Expert insights: How to mitigate the security risks of sharing data in the legal sector

Security should be a priority for any organisation, regardless of the size of the company or the sector it works in. Within the legal sector, however, keeping your data secure and free from corruption is of the utmost importance. Whether it is client or internal information, it is imperative that it is always secure. Unfortunately, remaining secure when sharing data isn't always as simple as it seems, and numerous law firms are still putting themselves, and their clients, at continual risk.

We spoke with three industry experts, asking them what the biggest risks of sharing data in the legal sector were, and how best to mitigate these risks.

Stu Sjouwerman
CEO, KnowBe4

"The legal sector faces quite a few risks when sharing data. It’s different types of risks, depending on how you share the data. The legal profession tends to attach a Word file to an email and send it over, which is pretty much the same thing as printing it in the newspaper and putting it on the front page - from the perspective of confidentiality and security. You would have to have an end-to-end encrypted platform to make sure that confidential legal documents don’t go astray and end up in the wrong hands.

Email is a notoriously unsafe platform for confidential information, and especially legal confidential data. You have to keep in mind that the internet and email were not built with security in mind. You need to have an infrastructure where you have a secure line. You need a secure line to communicate legally confidential documents and would need to safeguard attorney and client privilege. You have to have an encrypted document end-to-end, with keys that allow the sender of the document to have encryption and the receiver to have information to unencrypt, and in a way that is user-friendly but also secure.

You have to be double careful and truly invest in an IT security budget in the legal and accounting sectors. So I would strongly recommend the legal profession review their IT security budgets and understand that they need to be doubled or tripled to make sure the correct measures are taken to prevent hacking attacks on not only them, but also their customer base and their clients."

Bio: Stu is the founder and CEO of KnowBe4, provider of one of the world’s most popular integrated platforms for security awareness training and simulated phishing testing.

Adam Boone
CMO, Certes Networks

"The top attack vector in the wide range of data breaches over the past two years has focused on exploiting secondary targets, the services companies who work for the primary enterprise data breach targets. And it happens that the legal sector is particularly vulnerable to being part of this attack chain. Enterprises in all sectors have digitised their critical business processes and documents for easy sharing and collaboration across a range of networks inside and outside the enterprise. The idea is to become a “frictionless” enterprise, to streamline processes and get work done much more efficiently.

An enterprise’s legal firm will possess a treasure trove of the most sensitive data related to that enterprise. For example, a legal firm will often be working on the details of intellectual property, legal proceedings, mergers or other financial matters that are not yet public. The IT security issue is that this information is digitised and shared on email or via file transfer, in collaboration applications and many other forms. Hackers know all this. So they go after legal firms and other professional services firms as secondary targets, when the real primary targets are the enterprises whose data these law firms are handling.

In this environment, the basic security requirements for legal firms are two-fold. Number one - Plan for the worst and assume that your systems will be penetrated. How do you segment networks and applications in order to contain the scope of hacker access and limit breach damage? Number two - Ensure your clients are using strong cryptography for shared applications and enterprise information, and that access controls and credentials are carefully managed. If one of your firm’s employees falls prey to a phishing attack and loses log-in credentials to a hacker, you do not want that credential to be part of the vector for breaching your enterprise client."

Bio: Adam is the CMO of Certes Networks, a leader in software-defined security. He has 25 years of experience in marketing, communications, strategy, media, and start-up success.

Ahsun Saleem
President, Simplegrid Technology, Inc

"Information governance is a very big topic of concern for law firms today, as they strive to fend off the constant attacks they are facing, and do their utmost to uphold client confidentiality and protect client sensitive data. A breach can be catastrophic for a firm, as they can lose their clients' trust, which will lead to loss of business. In fact, many firms are asking their attorneys to assure them that they have the proper safeguards in place against cyber security threats. Unfortunately, many law firms are not doing their utmost to protect their clients' data. It really is a ticking time bomb.

The biggest risk that attorneys face is the loss of client sensitive data. This can happen electronically, and it can also happen through an employee, either maliciously or inadvertently. Depending on the document, this data can include client names, social security numbers, birthdates, addresses, FEINs, etc.

All client sensitive data/communication should be sent via an encrypted channel. Email can be sent encrypted to clients. Documents can be sent over the same encrypted channel. If the client site doesn't support encryption (for example, a high net worth client that uses a Gmail account for email correspondence), then that document should be shared via some secure file sharing program. Attorneys should never use a public email system such as Gmail or Hotmail for client correspondence. Law firms must also train their users to be aware of suspicious attacks. Training and other methods should be used to keep the employees aware of suspicious threats and how to deal with them."

Bio: Ahsun is the president of Simplegrid Technology, Inc, an IT consultancy serving the legal and healthcare verticals. He has been working with law firms for the past 15 years and has consulted for many of the AMLAW 100 firms.
