Form a Phalanx: Law Firm Lessons on Managing Cyber Security through Talent and Culture

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

As law firms come to appreciate the significance of building a shared understanding of security and risk, that work starts with a sharp focus on talent and culture.  The first topic the panel discussed during the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum was protection and prevention methods.

Protection and Prevention

Barry Strauss, COO, Elegrity; Curt Cunningham, CIO, Fragomen; Michael Lewis, CIO, Hogan Lovells; and Ramound Umerley, CDPO, Pitney Bowes had a very engaging discussion about how firms can best protect their data.  In the beginning stages a firm should prioritize its assets.  Which documents, emails, IP, databases, software, and services are most important?  As new data arrives, the firm should examine the process around it.  How is data stored, transmitted and deleted?  Each of those stages needs to be examined carefully.  The firm has to be mindful of both structured and unstructured data and, in addition, understand and follow the national and international compliance rules that govern that information.

Several of the panelists suggested that every firm should conduct its own network penetration tests.  Michael Lewis of Hogan Lovells recommended that firms design their own phishing emails to see which employees actually click the links.  Another aspect he mentioned was reviewing data retention policies.  Are these policies industry standard?  Michael Lewis also advocated that firms take baseline network traffic reports from all offices.  Once a baseline is established, current traffic can be compared against it, with alerts firing on anomalies that may indicate a compromise.
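The baseline-and-compare approach described above can be sketched in code.  The following is an added example, not anything presented at the Forum or used by the firms named here: the per-office daily outbound byte counts are constructed sample data, and the median/MAD scoring is one robust choice among several.  It flags both unexplained spikes (possible exfiltration) and drops (an office whose traffic goes dark may mean a log source or tunnel has failed), and it also flags an office with no baseline at all.

```python
"""Baseline-and-deviation check for per-office outbound traffic volume.

Added example with constructed data; not code from the Forum or any firm.
"""
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not real traffic): outbound bytes per office per
# day over a two-week baseline window.
BASELINE: Dict[str, List[int]] = {
    "london": [
        41_000_000, 39_500_000, 43_200_000, 40_100_000, 38_900_000, 42_600_000, 44_000_000,
        40_700_000, 39_900_000, 41_800_000, 43_100_000, 42_200_000, 40_300_000, 41_400_000,
    ],
    "new_york": [
        118_000_000, 121_000_000, 125_000_000, 119_000_000, 122_000_000, 120_000_000, 124_000_000,
        117_000_000, 123_000_000, 121_000_000, 119_000_000, 122_000_000, 120_000_000, 126_000_000,
    ],
    "hong_kong": [
        30_000_000, 28_000_000, 31_000_000, 29_000_000, 32_000_000, 30_000_000, 27_000_000,
        31_000_000, 30_000_000, 29_000_000, 33_000_000, 30_000_000, 28_000_000, 31_000_000,
    ],
}

# Constructed observations for the day under review. "singapore" has no
# baseline, which is itself worth an alert: new offices and new egress paths
# tend to appear without anyone telling the security team.
TODAY: Dict[str, int] = {
    "london": 42_000_000,
    "new_york": 310_000_000,   # roughly 2.5x normal: candidate exfiltration
    "hong_kong": 2_000_000,    # traffic nearly vanished: outage or lost visibility
    "singapore": 15_000_000,
}


def robust_baseline(samples: List[int]) -> Tuple[float, float]:
    """Return (median, scale) for a baseline window.

    Median and MAD are used instead of mean and standard deviation so that a
    single bad day inside the baseline window (for example an earlier,
    undetected exfiltration) does not inflate the spread and hide itself.
    The 1.4826 factor makes the MAD comparable to a standard deviation for
    roughly normal data.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    # If every sample is identical the MAD is zero; fall back to 5% of the
    # median so that we never divide by zero and still flag real deviations.
    scale = 1.4826 * mad if mad > 0 else 0.05 * med
    return med, scale


def deviation_score(value: float, med: float, scale: float) -> float:
    """Signed number of robust 'standard deviations' away from the baseline."""
    return (value - med) / scale


def detect_anomalies(
    baseline: Dict[str, List[int]],
    observed: Dict[str, int],
    threshold: float = 3.5,
) -> List[Tuple[str, str, Optional[float]]]:
    """Compare one day's per-office volumes against their baselines.

    Returns (office, kind, score) tuples where kind is "spike", "drop" or
    "no baseline". Offices within the threshold produce no entry.
    """
    alerts: List[Tuple[str, str, Optional[float]]] = []
    for office, value in observed.items():
        if office not in baseline:
            alerts.append((office, "no baseline", None))
            continue
        med, scale = robust_baseline(baseline[office])
        z = deviation_score(value, med, scale)
        if abs(z) >= threshold:
            kind = "spike" if z > 0 else "drop"
            alerts.append((office, kind, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for office, kind, z in detect_anomalies(BASELINE, TODAY):
        print(f"ALERT {office:10s} {kind:12s} score={z}")
```

With the constructed data, london stays quiet (about 0.4 robust deviations above its median), new_york is flagged as a spike, hong_kong as a drop, and singapore as having no baseline.  In practice the same comparison is run per office, per protocol and per destination country rather than on one daily total, and the baseline window is refreshed on a rolling basis so that a slow ramp does not become the new normal.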

Some other protection and prevention methods:

  • Use encryption everywhere you can: email, documents, databases, SAN
  • Web application vulnerability testing
  • Mobile Device Management – separate firm data from personal data on BYOD devices
  • ISO certification and accreditations

Incident Response

Another critical aspect of firm culture is incident response.  The panel discussed the need to have a cross-functional team in place before a cyber-attack occurs.  This group should include many of the following: Communications, HR, BD, the Managing Partner, IT, Audit, and Information Security.  A suggestion that struck a chord with the audience was the accessibility of your vendors, that is, the ability to reach a vendor no matter what time of day or night.  Get the phone number of a real person who is accountable.  They emphasized that this should be negotiated and written into the contract.  Lastly, once an incident is closed, conduct a retrospective of the attack and define the lessons to carry into the next event.

In an age where law firms are clearly in the sights of cyber criminals there is a need to act.  Law firms are aligning their understanding of security and risk directly with a sharp focus on internal talent and culture.  Protection, prevention, and incident response methods are a major component of safeguarding the firm's assets.  The panel closed with their three most important take-aways: prepare technologically, educate your staff, and create clear processes.

From Russia (and Asia) with Love: Cyber Warfare and the growth of State-Sponsored Hacking

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

The scope of the threats to law firm data is global.  In this panel discussion at the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum, a country-by-country breakdown of the dangers was presented while the audience absorbed the magnitude of the panel's concern.

Eben Kaplan, Senior Consultant, Control Risks; Josh Goldfarb, CTO, FireEye; Jay Healey, Senior Research Scholar, Columbia University; Robert Knake, Senior Fellow for Cyber Privacy, Council on Foreign Relations; and Daniel Sutherland, Associate General Counsel, Homeland Security explained that each nation-state actor has its own motives and techniques for cyber-attacks.

Who, Why, and How?

Who: China – They have a defined plan with established tactics and procedures.

  • Why: They are primarily seeking intellectual property, with a new focus on the firms that hold such information, especially those with newer IP clients (Target: Silicon Valley – DC based firms)
  • How: They focus on social engineering
    • Text messages, spear phishing
    • Looking for the weakest link at the firm – someone who will click a link
    • Watering hole attack – In this tactic the attacker compromises a trusted third-party site that the primary target visits without suspicion, and the target is infected from there. Example: a famous think tank's website is compromised; a Big Law firm visits the site and gets infected. The target was the Big Law firm, and it was compromised indirectly.

Who: Russia – They are one of the most experienced nation-state actors at hacking.

  • Why: Money, but increasingly they are focused on IP, so law firms should be aware of this.
    • They are quieter and more careful than China
  • How: They use more botnets, worms and malware than China

One interesting concern expressed on the panel is that Russia is very worrisome for the United States at the moment.  The rule of thumb used to be that the countries which could hurt the US did not because they had no desire to, while those who wished to do harm lacked the capability.  That has changed.  In the panel's view Putin is leading Russia down the road of an attack on the US, and Russia has both the skills and the capacity to do significant harm.

Who: North Korea – They are still new in this arena but improving quickly.

  • Why: Political
  • How: Uniquely, North Korea is buying its attack capability on the Dark Web from hackers for hire. They used black hat hackers to launch the Sony attack, and it was very successful.
    • They are brazen in their approach but until recently have not been as interested in law firms.

Who: Iran – They too are improving quickly

  • Why: Political
  • How: They have started leveraging worms of the kind that other countries, such as Israel, used against them.

The Saudi Aramco wiper worm was launched against the Saudi company's network in an attack widely attributed to Iran.  It reportedly wiped 75% of the computers of the world's most profitable company and left behind only an image of a burning American flag.  The panel's view was that Iran adapted the worm from malware that had been launched against Iran years earlier, attributed to Israel.

The thrust of the panel discussion was that the threats to law firms are far and wide.  While some nation states have not traditionally sought out law firms, there is keen interest in IP and M&A information.  In closing, Josh Goldfarb, CTO, FireEye mentioned some startling statistics.  While installing hardware on customer networks, many of them law firms, FireEye found that of 1,216 customers tested, 97% were already compromised.  Even more striking, 25% of those compromised networks had been penetrated by nation states.  This underscored the importance of understanding who is knocking at your firewall and what they are seeking.

Enemies at the Gate: Responses to Data Security Threats at Law Firms

By Joseph Raczynski

The 5th Annual Law Firm CFO/CIO/COO Forum

In eerie silence, law firms could be breached by cyber criminals as easily as JPMorgan Chase, Home Depot and Sony were.  The difference with law firms is that few would ever know sensitive data had been taken.  While law firms do not have to report such penetrations, we learned at the Data Privacy, Security & the Globalized Law Firm CFO/CIO/COO Forum that they must increasingly stay vigilant to avoid such a plight.

The first panel discussion of the day, with Mike Marsilio, Director of Security and Compliance, DTI; Mark Connelly, CISO, Thomson Reuters; Steve Katz, Board Member, Glasswall Solutions; John Masserini, CSO, The MIAX Exchange; and Mark Olson, VP and CISO, Iron Mountain, focused on a few key data security topics.

What keeps them up at night?

John Masserini expressed several concerns that were shared by the rest of the panel.  Simply put, employees create significant anxiety.  What are they downloading?  What links are they clicking?  Are they plugging dirty, unencrypted jump drives into their computers?  All agreed that employees' own actions can cause the most harm to a network.

Other concerns expressed:

  • Regulatory requirements
  • Not having enough skilled people
  • Complexity of vendors' systems, and vendors who are not mindful of security concerns

Answering some of these issues, Mark Olson of Iron Mountain offered a few suggestions.  There have to be processes in place.  Enact physical requirements for your data rooms, e.g. isolating buildings and spaces.  In addition, have vendors escorted while in your buildings.  Knowing that you have to trust some vendors, log absolutely everything.  Do not allow jump drives unless they have been cleansed by your security professionals.  Ultimately the mantra of the day was: educate, test, create and follow process and procedure, and retrain constantly to guard against breaches.

How do you speak with the partnership about security?

The panel discussion also touched on how best to convey the magnitude of security and risk to the firm's partnership.  One distinction they made was that the Chief Information Security Officer (CISO) must show that the investment in IT is directly related to client retention and new business.  If there were a breach, the harm to the brand could be irreparable.  When explaining security, they suggested staying away from tech talk and painting a picture that non-technical people can understand.  The partnership tends to lean in when the CISO frames the discussion financially, so IT should state it in a fashion that shows "they know you know" the business is about making money.  The concept driven home was that security and risk is not a cost center but a retention and new business play.

As the panel closed the session they emphasized that law firms are in a precarious position.  They are brokers of sensitive and important information (think IP and merger information), and to that end they are a massive target.  It is the responsibility of the Chief Information Security Officer (CISO) to put process and procedure in place and to pound the drum for employee education and awareness.  The unseen enemy is really those employees who are uneducated, unaware, and unwilling to properly care for the firm's tools and technology, thereby exposing the firm to outside attacks.