In the last two years two major data breaches made headlines worldwide: the Panama Papers and the Paradise Papers. Law firms have traditionally implemented extensive measures to protect client data, but when it comes to cyber security, and specifically insider threats, many firms are not as secure as they need to be in today’s world. Thankfully, in the last two years and largely due to client demand, law firms have been increasing their cyber security efforts. Most law firms acknowledge that the legal industry is in the crosshairs of malicious actors; despite this, firms have consistently fallen short of meeting their own cyber security policies. And while many firms are well equipped to handle external threats, insider threats have become the more significant concern.

Insider Threats Overview

An insider threat is a threat to an organization that originates from within. Insiders include employees, managers, vendors, and contractors; essentially, an insider is anyone inside your organization who has access to sensitive information. In the legal industry, insider threats have been an ongoing concern since well before the rise of the internet. High profile motivations for malicious insiders in law firms have included sabotage, espionage, insider trading, activism, and black market exchange. Law firms are at greater risk of cyber attacks because of the value of the sensitive data they hold for their clients. By attacking a law firm, insiders and the external parties they work with can gain access to data that could cause harm to many people, industries, and markets.

Last year in May a law firm Partner and his neighbor were charged by the SEC with insider trading. Together they made more than $1 million illegally. The Partner did this by accessing sensitive documents on his law firm’s network, which gave him non-public knowledge on which he based his trades. None of the client matters whose documents he accessed were cases he was assigned to. This case demonstrates that anyone can be an insider threat, including Partners, and that the warning sign was visible in the access pattern itself: a user repeatedly reading documents for matters outside his own work. Incidents like this can ruin a law firm’s reputation with current and future clients.

While the case above involved insider trading, there has also been a sharp rise in hacktivism. In hacktivist cases malicious actors attempt to sabotage a firm’s reputation or infrastructure because of their political beliefs. The Panama Papers and Paradise Papers both had far reaching political and economic implications, and the firms that were the victims of those breaches suffered severe reputational damage. One cyber attack is all it takes to bring a law firm down.

While insider threats are no doubt alarming, there are measures you can take to prevent insider-caused data breaches. Technical measures are necessary, but the most important measures are management related. Modest changes to processes, policies, and software can make a world of difference to your internal security posture.

Stronger Access Management for Privileged Users

Law firms are no stranger to the ideas of confidentiality and privileged access to information. However, when it comes to people with the titles of Partner, Executive Officer, Director, or Administrator, access management tends to weaken. Privileged users have the access and the authority to act maliciously while escaping the oversight applied to other staff. Privileged users with a more technical understanding of systems can even tamper with system logs and reports, which is why audit logs should be forwarded to a store the privileged user cannot modify or delete, and why the people who review those logs should not be the people they cover. The insider trading case described earlier involved exactly such a privileged user. For these reasons the implementation of stringent access controls and monitoring policies is very important. Thankfully, there are a few things you can do that will protect data on your network from unauthorized access.

One of the first steps is to conduct a review of every account on the network and determine whether its access to specific data is appropriate for the account holder’s job. Users should only have access to the data relevant to their work; in a law firm, that means access to the matters they are staffed on. This review is not a one-time exercise: staffing changes, and access granted for a matter should be removed when the user rolls off it. If data needs to be accessed beyond the scope of a user’s job, that access should require both strong (multi-factor) authentication and explicit authorization by someone other than the requester.

Multi-factor authentication reduces your data’s exposure to risk by ensuring that a stolen or shared password alone is not enough: in addition to the password, the user must present a second factor such as a hardware token, a code from an authenticator app, or a biometric. Authentication, however, only establishes who the user is; it does not decide whether an out-of-scope request should be granted. For that you need an authorization step involving an administrator or other Partner(s). For example, if a privileged user seeks files unrelated to any case they are working on, they must obtain approval from three other Partners before the files are released. Another example is an administrator approving each request a user makes for data outside their role. In either case the request, the approvals, and the resulting access should be logged where the requester cannot alter the record, so the decision can be reviewed later.
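As an added example (not code from the original article or from Teramind), the following Python script shows both controls from the two paragraphs above working together: an access review that flags document access to matters the user is not staffed on, which is the pattern behind the insider trading case described earlier, and an approval gate that releases out-of-scope files only after three other Partners have approved. The audit log format, the user and matter identifiers, the staffing table, and the log lines are all constructed for illustration and do not come from any real system.

```python
"""Out-of-scope access review and multi-party approval gate.

Added example, not from the original article or Teramind. It assumes a
document management system (DMS) whose audit log records, per line,
timestamp|user|matter|document|action. All identifiers, the staffing table
and the log lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed staffing table: which users are assigned to which matters.
MATTER_ASSIGNMENTS = {
    "M-1001": {"partner.a", "assoc.k"},
    "M-1002": {"partner.b", "assoc.l"},
    "M-1003": {"partner.a", "partner.c"},
}

# Constructed set of users who hold the Partner title and may approve requests.
PARTNERS = {"partner.a", "partner.b", "partner.c", "partner.d"}

# Constructed DMS audit log. partner.a opens and downloads documents from
# M-1002, a matter he is not staffed on; partner.c opens one from M-1001.
SAMPLE_LOG = """\
2018-03-01T09:12:03Z|partner.a|M-1001|D-1|open
2018-03-01T09:30:41Z|partner.a|M-1002|D-7|open
2018-03-01T09:31:02Z|partner.a|M-1002|D-8|download
2018-03-01T10:02:15Z|assoc.l|M-1002|D-7|open
2018-03-01T11:45:00Z|partner.c|M-1001|D-2|open
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    matter: str
    doc: str
    action: str


def parse_log(text):
    """Parse pipe-delimited audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, matter, doc, action = line.split("|")
        events.append(AccessEvent(ts, user, matter, doc, action))
    return events


def out_of_scope_events(events, assignments):
    """Access review: keep events where the user is not staffed on the matter.
    A matter with no staffing entry has an empty set, so all access to it is flagged."""
    return [e for e in events if e.user not in assignments.get(e.matter, set())]


def summarize_by_user(flagged):
    """Map each flagged user to the set of unassigned matters they touched."""
    summary = defaultdict(set)
    for e in flagged:
        summary[e.user].add(e.matter)
    return dict(summary)


# Number of other Partners who must approve an out-of-scope request.
REQUIRED_APPROVALS = 3


@dataclass
class AccessRequest:
    requester: str
    matter: str
    approvals: set = field(default_factory=set)


def approve(request, approver, partners=PARTNERS):
    """Record one Partner's approval. Non-partners and the requester are
    rejected, so a privileged user cannot approve their own request."""
    if approver not in partners:
        raise PermissionError(f"{approver} is not a Partner and cannot approve")
    if approver == request.requester:
        raise PermissionError("a requester cannot approve their own request")
    request.approvals.add(approver)
    return len(request.approvals)


def is_authorized(request, assignments, required=REQUIRED_APPROVALS):
    """In-scope requests need no approval; out-of-scope requests are granted
    only once `required` distinct other Partners have approved."""
    if request.requester in assignments.get(request.matter, set()):
        return True
    return len(request.approvals - {request.requester}) >= required


if __name__ == "__main__":
    flagged = out_of_scope_events(parse_log(SAMPLE_LOG), MATTER_ASSIGNMENTS)
    for user, matters in summarize_by_user(flagged).items():
        print(f"review: {user} accessed unassigned matters {sorted(matters)}")
    req = AccessRequest("partner.a", "M-1002")
    for p in ("partner.b", "partner.c", "partner.d"):
        approve(req, p)
    print("authorized:", is_authorized(req, MATTER_ASSIGNMENTS))
```

The review half is deliberately simple: it answers only "was this user staffed on this matter?", which is the question the access review in the previous paragraph asks of every account. The approval half enforces separation of duties by refusing the requester’s own approval and counting only distinct Partners, so a single privileged user cannot satisfy the three-approval rule alone. In a real deployment the staffing table would come from the matter management system and the approvals would be recorded in a log outside the requester’s control.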

Data Classification

For law firms the most important asset is information. Not all information is equal, and cyber criminals understand this: when a data breach happens, malicious insiders are usually after the most confidential material. Data typically falls into four categories: public, internal, confidential (often called classified), and regulated, meaning data whose handling is mandated by law or regulation. In law firms, confidential and regulated data are the types most often targeted, and it is in these two categories that most of your security resources should be dedicated. Your law firm needs to identify where its confidential data is stored, which channels the data moves through, and who has access. Operations do not exist separately from the flow of data in your organization; every process requires data to be transmitted, stored, or generated. Understanding how data moves through your law firm will help you identify every path an insider could use to reach sensitive data, and classification labels only help if they drive concrete controls, such as restricting which channels confidential data may leave through and who is alerted when it does.

Insider Threat Program

Management plays a critical role in mitigating insider threats. Because one insider-caused data breach can have a devastating impact on a law firm, near flawless coordination on insider threats is important. Insider threat mitigation requires a specialized team and dedicated resources, and this is where an insider threat program comes in. Insider threat programs establish a centralized source of relevant information, a set of protocols, and mechanisms to better detect, prevent, and respond to insider threats. An insider threat program must be an organization-wide effort or it will fail, and management must take the lead in developing it. Insider threat programs typically have around thirteen components: (1) a formalized definition of the program, (2) organization-wide participation, (3) specialized training, (4) a compliance board, (5) reporting mechanisms, (6) an incident response plan, (7) prevention infrastructure, (8) civil liberty protections, (9) a communication framework, (10) supportive policies, (11) data analysis tools, (12) a vendor management program, and (13) risk management integration.

Together these components should increase your ability to coordinate, communicate, and prevent insider threats throughout your firm. If insider threat mitigation is left solely to your IT department or a vendor, you may face continued exposure to risk. Current processes, access controls, work environment, and communications all play a part in how much of a concern insider threats are in your organization.

You can learn much more about how to design an insider threat program at the CERT Insider Threat Center’s blog or in the insider threat guide linked here.

Incident Response Plan

When Appleby suffered a data breach there was a rush to understand what had happened, secure other data, continue operations, and manage the public outrage. Appleby even had to create a “Media Statements” page on its website containing only posts related to the breach. The breach itself happened in 2016 but was only brought to light last year, in 2017. This high profile case shows why maintaining an incident response plan (IRP) is important. While many things are uncertain, it is close to certain that your firm will eventually face a security incident of some kind. When one occurs, you want a process ready to initiate that covers communication, mitigation, operational, and investigative needs. The purpose of an incident response plan is to limit the scope of the damage and restore normal operations quickly.

An incident response plan should have the following components: mission; strategies and goals; senior management approval; a firm-wide approach to incident response; a communication framework; key performance indicators for incident response; a maturity model for the incident response capability; and integration with the rest of the firm. Each component is critical to have in place in order to respond effectively to a data breach. These components follow the plan elements described in NIST Special Publication 800-61, the Computer Security Incident Handling Guide. If you would like a detailed guide to developing an incident response plan, you can consult that publication from the National Institute of Standards and Technology.

Fighting insider threats is becoming a more pressing concern for law firms day by day. Security is no longer just about securing the perimeter; it is also about securing your data and information from the trusted people around you. You never know when motivations will change, so it is best to be prepared against those threats now.