Herewith the second installment of Doug Caddell’s essay on cyber-security.
We closed part one of this article by stating that improving your cyber security posture was about managing risk, and that risk will be dependent upon your firm and how you measure the various risks to your business. We also said that we can’t protect every aspect of our systems, so we must prioritize our security dollars based upon our organization’s objectives and risk vectors. We do this by conducting a Risk Analysis, the first step in most prevention, detection and remediation processes, and certification programs such as ISO 27001 certification.
What is your cyber security risk?
I’m not going to bore you with definitions and methods for performing a risk analysis, other than to say that information security risk may be expressed as a combination of probability and consequences. What is the probability that a security event will happen, and what happens to the business (and your clients) if it does? Information security assessments also identify vulnerabilities, and subsequently the threats that could exploit a vulnerability and cause harm.
The next step is to determine the impact on your business and the cost to mitigate the threat versus the firm’s ability to tolerate that particular risk. Often we can accept a certain level of risk or transfer it to others, such as by obtaining insurance. Regardless, knowing the risks that you face and understanding whether you should mitigate a vulnerability, defend against a threat, or accept a level of risk is a key management decision where your participation is required.
There’s a lot of talk about ISO 27001 certification.
The ISO 27001 certification was first published by the British Standards Institution as BS7799 in 1995. So, should I care, and does our firm need this certification? Yes you should care, and maybe you should be certified, and maybe not.
If you are a large firm with clients in regulated industries you should seriously look at ISO 27001 certification, which focuses on the implementation and continuous operation of an Information Security Management “System.” The ISMS is the concept and foundation of how you – management – address and manage your organization’s cyber security posture.
When some people look at the outputs from an ISO 27001 certification project they only see the paper policies and procedures. But the real result is the processes supporting organizational changes that create the foundation of a culture of security. These organizational and cultural changes are most critical to improving your security posture, and the most critical aspect is that they are management driven. Management support is nice, but to be truly effective, top managers – you – must be outspoken proponents of a culture of security, and of the associated fiduciary and ethical responsibility.
If I don’t have regulated clients should I care about certification?
Maybe. It’s not cheap, and if you are doing it just to get a “one-time” certificate for your marketing materials, don’t waste your time. You need to believe that your firm is at risk – and all firms are to some degree – and that good security is important for your business. For a large firm the cost can be near $100,000, but it can be a key to improving your security posture and can clearly demonstrate to clients and prospective clients that you care about your responsibility to them.
Can we do this ourselves without spending a fortune? Yes you can, but unless you have someone on your team who has done this before it will be difficult and take a lot of unfocused time. You need not certify the entire firm or IT organization. In fact, most organizations limit certification to those areas of the organization with the most risk impact. For law firms, this includes areas and systems that contain client information, such as the document management system.
Can I use the ISO guidelines and process to improve without getting the certification? Sure, and for some firms this works well. It comes back to the risk analysis, and impact on reputation.
If we get certified what does ISO 27001 require? It requires that senior management:
Systematically examine the firm’s information security risks, accounting for threats, vulnerabilities, and impacts
Design and implement a coherent and comprehensive suite of information security controls and / or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
Adopt an overarching management process to ensure that the information security controls continue to meet the firm’s information security needs on an ongoing basis
What if hackers get past our cyber security door?
“Easy” fixes include the encryption of laptop computers, and also the encryption of data located in your data center. Encrypting data anywhere it resides, such as mobile thumb drives is also an excellent idea, but I will focus our attention on laptops and data center storage.
If you are not encrypting the disk drives in all of your laptop computers you are behind the curve – not by a little, but by a lot. Since Microsoft included BitLocker with Windows 7 there is no reason not to protect your most vulnerable data – that which is mobile and easily misplaced. If you don’t use Windows, alternative encryption software is readily available. Why should I do this? Because you don’t want to be in a situation that one large firm almost found itself in back in 2005. The firm had a dozen laptop computers stolen from one of its offices. (It was discovered within days that the cleaning crew were the thieves. Not sure why they thought that the police wouldn’t look at them.)
The morning after the theft one of the major local TV stations found out and contacted the firm for comment. The station was looking forward to an evening headline, “National law firm loses laptops with sensitive client data!” That morning there was a lot of high-level discussion at the firm on how to respond to the reporter’s questions. However, once the reporter was informed that all of the laptops had full disk encryption, the station dropped the story and it was never aired.
Encrypting your data is easy to do and you have a lot to lose – literally and figuratively. This also applies to data stored on servers and storage drives in your data center. While not as easy or inexpensive to encrypt, the security benefits are the same. We said above that everyone gets hacked at some point. But if all they can see is gibberish, then you are in a much better position to meet your fiduciary and ethical responsibilities.
The Need to Know
Another change underway is looking at document security from a need-to-know basis. I know that this sounds like a line from a spy novel, but it’s real and taking place now. Since document management systems came to be, most law firms configured them to allow everyone in the firm to have access to all documents. This was done to foster an atmosphere of collegiality, along with the idea that having access to all documents would create a firm with shared knowledge, or built-in KM – which never happened.
While trust within a firm is usually taken for granted, there have been instances where firm personnel have accessed client or internal firm information for unsavory purposes. The bigger issue is what happens when a hacker gains access to an attorney’s or staff member’s account: all of a sudden your internal and client data is exposed. Some firms have limited access to documents to only those working on a specific matter, those with a “need-to-know,” and more and more firms are now changing to that information security model.
Allen & Overy was the first large global firm to improve their document security, making the change in the mid-2000s. The last two years have seen an increasing number of law firms make this change. Why? In part because some clients are now requiring that only those with a need-to-know have access to their data.
After doing all we can to protect ourselves, what happens if we do discover a breach in our security controls? The main thing is to be prepared; don’t wait until it happens to ask yourself this question. Part of preparing is understanding the laws in the jurisdictions in which you operate. Federal and state laws vary and are ever-changing. Those laws are the drivers of actions that you should be prepared to take – including required disclosure.
Also contact law enforcement, including the FBI. Depending upon the situation they may be able to provide valuable assistance. What happens in the case of a breach should be part of the early discussion with your risk management team. Cyber security is not just an IT problem; it’s a strategic risk management responsibility.
Regardless of whether you call it a fire drill or a test, periodic validation and verification of your post-breach plan is a critical management step not to be missed. Like all emergency planning, dusting off the planning document after the fire starts is a sure way to get burned.
What is our greatest security threat and what is easiest to fix?
To quote the parody in the Pogo comic, “We have met the enemy and he is us.”
It is well documented that a key risk within all organizations is our own people. I’m not talking about intentional theft or destruction, but unintentional actions that result in outside hackers gaining access. What can you do? One of the easiest and most effective security activities you can do is awareness training.
Nobody wants to be the one to create a bad situation, but most of us aren’t aware of what we should or shouldn’t do, and what to do if we see a problem. The worst thing to do is not report it to the IT team. There are companies that know and effectively deliver this training, including those who work specifically with law firms and lawyers. To be effective, security education should be reinforced yearly, and don’t forget new hires.
The above is only a primer on law firm cyber security and I hope that you will have more discussions with your CIO about improving your firm’s security posture. Please include your vocal and visual support of these organizational changes that create a culture of security and improve your firm’s security posture. Your active participation is vital.