.”
Even better, law firms could and should have an intrusion prevention system (IPS) in place that “scans traffic within a network trying to identify malicious traffic patterns based on a list of known signatures,” Fowler says. But even that is not enough these days; savvy organizations are using extrusion detection.
“The problem with [IPS] is that we don’t know what all of the bad signatures look like,” he adds. “So, organizations that are being very aggressive are focusing on extrusion detection. This means they’re still looking at preventing the bad guys from coming in but they realize that some bad guys are already in the network. With extrusion detection, they’re trying to detect when the bad guys find sensitive information in the network and try to transfer it outbound.”
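To make the distinction Fowler draws concrete, the following added example (not from the article or any of the firms quoted) runs two detections over a constructed set of outbound proxy records: a signature-style check that only fires on a known-bad destination, and an extrusion-style check that totals bytes sent per user to any untrusted host. The host names, users, byte counts and the 5 MB threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed outbound proxy records for illustration: timestamp, user, destination host, bytes sent, path.
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice docs.example-client.com 2100 /matter/view
2024-03-01T09:05:40 alice docs.example-client.com 1800 /matter/view
2024-03-01T11:14:02 bob known-bad.example 512 /cmd.php
2024-03-01T13:20:05 carol paste-host.example 5200000 /api/upload
2024-03-01T13:21:19 carol paste-host.example 4800000 /api/upload
2024-03-01T14:00:00 dave mail.example.com 30000 /send
"""

# Placeholder standing in for an IPS signature list: only destinations already known to be bad.
KNOWN_BAD_HOSTS = {"known-bad.example"}

# Destinations the firm expects to send client data to (constructed allow-list).
TRUSTED_HOSTS = {"docs.example-client.com", "mail.example.com"}

# Total bytes sent by one user to one untrusted host at or above this value is flagged (assumed threshold).
EXFIL_THRESHOLD = 5_000_000

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the scan."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, nbytes, path = m.groups()
        records.append({"ts": ts, "user": user, "host": host, "bytes": int(nbytes), "path": path})
    return records


def signature_alerts(records):
    """IPS-style: fires only when traffic matches a known-bad signature (here, a known-bad host)."""
    return [(r["user"], r["host"]) for r in records if r["host"] in KNOWN_BAD_HOSTS]


def extrusion_alerts(records):
    """Extrusion-style: aggregate bytes per (user, host) to untrusted hosts and flag large outbound totals."""
    totals = defaultdict(int)
    for r in records:
        if r["host"] not in TRUSTED_HOSTS:
            totals[(r["user"], r["host"])] += r["bytes"]
    return sorted((u, h, b) for (u, h), b in totals.items() if b >= EXFIL_THRESHOLD)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("signature alerts:", signature_alerts(recs))
    print("extrusion alerts:", extrusion_alerts(recs))
```

On the sample data the signature check catches only the traffic to the listed bad host, while the volume-based check catches the 10 MB upload to an unlisted host that no signature would match; in practice the allow-list and threshold would be tuned to the firm's own traffic.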
However, even the best security measures in the world won’t work if users aren’t properly trained and educated.
“Anyone involved in cybersecurity will tell you that the biggest risk is the user,” Gordon says. “If users don’t know what they’re doing and they’re not conscious of the risks, then that’s the point of contact at which [cybercriminals] will penetrate.”
The commitment to taking cybersecurity seriously has to come from the top. “Leaders have to set the tone for the whole organization,” Kardash says. “It’s well-understood that effective data governance works only if there’s real buy-in from the top, not just lip service.”
That means making a commitment to cybersecurity by dedicating the appropriate budget and resources and sending the message that firm leadership takes it very seriously, Gordon says: “Partners should show their associates and junior lawyers at the firm that we are vigilant about cybersecurity. In the same way we show them by staying behind our desks for nine or ten hours a day to get things done, we have to model for them what good cybersecurity is so they can see that this is part of being partner.”
Finally, be aware that there’s no one-size-fits-all solution to data protection. “There isn’t a simple, silver bullet answer: ‘Do this and your firm is protected,’ unfortunately,” Pinnington says. “This is very complex and there are all sorts of different things you need to do.”
Data protection on a budget
Small law firms and sole practitioners face the same cybersecurity challenges as their bigger brethren, but they have limited resources for data protection. Here are some tips on staying safe without breaking the bank:
• Hire an IT consultant to review your network and devices and establish proper firewalls and data-protection measures. Getting advice is crucial.
• Develop a basic set of rules on how and when information should be accessed, including via a cloud-based network. Sample security policies are available online at low cost.
• Implement encryption on your network and on all your devices.
• Check YouTube for basic security-awareness training videos that staff and lawyers can watch for free.
• Don’t hesitate to implement quick fixes to make sure things are running more safely.