I had a great podcast yesterday. My guest owns his own Identity Management consulting firm, and we had a great conversation as to the procedures and steps that are required in order for an individual to be positively confirmed. It is important to keep in mind that Cybersecurity does not simply involve tearing down IT and Network Infrastructures to see where the weaknesses lie.
It involves many other aspects as well (heck, one could make at least a 1,000 page book on all of this), and one of the key areas is in making sure that your organization has the best tools in place to make sure that only authorized employees are accessing the resources they need to do their daily job tasks. This is where Identity Management comes into place.
By having a good system in place, not only can you thwart external attacks, but internal ones as well, especially when it comes to Insider Attacks. Any business is prone to this threat, no matter how big or small it is, or even the industry that it services.
One prime example of this is the legal industry. The latest Verizon Cyberattack market survey (which is entitled “The Verizon 2019 Data Breach Investigations Report”) discovered that 34% of all security breaches that occurred back in 2018 were caused by Insider Attacks, many of them at law firms. Some of the reasons cited for this very alarming statistic are:
*Increased use of emerging technologies (such as Cloud hosted platforms);
*The interconnectivity of all sorts of wireless devices (such as Smartphones and Tablets, etc.);
*The emergence of new compliance laws, especially those of the GDPR and others which have been recently enacted in California and New York.
The study also discovered that many of the law firms polled only implement the bare essential controls in order to prove that they come into compliance and avoid the stiff penalties that are imposed. But of course, as we know, this is not enough; more needs to be done by the legal industry.
After all, just like the medical one, there is a lot of Personal Identifiable Information (PII) related to clients which lawyers store in their databases, and there are a ton of confidential documents (especially in the way of contracts) that are transmitted back and forth, and that can be very easily intercepted by a Cyberattacker.
To further substantiate these findings, the American Bar Association through a survey that they conducted on their own (which is called “American Bar Association’s 2018 Legal Technology Survey”) even discovered that 25% of their member base had also experienced some sort of security breach.
Because of this, law firms are now coming under closer scrutiny in terms of data audits, at an alarming 48% increase. Thus, as mentioned, that is why they are just putting in the minimal levels of controls to escape punishment.
So fundamentally, why are Insider Attacks so easy to accomplish, and very often, go undetected? It all comes down to this very simple truth: The Cyberattacker has found a way in, and more than likely, if they have not, he or she could have conned an employee on the inside to give them access credentials through the use of Social Engineering. So, what can a law firm do to protect themselves from this kind of attack? Here are some key tips:
*Attorneys and their staffs have to know where the information/data resides at:
Whenever I attend networking events and meet with attorneys, one of the first questions I usually ask them is if their firm has been breached before, and how well protected all of their information and data is. Typically, the answer I get is: “I don’t know, we leave it up to our IT Department”. In a way I guess that is a valid answer, if that department is large enough to spread around the Cybersecurity responsibilities. But very often, these law firms have only one person managing all of the IT stuff, even those related to Cybersecurity. So, what happens if this person leaves for whatever reason? He or she then has access to all of this stuff, unless their Identity credentials have been immediately deleted. It is for this very reason that attorneys cannot simply say that they don’t know where all of this resides. They don’t have to know all of the nitty gritties, but at minimum, they should at least know who has access to it, as well as the controls that have been implemented so that in a worst case scenario, they can step in and protect their own clients’ materials on a temporary basis. A typical example of this is the usage of a File Analysis Tool, which has such functionalities as crawling data sources, and which can analyze client files by their respective metadata. This provides insight into what has been moved, deleted, retained, exported and even archived.
*Employ high levels of Encryption:
For the most part, we have all heard of this, but long story short, this is the science of scrambling confidential data into a completely undecipherable state that would be useless to a Cyberattacker unless he or she had the keys to decrypt it. While all information and data in a law firm should be encrypted, this is most important for those datasets that are considered to be “At Rest”. These are simply those confidential files that have not been used in a long time, primarily for the reason that these clients have not had an active legal need. I myself am an example of this. I usually meet with my attorney once a year to file my annual report, and that’s about it. So, in the meantime, my files are considered to be “At Rest” for the remainder of the year. Encryption of these files can also help seal off those backdoors that have not been found yet, and only let the authorized users in.
*Deploy Activity Monitoring Tools:
The main bread and butter for any law firm is of course all of the documents that they have in their hands, and which are transmitted back and forth, internally or externally. It is for this very reason that some sort of tool that can monitor document activity should be implemented, so that alerts and warnings can be activated in real time in case any malicious or anomalous activity is detected. If this happens, the respective files can be automatically locked down until the situation has been resolved. These tools are also very useful in creating audit trails of who accessed what file and when, so that if a security breach were to occur, this would provide a very detailed piece of evidence for any forensics examiner. In this regard, a law firm may even want to consider the usage of Blockchain Technology. We all have heard of this used in the Virtual Currency world, but in reality, it is a version control tool that keeps a lock on all sorts of documents, by making use of ultra-sophisticated Encryption algorithms.
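The audit trail described above can be made tamper-evident by chaining each access record to the hash of the one before it, which is the property the Blockchain idea relies on. This is an added example, not code from the original post; the event fields, user names and file names are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first link


def _digest(prev_hash, event):
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(trail, user, action, document, timestamp):
    """Append one access record, linked to the hash of the previous one."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    event = {"user": user, "action": action,
             "document": document, "timestamp": timestamp}
    trail.append({"event": event, "prev": prev_hash,
                  "hash": _digest(prev_hash, event)})
    return trail


def verify_trail(trail):
    """Return the index of the first record that fails the check, or -1."""
    prev_hash = GENESIS
    for index, entry in enumerate(trail):
        expected = _digest(prev_hash, entry["event"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return index
        prev_hash = entry["hash"]
    return -1


def build_sample_trail():
    # Constructed sample records: who accessed what file and when.
    trail = []
    append_event(trail, "paralegal1", "open",
                 "contracts/client_a.docx", "2019-11-04T09:12:00Z")
    append_event(trail, "it_admin", "export",
                 "contracts/client_a.docx", "2019-11-04T23:47:00Z")
    append_event(trail, "attorney2", "open",
                 "wills/client_b.pdf", "2019-11-05T10:03:00Z")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", verify_trail(trail))
    trail[1]["event"]["user"] = "paralegal1"  # rewrite who did the export
    print("after edit, first bad record:", verify_trail(trail))
```

The chain only proves integrity if the most recent hash is also kept somewhere the person writing the log cannot change, since anyone able to rewrite every record can recompute the hashes.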
My Thoughts On This
Well, there you have it. Three ways that a law firm can protect themselves from an Insider Attack. But just as a caveat, even those, if they are used, cannot provide any guarantee that this kind of threat vector won’t happen. As I have mentioned before, Insider Attacks are very difficult to detect and once they are, they can be almost impossible to mitigate in time, because the damage has already been done, and will be too difficult to repair.
This is true for any business. Probably the best way to fend this off is to maintain some sort of 24-hour hotline in which malicious behavior can be reported in real time, so that the proper remediative actions can be taken. But as we fast approach 2020, many legal firms will be especially at risk, especially those that prepare tax returns for both individuals and businesses alike, as this will be tax season.
This is probably one of the seasonal times in which the Cyberattacker will come out to steal as much PII as possible. Not just from lawyers, but accounting firms and even the IRS itself. Finally, the Verizon report can be downloaded here:
The American Bar Association report can be downloaded here: