Jun 26, 2013

Too Many Systems, Not Enough Security
Law Firms Are A Major – Yet Poorly Defended - Target
Five Hours And A Lot Of Coffee Later
One Mega-Merger, Nearly Hacked In Two
Have An Information Security Policy In Place, Before You Need It
What To Ask When Choosing A Vendor
Don’t Ignore Basic Data Hygiene
Hire An Outside Firm To Conduct A Security Evaluation And Penetration Tests
Experience Counts

As the taxi from the train station pulled into Jack Hucknell’s driveway, his wife Larissa rolled over and looked at the clock. It was past midnight, again. This merger had better wrap up one way or the other soon, she thought to herself, or it will kill Jack.

He opened the door to the bedroom gently and said, “I’ll bet you’re even more tired of this merger by now than I am.” Larissa grinned sleepily and yawned, “If we had the money I’d buy both companies just so I could get some sleep.”

Jack laughed. “The banks in this merger are global giants. Nobody has enough money to buy both of them. Schmidt, Green & Wasserman has done big deals before, but this? It’s on an entirely different level. Just trying to wrap our heads around the due diligence data is insane. We’ve had to lease dozens of new servers to process it all.”

As Jack was hanging up his suit jacket, the phone in his pocket buzzed. He looked at the number – it was Burton Schmidt, the founding partner of his firm.

Jack steadied himself. “Burton, hello. Is everything OK?” Silence. “Burton?”

“Jack, are you home yet?” Burton’s voice was shaking. “On second thought, I don’t give a damn where you are – just get back here NOW. We’ve had a major security breach.” Jack said “But we just got done checking our systems.”

“Well I guess the hackers quadruple-checked us Jack.” Burton spat. “They hit us and hit us until they found a weak spot. If any bank documents were involved…” His voice trailed off. He didn’t want to say out loud what would happen. Nobody wanted to say out loud what would happen.

Jack turned white and started putting his suit jacket back on. “I am on my way. I’ll bring the entire team in with me. Yes, Burton. Yes, I understand. We’re in permanent full crisis mode until you say we’re not. Yes sir, I’m on my way. OK, bye.” He clicked the phone off.

Larissa looked at Jack. “Bad?”

Jack kissed her and said as he raced out, “I wish it was only bad. This is Armageddon."

While the story being told is fictitious, the issues that it highlights are very real.

TOO MANY SYSTEMS, NOT ENOUGH SECURITY

As Jack raced to the office, his mind was racing too. How could this have happened? What did we do wrong? Which system failed? How much data got out? How much of it was about the merger? Is the merger in jeopardy?

His law firm’s recent growth had been spectacular, pushing new cases through IT at breakneck speed. There wasn’t a whole lot of time for double-checking, but Jack had asked the IT team to come back last weekend to do just that. Jack personally paid for steak dinners for the entire team when their internal testing showed that security was strong.

It was a smart investment, he thought, to make sure all the data was safe. But with all that growth, the system had long since expanded far beyond the law firm’s four walls. Tonight’s data breach could have been at any one of a half dozen recently contracted outside vendors. How good, Jack wondered, were those companies’ security policies? How carefully had we vetted them before placing our trust – and our clients’ data – on their servers?

LAW FIRMS ARE A MAJOR – YET POORLY DEFENDED -- TARGET

Corporate espionage is rampant, and no important merger or acquisition is done without extensive legal work. Law firms should be painfully aware that they are prime targets for hackers. Yet few law firms have the robust privacy policies or data security protection they need.

Not too long ago, sensitive client information at a law firm was safely locked away under multiple layers of physical security. Guards downstairs, locked elevators, locked offices and then locked filing cabinets inside those offices made for a formidable defense system.

Today, with the proliferation of cloud computing and a wide range of devices, sensitive client data can be at a lawyer’s fingers instantly. This is a powerful asset for law firms, but it also opens them up to risks they are often unaware of until it’s too late.

These risks can include such things as:

  • Negligent or malicious insiders;
  • Poor passwords;
  • Improper use of the “cloud”;
  • Disposing of obsolete data without properly securing it;
  • Social engineering;
  • Lost/stolen laptops, computers and mobile devices;
  • Hackers.

In addition to the usual suspects who might want to hack into Schmidt, Green & Wasserman’s system, there were plenty of other groups that would have good reason to break in. As the firm grew it took on more and more clients who were in the news. One of the firm’s big name retail clients had been publicly fending off Manitou Value, an activist hedge fund that was demanding a major change in strategy and bigger payouts to shareholders. Finding insider information on that retailer alone could be worth a lot on the stock market.

Yet Schmidt, Green & Wasserman, like so many law firms, had incredibly lax data policies and internal controls. The company’s policies had last been updated in 2008, when the company was only 45% of its current size. And apart from Jack’s instinctive internal check, the prior weekend, no routine surprise checks or challenges to the system had been performed since 2010. The policies manual was silent on third party technology vendor requirements. Talk about letting the fox into the hen house!

Just last year, Burton Schmidt himself sent a memo around – the FBI was warning that hackers were using law firms as the back door to gaining access to valuable data of their corporate clients. There was vigorous agreement about the need to do something, but… not much was actually done.

FIVE HOURS AND A LOT OF COFFEE LATER

Once Jack and the team got back in the office, it was a race against time. The team immediately focused on the hosting company that had reported a breach. Within a few hours it was traced to a South African cartel and was shut down. Jack breathed a sigh of relief. A lot of sensitive data had been leaked – there was no denying that – but nothing truly catastrophic and nothing that seemed to be related to the bank mega-merger.

Across the office, a voice from a far-off cubicle said “Uh-oh. This is weird.” Internet message boards were buzzing with rumors about the impending merger of two of the biggest banks in the world – somebody, somewhere had found the information.

What nobody at Schmidt, Green & Wasserman realized was that another unencrypted data repository in the law firm’s technology center had been compromised. Their firewall had holes in it from an open videoconferencing system. Hackers got it weeks ago and through code injection opened a back door to send all the sensitive data inside to the hackers.

The hackers replaced Schmidt, Green & Wasserman’s website with a message from an anarchist group saying “We have entered the rat’s lair of this law firm to disrupt the unholy marriage of two criminal mega-banks.”

ONE MEGA-MERGER, NEARLY HACKED IN TWO

Schmidt, Green & Wasserman were fired. The mega-merger was scuttled for nine long months as both banks worked tirelessly in PR to rebuild their corporate images.

The merger eventually happened. But Schmidt, Green & Wasserman – and Jack, who managed to hang on to his job – learned a painful and expensive lesson.

Whether you’re a large or small firm, don’t be lulled into a sense of security and think you’re not in a hacker’s cross-hairs.  If you do anything at all in M&A, contracts, corporate product launches or any litigation, rest assured that you are a target.

Similarly, don’t think that because your data is stored off-site with a third-party vendor, any breach is their problem. Law firms have a Duty of Competence (ABA Model Rule 1.1), which requires attorneys to know what technology is necessary and how to use it. Additionally, the Duty of Confidentiality (ABA Model Rule 1.6) is one of the most important ethical responsibilities for an attorney.

Make sure you conduct annual reviews of your “trusted” vendors that in one form or another have access to your client’s data. An unbiased evaluation like a SAS70 or SSAE 16 type audit report is a must for any law firm who uses others for processing or hosting information.

HAVE AN INFORMATION SECURITY POLICY IN PLACE,  BEFORE YOU NEED IT

Without a plan, precious hours are lost that can make an enormous difference.

A clear, written Information Security Policy (ISP) that everyone in the firm understands is a critical asset for any law firm.

What job function (not just which individual) is responsible for information security? What information needs to be protected? How will the firm manage sensitive information that arrives in multiple forms (text in emails, PDF and PPT attachments, faxes, regular mail, etc.)?

Rights and privileges are equally critical.  For example, client data should be seen by their attorney’s eyes only; be sure that your read-write privileges are set accordingly.

Vendors, including data storage businesses, can act as extensions of internal systems. But extra care must be taken to ensure that these vendors have security policies as tough – or tougher – than the law firm’s own policies. Independent testing should be performed regularly to be certain that those policies are being enforced and updated as needed.

WHAT TO ASK WHEN CHOOSING A VENDOR

  1. Do People You Trust, Trust The Vendor?
    Ask employees and trusted colleagues which vendors they have worked with in the past. Do they know a company -- or an executive -- in the business with whom they have a trusted relationship?  Are there companies or people they would avoid? Choosing a vendor is like hiring staff. Slow down and be as careful about references as you would when hiring someone to work directly with you.
  2. What Safeguards Does The Vendor Have In Place?
    Even if a company has an excellent reputation, it’s important to be rigorous about understanding what safeguards they have in place. Don’t be shy about asking. Companies with first-class safeguards will be happy to talk about this in depth because it’s a strong selling point. Be wary of salespeople who try to gloss over this (“we're industry standard, just like everyone else”) or change the subject. If they try to avoid discussing safeguards they may be trying to hide a weakness.
  3. Are The Vendor’s Security Guidelines The Same As Yours?
    Think of your vendor as an extension of your own internal capabilities. If they are the weakest link in the security chain, you can be sure this is where hackers will strike. It’s critical that your vendor’s security guidelines are at least as strict – if not more strict – than your own. This also allows for decision-making to be easier in the future. If the vendor’s security guidelines are the same as yours, it’s possible to make changes without the risk of inadvertently creating a security hole at a vendor’s company.
  4. Does Your Contract Allow The Vendor To Outsource Work To A Third Party?
    If so, ensure in writing that these third parties will be bound by the same security safeguards and guidelines as your vendor – and that the vendor will indemnify you for any breaches that happen at the third party company. You must always know where your data is going, and how it will be protected.

DON'T IGNORE BASIC DATA HYGIENE

The IT administrators at any law firm need to make it clear what job function (again, not just which individual), is responsible for basic data hygiene. Are all virus prevention programs up to date? Have all the necessary software patches been made?

Just as most houses are robbed when windows and doors are left open, most successful hacking attempts aren’t exotic. Most often, they are straightforward cases of people failing to maintain basic security.

HIRE AN OUTSIDE FIRM TO CONDUCT A SECURITY EVALUATION AND PENETRATION TESTS

The most important asset a law firm has is the trust its clients have in its partners. This trust takes years to build but can be lost in a matter of minutes. It’s important to remember that updating security is always less expensive than cleaning up after a breach. Don’t let systems go un-patched and untested. Have them audited and penetration-tested by an outside company that’s trained to see gaps that insiders may miss.

EXPERIENCE COUNTS

At Capsicum Group, we offer security services such as:

  • security evaluations
  • vulnerability assessments
  • penetration testing
  • incident response

We’re acutely aware of the special risks faced by law firms and have the experience to protect your clients’ sensitive data and your hard-won reputation. We’re ready to help if you need us.