Enemies at the Gate: The Threat of Law Firm Cyber Security

Published for Thomson Reuters Legal Executive Institute on June 9, 2015

The Legal Executive Institute’s 5th Annual Law Firm CFO/CIO/COO Forum in New York last week was devoted entirely to cybersecurity—and for good reason. The risk of cyberattack is one of the most important and urgent issues law firm leaders face today.

All organizations are vulnerable to an invasion of their data. Target, Sony, and last week’s hacking of US Government personnel data are highly publicized examples of what can happen to anyone who maintains stores of data. More than 1 billion data records were reported stolen in 2014. And those were just the reported incidents. The unreported and undetected incidents were exponentially greater.

In the information age, data has value. Some data has huge value. If you maintain data, you are akin to a Depression-era bank: there are countless Bonnie & Clydes roaming the cyber-countryside looking for someone to rob. But these 21st century Bonnie & Clydes are more diverse and better equipped than their 20th century antecedents. Some are just plain crooks, but many are sophisticated cyber-criminals with substantial resources, parties acting for adversaries of clients, or agents of foreign governments, including intelligence agencies. This is serious business.

Traditionally, law firms have been very effective at maintaining the confidentiality of client information. But they are as vulnerable to cyberattacks as any other organization. In fact, law firms are particularly vulnerable for at least two reasons. First, they maintain significant amounts of highly valuable data about their clients, as well as other data they have assembled in the course of representing those clients. To paraphrase Willie Sutton, hackers target law firms “because that’s where the data is.”

It would be hard to overstate the magnitude of the risk law firms face. The likelihood that they will be targeted approximates 100%. And the damage that would be caused by a data breach—financial, strategic and reputational—could be devastating.

Second, law firms are regarded as easier to hack than their clients. The bad guys know that law firms lag behind their clients both in the timing of their cybersecurity programs and the resources that are devoted to them. Not only are law firms where the data is, they don’t have the most effective guards protecting the vaults.

It would be hard to overstate the magnitude of the risk law firms face. The likelihood that they will be targeted approximates 100%. And the damage that would be caused by a data breach—financial, strategic and reputational—could be devastating. There is much that law firm leaders can do to address the risk of cyberattack. It will not be simple, easy, or inexpensive. Here are some headline action elements:

Recognize the Risk

Law firm leadership must take stock of the nature and magnitude of the risk that cyberattacks present. The details will vary from firm to firm, as will the appropriate responses. The starting place is a genuine understanding of the threat.  And this recognition must truly be genuine.

These issues are different from the ones law firms normally face. Addressing them will require changes in behavior that will be unpopular and sometimes seem contrary to the culture of the firm. And there will be no positive feedback from clients or the public for doing a good job; this is purely defensive. A firm’s cybersecurity policy will be noted only when it fails. What’s more, a commitment to cybersecurity will be expensive. If firm leadership does not recognize the risk, it won’t agree to deploy the resources that will be needed.

Adopt an Effective Cybersecurity Program

While the particulars will vary, all law firms must have a thoughtful and detailed cybersecurity program, with three fundamental dimensions:

• prevention;

• detection; and

• response.

Designing and implementing the appropriate program for a given firm requires a combination of cybersecurity expertise and an understanding of the firm’s practice, clients and culture. It must be based on an understanding of how the real world of cyberattacks works and the tactics that can best manage risk and mitigate damage. It must also realistically assess the behaviors that can be expected of the firm’s personnel.

Lead

If there was ever an issue that demanded true leadership, this is it. This one can’t simply be managed. Law firms need to cause all personnel to embrace a comprehensive cybersecurity program and do what it requires, even when no one is looking. A single firm’s defense against cyberattack will only be as strong as its weakest link.

A cybersecurity program will require procedures that make it harder to access information and otherwise make everyone’s day-to-day experience less convenient from password changes to limiting access. It will also involve procedures that appear to reflect a lack of trust. The natural tendency of people will be to find a way to circumvent the procedures. In addition, the tactics used by the hackers will be creative and effective at duping personnel into dropping their guard. Everyone needs to be alert to the risk, and prepared to adapt to new tactics that will be employed.

Firm leaders will need to express clearly, effectively and consistently to all personnel why the new procedures are being implemented and how truly important it is that they comply. Everyone must become a true-believer. They need their own personal image of a virtual Bonnie and Clyde intent on stealing their data.