Law Firms Need to Prioritize Privilege to Protect Client Information
September 5, 2019 | Security and Risk | Corey O'Connor
It’s well understood that law offices have access to extremely valuable client information and secrets – just look at the case of the Panama Papers, which implicated many high profile individuals and political leaders with tax fraud and other illegal activities.
There are many ways in which a law firm’s client data can become compromised, but being in the business of privileged access security, we will focus on the importance of locking down the privileged access pathway to protect the valuable data that law firms are entrusted with protecting. But first, a few observations:
- When it comes to securing confidential data, law firms are often not held to the same standards as other service providers.
Some regulations and standards covering confidential data security do not specifically include law firms in their purview, instead referencing them under generic “covered entity” or “business associate” categories. The Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and a few others, do cover law firms and rule that they must maintain certain controls to safeguard sensitive information.
But, is that enough? And what checks and balances are actually in place to ensure proper safeguards are maintained? Many of these regulations and standards do not actually require law firms to do anything to demonstrate compliance or to make any kind of self-attestation. Many are not subject to regular audits.
Of course, attorneys have a professional duty to make all reasonable efforts to protect and maintain the confidentiality of client information. A law firm entrusted with client data must follow ethical and professional conduct rules when handling the data, which includes an obligation to keep the client’s information secure. However, is an ethical obligation and some loosely enforced requirements enough when it comes to something as important as protecting highly valuable client information and data? Probably not.
- Outside counsel and outsourced professional services often slip past InfoSec.
When an organization invites outside counsel into its network or provides access to confidential information, it introduces third-party risk. Most organizations don’t do enough to secure third-party vendor access and outsourced legal counsel is often overlooked by InfoSec teams, which significantly increases the security risk.
A large law firm with more than 4,000 attorneys who service some of the largest organizations around the world fell victim to the NotPetya attack a few years ago, disrupting services and costing them millions. Better endpoint protection is needed as ransomware continues to be a threat to law firms both large and small. When it comes to access rights, Law firms need to be treated the same as any other remote third-party vendor.
- The average law firm frequently uses outdated technology.
Many law firms, especially the smaller ones, lack adequate IT and security awareness and resources. This can lead to them continuing to use old and outdated tools and technology or staying on unsupported and outdated versions of software and ignoring security patch updates issued by their technology providers. These types of environments are prime targets for attackers to exploit.
For instance, in the case of the Panama Papers, the firm Mossack Fonseca suffered a SQL injection attack on one if its subdomains, which provided access (via an outdated plugin) to a content management system that had a known vulnerability that the firm never patched. From there, the attackers lifted credentials from a database that Mossack Fonseca’s security had left in clear text.
That was the beginning of the end. Without adequate security resources to protect client’s personal information, law firms not only bring into question their ability to comply with ethical and professional conduct rules, they also become vulnerable to a potentially devastating cyber attack.
Why Privileged Access Security Matters
One of the most common strategies used by malicious insiders and external attackers is to attempt to gain privileged access in order to execute a successful attack. Privileged accounts are everywhere – in every networked device, database, application and server on-premises and in cloud and hybrid environments. Nearly all advanced attacks involve the compromise of privileged credentials.
These credentials provide anyone who gains possession of them the ability to control an organization’s resources, disable security systems and grease the tracks for providing fast access to vast amounts of client information and other sensitive data. In the wrong hands, access to this data can cause significant business disruption. Consider the types of client information and documentation these firms have standing access to:
- Business dealings
- Trade secrets
- Personal data
- Health care information
- Proprietary information
- Material non-public information
To mitigate the risk of a serious cyber attack, law firms need to adopt a proactive security solution that specifically addresses their privileged access exposure. For instance, in the event that the InfoSec team approves access for outsourced counsel or legal services, they will often issue mandates that require the law firm to maintain tight privileged access security controls and robust audit capabilities to ensure that the confidential data they are entrusted with remains safe.
It’s Not Just About Securing Confidential Data; It’s About Securing a Reputation
There are many factors that contribute to a firm’s poor security posture, such as access to security expertise and depth of resources, trained personnel and low IT budgets. Many small to mid-size firms only have a few employees in their IT departments. With the overwhelming number of security solutions out in the market to pick and choose from, figuring out where to start when developing a cybersecurity strategy is a daunting task even for a well-staffed IT security team.
One effective way to work with limited staff is to prioritize cybersecurity risk in order to better align with available resources. Firms should evaluate security solutions based on their ability to mitigate the most risk per dollar spent, with low up front and ongoing cost. In other words, look for a solution that has minimal operational overhead and is easy to implement and maintain with limited IT staffing resources.
For law firms, reputation is everything. Doing what’s right for clients and protecting both brand and reputation is an achievable outcome. CyberArk Privilege Cloud is a Software-as-a-Service (SaaS) solution that provides foundational privileged access security capabilities. The solution provides organizations, including law firms, with a simple way to securely store, rotate and isolate credentials, monitor sessions and quickly deliver risk reduction to the business.
Download the CyberArk Privilege Cloud datasheet or request a demo today to see how to gain the confidence of clients by securing privileged access to their most confidential information and sensitive data.