Last week, I had the opportunity to spend a day at a Legal Services Information Sharing & Analysis Organization (LS-ISAO) workshop in New York City, hosted by a leading law firm. Close to 100 security professionals from law firms around the country participated. While most law firms have small dedicated security teams, what was apparent from the beginning was that the challenges ahead of them were not small.
These firms are facing many security challenges that are not unlike what financial institutions have been facing in the past few years. Requirements from clients, regulators and the American Bankers Association are driving law firms to make rapid strides in improving security.
The goal of the workshop was to discuss topics that were not only relevant but also practical enough that participants could leave with specific actions they could take back to their firm to improve security right now. The organizers had developed a well-curated set of topics and content for the workshop. A very good indicator of the strength of the content was the active participation from all attendees during the final breach detection session that capped off the day. From the day, it was clear that for law firms there are three key IT security trends emerging that are driving new priorities in their security strategies:
Insider threat security focus is driven by clients
Law firm clients are asking, during their periodic evaluation process, what firms are doing to protect their confidential information. Law firms are a great source of information on impending mergers and acquisitions, bankruptcies and other corporate activities. In the hands of a malicious hacker, this information can lead to profitable trades. Clients' concern is that hackers may be willing to pay a lot of money to an insider to provide such information, especially since law firms tend to have very flat and open networks and trust their employees. Hence the desire to understand whether unusual activity can be monitored. Law firms are still grappling with the balance between the privacy concerns of their partners and the desire to ensure that their reputation is protected. Participants agreed that getting executive approval, engaging their employees in the security fabric, and using tools that automatically respond to threats could help them address the problem to a large extent.
The Deep Dark web has malicious attackers focused on law firms
Over the past two years, according to an expert from a threat intelligence firm, they have identified multiple hackers who have created malware and toolkits specifically targeted at law firms. As has been common in healthcare and in financial firms, hackers have built tools that are for sale, with payment accepted in bitcoin. For example, it is possible to find specific toolkits for compromising remote desktops that use the RDP protocol. Remote desktops are frequently used in law firms for their mobile employees. There were engaging discussions around how much information to share with law enforcement and how to productively engage with them to ensure that they received the relevant information as quickly as possible.
3rd and 4th party risk
Many of the questionnaires coming from their clients explicitly require information on the security of third-party vendors providing services to law firms. This is especially true of firms whose clients are financial enterprises. As participants explored the number of vendors they deal with, some realized that they had over 500 vendors that had access to data, the network, or some sort of relationship that had an impact on their business. That was sobering. Many are now beginning to build processes and employ tools to address the potential threat to security from partners who may not take security seriously or may have been breached.
Many of the topics discussed came together during the simulated breach scenario session at the end of the day. What was interesting was that there were many different perspectives on addressing challenges as more information became available during the exercise. It gave participants a good sense of how difficult such incidents could be: dealing with limited information and limited time, and understanding the impact of what started as a simple issue on a single server and spread across the fictitious network. Participants provided their perspective on how they would deal with such issues as the simulation progressed, leading to discussions around the role of security, employees, law enforcement and clients. It was a learning experience for almost everyone.
My informal poll at the end of the day was almost uniformly positive. Taking a day off from their already busy jobs is not something they take lightly. But what they learned and the practical steps they could take right away to address some of these threats were what they had signed up for. And that is what they received.