I reflect today on two online article headlines that recently captured my attention – “Legal firms prime target for cybercriminals warn experts” and “500 law firms targeted by scammers”. I wonder how an industry that has been historically known as the stalwarts of client privilege and protection has come into the crosshairs of cybercriminals.
The legal sector holds some of the most sensitive and rich data across all industries, including evidence, case proceedings, and detailed client information. Content management systems, discovery tools, email, and the increased use of cloud environments enable greater agility and productivity through sharing of this. When this highly-sensitive data isn’t properly protected, you’re essentially leaving the doors of the bullion vault unlocked for cybercriminals. A laptop left in sleep mode while in a car when the owner is absent; devices left unattended in a courthouse; confidential files sent inadvertently to a client – all are enough to give even the most calm IT pro a bit of anxiety. So what’s the best protection for data?
Encryption has arguably been long seen as the bedrock of data security. It provides the best guarantee against data breaches. The 2016 American Bar Association’s annual TechReport survey, however, reports that only 15% of firms have adopted full disk encryption, lagging well behind the healthcare and financial industry who both report 55-58% encryption adoption rates. In terms of barriers to adoption, ‘perception of complexity’, ‘lack of organizational buy-in’, and ‘lack of staff’ consistently rank as the top three reasons why organizations are not implementing encryption. Reducing or disproving these barriers is therefore a critical step to assisting in improving the legal industry’s security readiness.
The Myth of Encryption Complexity
Throughout my career I regularly hear of ‘perceived complexity’ as a barrier of entry of many technology solutions. I often wonder if it’s the industry and its marketing teams that are to blame. We portray the complexity of a solution; the engineering wizardry that only our counterparts will likely understand. Tech speak that often confuses the end customer, who doesn’t necessarily care how the solution works, just that it does. Most tenants or owners don’t worry about sensible heat ratios or net blower pressures for HVAC systems in your building. You just want assurance that the system will distribute hot and cool air to where it appropriately needs to be.
Should you then worry unnecessarily about the behind-the-curtain complexity of an encryption solution? No. You simply need assurance that it protects the data on all your devices, regardless of the device type or operating system. That the solution ensures you’ll meet the growing list of regulations and compliances that your firm is subject to. That adding the solution to your IT environment isn’t going to cause unnecessary disruptions to your daily workloads. That the solution will be easy to deploy, manage, and administer. The best data protection solutions do just that – they allow you to focus on your business, with full confidence that you’re protected.
Achieving Buy-in through Leadership Involvement
Struggling to get leadership buy-in for data protection? Appeal to their common end goal – ensuring the success of the company. That success is a direct result of the firm’s reputation. And they can kiss that stellar reputation goodbye, as well as thousands if not millions of dollars in fines, if your firm suffers a major breach,
“We should treat personal electronic data with the same care and respect as weapons-grade plutonium – it is dangerous, long-lasting and once it has leaked there’s no getting it back” — Cory Doctorow
‘‘Lack of skilled staff’ is often deemed a barrier to data security adoption. You can lower this barrier by educating staff on why the firm is implementing the policies and solutions, the risks associated with not protecting client data, the roles and permissions granted to them, and their role in contributing to a secure work environment through adherence to the policies. Increased education leads to both decreased risk and a decreased need for support.
Educating your Attorneys and Staff on Risks and Preventative MeasuresDespite this risk, leaders have gambled with their security, believing a breach won’t happen to them. Unfortunately, for 62% of law firms last year, that gamble didn’t pay off – having fallen victim to cybercriminals. Facing growing regulatory and compliance legislation, class action litigations, and other data protection guidance, legal firms no longer can delay the need to affirm clients’ data is protected. Leaders need to take an active role in data security. For some organizations, that even means appointing a Security Lead, or forming a Security Committee.
Next, make sure your chosen solution is easy to deploy and manage. The solution should require little effort on the part of your IT team to deploy, with configuration settings being simple and template-like. The solution should be frictionless and transparent to your end-users. Look for solutions that have management tools that give you visibility into security of all your endpoints, and easy auditing and reporting controls, when needed. By reducing human intervention, you’ll ultimately reduce the need to hire and staff – saving time and money.
Regardless of your firm’s organization’s size, data security is critical. As you explore options, seek those that have experience in working with firms similar to yours in scope and size. The solution needed for a 3-5 person real-estate specialty firm will be much different than a large firm with a roster of clients with international interests. Ultimately, there is a data security solution out there for all needs, so make sure you don’t leave your data and business unprotected.
