The Confession, or Well... It Could Have Happened
I have written a fair amount of late about law firm information security. I know what many law firms' security is like, and it's not pretty. I want to see law firm security improve. Not just a few select biglaw firms, but all firms, down into the AmLaw 200 and below. I want to see initiatives like ILTA's LegalSEC continue forward, because "championing an initiative to deliver a set of best practices and a framework that firms can adapt to their needs to build or enhance their information assurance/security programs" is something the industry desperately needs. Right now law firms are the weakest link in the chain with their clients.
So how did the story come about? I was actually reading some Above the Law posts that included leaked memos and was inspired. It came together very quickly (too quickly, perhaps), and sadly the typos are all mine, as there was no actual OCR involved. For the FBI (who I understand was sent a copy), and for the NSA, who I am sure had a copy of the article before it was posted, I admit it: there was no law firm breach. I made the story up.
As I said to Sharon Nelson via email, I have attacked the law firm security angle in multiple posts from multiple angles (earnest education, humor, etc.), but there are still firms that are barely moving or not moving at all. Security is not an interesting topic. Good security involves education and training initiatives and behavior (dare I say cultural) modification, something law firms are not known to be good at. I've experienced it myself as a CIO and had many conversations with my colleagues over the fact that many security initiatives take a back seat to partner convenience. I'm on the record as stating that I think too many firms relaxed security standards, yielding to the pressures of BYOD. I am glad to see that many firms are now playing catch-up and installing mobile device management solutions that should have been part of the equation from day one.
I should probably pause and thank all the people who wrote and called after the post appeared. While it was nice to catch up with some of you that I haven't spoken to in a while, overwhelmingly, everyone wanted more information. Did I think it was real? Who was this firm? One good friend, who knows me perhaps too well, sent congratulations: "Well written, but bogus. Good way to make the point. I bet you had fun writing it." I did enjoy writing it, and I hope all of you take it in the way it was intended. Adam Carlson tweeted me, "maybe a little 2 real sounding." Well, I was doing my best to imagine a plausible scenario and equally plausible reactions. I'm sorry if it got a little too real. I was pleased to hear back from some firms that are actually pretty advanced in their security procedures, processes and personnel. But they are the exceptions, not the rule. I would encourage these CIOs to take up a LegalSEC banner and raise up their fellow CIOs.
So back to the post. My fears were confirmed by the large number of you who read it and accepted it as possible. That tells me that you know your security procedures, processes, monitoring and educational programs are not what they could be, or even what they should be. It also tells me that you think most of your peers are in the same boat. What I laid out COULD happen, and you know it. That's the scary part.
I think we can all agree that law firms are a lot like herd animals. They pay attention to what other law firms are doing. Sometimes too much. It's not just with technology either; it is starting salaries, bonuses, office sizes, and the list goes on and on. I am sure every staff person in a law firm can attest that the first question they get whenever they're looking to launch a new initiative is "What are other firms doing?" I had hoped that a story about a big law firm that suffered a significant penetration would catch the herd's attention.
I pointed the finger at mobile devices, and possibly at file sharing. I pointed the finger at password hijacking via spear phishing. I suspect no one argued any of these points because they know they don't have a full handle on the many phones and tablets that access the firm's data. They aren't sure their "No Dropbox" policy is really being adhered to. They're not confident that their users would take a suspicious email to IT to get it verified before clicking through. It is tough for a CIO these days to say with any credibility to the managing partner or to a client that they have a 100% handle on that client's data. If you are a CIO and feel you can say that with a straight face to a client, call me. I want to hear more.
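The "No Dropbox" question above is one a firm can actually answer from its own web proxy logs rather than guess at. The script below is an added example and not part of the original post: it scans proxy log lines for requests to consumer file-sharing domains and reports, per user, which services were reached and how often. The log format, the domain list and the sample lines are all constructed for illustration; adjust parse_line() to whatever your proxy writes.

```python
"""Flag consumer file-sharing traffic in web proxy logs.

Added illustration for a "No Dropbox" policy check; not code from the
original post. The log format is constructed (loosely modelled on a
Squid-style access log: timestamp, client IP, user, method, URL, status),
as are the sample lines and the domain list.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical list of services the firm's policy forbids. Matching is by
# domain suffix, so api.dropboxapi.com and www.dropbox.com both hit while a
# look-alike such as notdropbox.com does not.
BLOCKED_DOMAINS = (
    "dropbox.com",
    "dropboxapi.com",
    "dropboxusercontent.com",
    "box.com",
    "drive.google.com",
    "docs.google.com",
    "wetransfer.com",
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1364500001.123 10.1.2.15 jsmith GET https://www.dropbox.com/home 200
1364500002.456 10.1.2.15 jsmith POST https://api.dropboxapi.com/2/files/upload 200
1364500003.789 10.1.2.16 akumar GET https://intranet.example.com/matters/1234 200
1364500004.012 10.1.2.17 rlee GET https://notdropbox.com/index.html 200
1364500005.345 10.1.2.18 mchen GET https://wetransfer.com/downloads/abc 200
1364500006.678 10.1.2.15 jsmith GET https://dl.dropboxusercontent.com/s/xyz/brief.pdf 200
garbage line that should be silently skipped
"""


def parse_line(line):
    """Return (user, url) from one log line, or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, _ip, user, _method, url, _status = parts
    return user, url


def matched_domain(hostname, domains=BLOCKED_DOMAINS):
    """Return the blocked domain that hostname equals or is a subdomain of, else None."""
    hostname = hostname.lower().rstrip(".")
    for d in domains:
        if hostname == d or hostname.endswith("." + d):
            return d
    return None


def find_violations(log_text, domains=BLOCKED_DOMAINS):
    """Map user -> {blocked domain: request count} over the whole log."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the report
        user, url = parsed
        host = urlsplit(url).hostname
        if not host:
            continue
        d = matched_domain(host, domains)
        if d:
            hits[user][d] += 1
    # Plain dicts are easier to compare and serialise than nested defaultdicts.
    return {u: dict(v) for u, v in hits.items()}


if __name__ == "__main__":
    for user, per_domain in sorted(find_violations(SAMPLE_LOG).items()):
        total = sum(per_domain.values())
        print(f"{user}: {total} request(s) to {', '.join(sorted(per_domain))}")
```

Run against the sample, the report names jsmith (three Dropbox-family requests) and mchen (one WeTransfer request); akumar's intranet traffic and rlee's look-alike host are left alone. The suffix match is deliberate: a plain substring test would flag notdropbox.com and miss nothing, but it would also produce the false positives that get a monitoring program ignored.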
I figured a story about a massive breach would get everybody buzzing, trying to figure out the gaps. You could infer a large law firm, international in footprint. The firm was theoretically caught flat-footed. A big long-term client was lost (taken from Bank of America's associate GC, Lani Quarmby, commenting on a law firm breach: "We wouldn't work with them again."). You assumed the materials were sensitive enough that the client was truly pissed. Matters were transferred away from the firm even as the investigation into what materials the firm had was undertaken. Loss of confidence and harm to a once respected reputation. One might even assume that the client is considering a malpractice suit, but weighing that against the press coverage they would get as a part of making that public.
The steps taken to combat future breaches would bubble up and a conversation would start. Who could it be? What did they do wrong? Are we doing the same thing? What do we need to do differently to keep from being next? I borrowed from the recent King & Spalding example, doing something that hadn't been done before and that required a little inconvenience on the part of the users, and ran with it. Should popular BYOD policies be reversed? Should client information only be accessed from firm-owned and firm-controlled assets? What about a policy that business email can only be used for business-related things? How about some mandatory training? And the one that I thought pushed the limits of credibility: real-time content monitoring.
I am not saying those are the solutions for all firms. I just wanted to throw some outside-the-box ideas at everyone. For some firms the article was the first time IT and management engaged in a security conversation. That was my goal. So here is something that happened to a firm, real or imaginary. Could it be a vehicle to take up the conversation inside your firm? Perhaps bring some of those back-burnered initiatives to the forefront? At a minimum, provide a little education to management?
I'm sorry if I made the post a little too convincing. All that means is you know it is possible. This breach didn't happen. But I am confident that a real post along these lines is in our future unless we make some changes.
Copyright © 2023 Legal IT Professionals. All Rights Reserved.