As we saw from last week’s WSJ and NY Times articles, hacking and breaching law firms are not new (at the time of writing this, we’re just hearing about the massive leak of data from Mossack Fonseca). This begs the question: How should law firms effectively detect a data breach? Most firms do have data security and privacy teams and even counsel clients on cyber security best practices from a legal perspective.
In practice, law firms are no different from other third party vendors with one critical exception — they hold the most valuable market moving information of many companies. A standard vendor due diligence business toolset applies to law firms but drilling further by asking some really difficult questions related to data security and privacy is warranted.
As a corporation responsible to your shareholders, stakeholders and employees you should have a checklist of business and technical questions ready for your law firm. Here are few due diligence security areas to review with your law firms:
- What protection is used for document collaboration — such as rights management? (Law firms share massive amounts of documents internally and with clients.)
- What were the results of external and internal penetration tests? How frequently are these performed? When was your last test performed?
- How are networks and systems monitored? Is monitoring 24/7?
- Does the law firm have forensic capabilities or does it have a contract with a vendor to provide Incident Response service with short SLA-defined response times?
- Did the firm engage in any threat assessment that would audit the current system for indicators of compromise? What’s the ongoing frequency of this assessment?
- What compliance or industry framework does the law firm follow? If certification was obtained (like ISO or SSAE16), what is the technical and operational execution path?
The new cyber ecosystem assumes that any system is hackable. The best enterprise teams can detect an attacker quickly and rapidly eliminate the threat. This requires expensive human capital and products that are constantly used in such emergency operations. Such combination of talent and smart engineering is what successfully combats cybercrime.
Digital systems are constantly probed for intrusions by adversaries. AlienSpy is a great example of this type of bad actor. Being a part of many forensic investigations, I can attest to the fact that all organizations can be better prepared.
The standard business practice is to perform a test to determine if any intruders are on the network — these are commonly referred to as threat assessments. Technical review of the systems along with technical training sessions to educate not only employees, but IT professionals as well, should be performed at least on a quarterly basis. In my next blog I will expand on the checklist of cyber items to explore with your law firm. Stay tuned.