The following article is by Doug Caddell, a Senior Advisor at Adam Smith Esq. and a former Global 50 CIO. He is a certified Information Governance Professional (IGP) and a Certified Information Systems Security Professional (CISSP).
As I sat down to write this article I thought of all the other cyber security articles that I’ve read. Usually the first few paragraphs are commentary and examples on how the security “sky” is falling. While these examples are good to hear, they get old after a while, so I promise not to do that. Besides, if you don’t realize by now that security breaches can be deadly to a business, and that includes your business, then it’s time to remove your head from the sand and start to understand business risks in today’s environment.
Ignoring information security risks as a law firm manager was typical four or five years ago. Heck, we’re just a law firm and who wants our stuff? Besides, security just gets in the way and I don’t want to get our lawyers mad with some IT policies. Spending time and money on something as intangible as cyber security was a hard sell, but you can’t ignore what’s in our daily news. Even the Houston Astros were hacked; a recent discovery, but with intrusive activity going back to 2012 that went unnoticed.
It’s not necessarily about who wants your stuff. Obviously the recent theft of millions of employee records from the U.S. Office of Personnel Management is more dangerous than the corporate espionage theft of Astros’ player statistics. But the danger to a law firm is not just about your data “stuff,” it’s also about keeping your law firm running and your lawyers and staff working, and of course – it’s about your reputation.
First, your data
The data that you keep on your computers is important, whether it’s the firm’s business data or confidential client data. So, your data “stuff” does count. In addition to confidential client business data and litigation strategies, firm computers contain some amount of personally identifiable information (PII) and often personal health information (PHI). The moral and ethical requirement to protect this data is now well recognized and becoming more regulated.
Clients are becoming more concerned and more insistent when it comes to their law firms maintaining the confidentiality of their information, especially over the past three or so years. Six years ago while I was CIO of an AmLaw 50 firm, we would receive annual security questionnaires from a few bank clients asking general questions about our systems and related security. These were about three pages long with mostly tick-the-box answers.
Beginning about 2012 we received dozens of security inquiries, and nothing so simple as the prior requests. These inquiries were up to 80 pages in length and often were accompanied by requirements to meet with the client’s security auditors. Why the change? Regulations – anyone in a regulated business is now required to attest to not only their own security practices, but those of their downstream vendors and providers – law firms. In the spring of 2014, SEC Commissioner Luis Aguilar stated that board members are responsible for the cyber security posture of their organization. This is not just a US phenomenon; it’s also become routine in the UK and elsewhere.
So I should protect my “stuff.” I get it, but I don’t have any clients in regulated industries, so why should I care? It’s not just the theft of data.
Second, simply being able to function as a business
Everyone recognizes by now that a business can no longer operate without computer technology, and this includes law firms. Sure a lawyer can talk to a client on his or her cell phone, but the practice and business of law requires more than ad hoc conversation. Shut down email, calendaring, docket, lit support, electronic filing, and word processing and a law firm can’t operate. Anyone still have typewriters on the shelf as a backup? Even your desk phone is probably computer controlled.
Third, your firm’s reputation
A hacker doesn’t need to have malicious intent to cause damage and interrupt your ability to conduct business. Often hackers are just messing around and not industrial spies. But whether the damage is to your systems or the theft of information, the damage is real. It’s not just direct damage, but damage to your reputation too, especially if it’s only your firm that was hit. How do you explain to clients that you compromised their private information, or that you can’t work on their matter today because your computers were hacked and it may take days to recover?
It’s been long said that there are two types of businesses—those that know they have had a cyber-security intrusion and those that don’t know they’ve had one. In short, it’s generally accepted that everyone has been hacked to some degree at some point. It’s virtually impossible to completely eliminate all chances of being hacked unless you completely remove a network from all outside connections, especially the Internet. But of course, then it would be hard to conduct business. So we install firewalls and other device barriers on our cyber doorsteps, but like taking vitamin C during flu season, it only provides some protection.
Cyber security is based upon prevention, detection and remediation. For years we have relied on prevention – having the IT staff install and continuously maintain electronic firewalls and other preventive methods and policies. We now know that prevention is not enough, and that detection of breaches and subsequent remediation (including a breach notification strategy) is required.
Cyber security is no longer just an IT problem.
In the implied words of Luis Aguilar, it’s a strategic concern. Our goal is the C-I-A of information security: Confidentiality of the information for which we are custodians, the Integrity of that data (has it been altered, accidentally or by intent), and the Availability of, or access to, our systems and data. How does this work its way into law firm management? It’s about managing risk. Some aspects of managing cyber security risk are regulatory driven, and some are client driven, but regardless of what brings information security to the boardroom table, the resulting mitigation strategy is based upon risk to your firm. And risk will depend upon your firm and how you measure the various risks to your business.
We can’t protect every aspect of our systems, so we must prioritize our security dollars based upon our organization’s objectives and risk vectors. The first step? Get educated – talk to your CIO and risk counsel – and look for part two of this article where we will review some initial options to consider, and reveal the greatest threat to your security posture.