Back in March of 2012 I had some very harsh things to say about law firm security in my post, When Good Enough – Isn’t. I tried a humorous tack, providing “helpful” suggestions for Responses to a Breach of Client Data. At the beginning of the year I suggested a resolution for CIOs in Security: Let’s Start with Education in 2013.
I will be the first to admit that getting senior law firm management to develop a security conscious mindset can be tough. Many leaders have the attitude that “it won’t happen to me.” It is often seen as costly insurance or an unnecessary expense. Worse still, it’s seen as useless, as an impediment to work, an unwanted inconvenience. But times are changing. Security and awareness must change too.
Password Protection an Uphill Battle
As sad as it might sound, one of my first major security “battles” with attorneys involved increasing password complexity and expiring passwords. After a long campaign of education and awareness, backed up with relevant research and statistics, plus a report that listed about 98% of the firm’s passwords as cracked with a freeware tool, I got most of what I wanted (but a name partner would be excluded from the password expiration policy).
My next battle was more with attorneys than senior management. While I had the full backing of the Managing Partner and the Executive Committee, the rank and file attorneys simply didn’t want passwords on their BlackBerry. I even had one very irate attorney yelling at me on the phone, “Do you know how difficult this password thing makes using my BlackBerry when I’m driving?” Now there is a whole lot wrong with that statement – too much to go into in this article. Users grudgingly accepted passwords because senior management was insistent on their implementation.
“Grudgingly” seems to be a key word in the law firm security acceptance game. Once some key law firms implemented mobile passwords, the rest mostly fell in line. But this is one of the simplest of security precautions; something that doesn’t require negotiation in the corporate world – it simply happens. So how do we move security forward in legal? Why should law firms be interested in investing in IT security? It starts with the fact that it just makes good business sense.
The Real Cost of Poor Security
The Ponemon Institute is a think tank dedicated to privacy, data protection and information security policies. For those who complain about cost, the Ponemon Institute estimated that the organizational cost of a data breach in 2012 was $5.5 million. How’s that for the cost of not having proper security!
The same 2012 study found that companies which employ a chief information security officer with enterprise-wide responsibility can reduce the cost of a data breach by as much as 35%. While still early, it looks like law firm security is moving away from nonexistence, or a tertiary thought, to finally gaining the prominence it deserves. I see more and more law firms with people whose titles would suggest that they are dedicated to the role of security. The titles are all over the board and at all levels, but again, it is an encouraging start.
Mounting Pressure From Clients
Recognizing the value and importance of security, corporations are requiring more answers from their outside counsel via security audits. Brief and sporadic to begin with, audits have become more frequent, more common and in some instances, much more complex. The first client security audit I ever answered was back in the early 1990s. That audit was nothing compared to the ones of today.
Some firms like White & Case and Bond Pearce have achieved ISO 27001 certification and now use that as an aid in answering these complex audits. They also use it in their marketing, as a differentiator.
Security Breaches on the Rise
Public reporting of law firm computer breaches has been virtually nonexistent in the past. That no longer holds true. The FBI and MI5 have low opinions of law firm security and have spoken to top firms about cyber breaches and other issues.
In 2011, it came to light that several Canadian law firms were targeted by Chinese hackers and breached in order to gain information about impending mergers and acquisitions. A Pittsburgh law firm was breached by someone claiming to be from the hacking group Anonymous. Virginia-based security firm Mandiant identified four other US law firms that were attacked, also from a Chinese source.
Many firms are unaware they’ve been breached and once they realize it, few firms are willing to admit it. The evidence of law firms under direct attack is getting harder and harder to ignore.
Read Part 2
Part 2 of my Firmex article explores how the attitude toward law firm security is changing, and how your firm can join the movement.