I was fortunate enough to speak at the Defending Law Firms from Cyber Attack Conference this week, in the speaking slot directly after Christopher Graham, the UK Information Commissioner, which worked really well – he provided a few stories and the government view on privacy and legislation old and new, and then I spoke about some of today’s threats and risks and, more importantly, what can be done to prevent them.
There was a great set of speakers from law firms, as well as security vendors and consultants. Drawing a conclusion from the headlines of the event wasn’t too hard – it’s people. I have always said that people are your greatest security asset and at the same time the biggest risk, and this was echoed by many of the speakers.
We live in an age where anybody can be targeted; it is not just about governments and large businesses anymore. As the attacks become more sophisticated, they are able to traverse the information supply chain to find the weakest link and therefore the easiest ‘in’.
Legal firms essentially handle critical information in every role they take on as an intermediary: intellectual property with a patent lawyer, conveyancing on houses and commercial properties, divorce settlements and business acquisitions. The information is critical. It is also time sensitive.
Typically the law firms I have worked with have a very flat structure, with all information available to all the partners, often to the senior personnel, and frequently to junior team members as well. The reasoning is simple – if there is a need to expand the team or for a specific task to be completed, then the information is there. “We trust our people.”
Today there is a need to move the pendulum back from the open information-sharing culture to a need-to-know, and really-really-need-to-know, basis, and then to have processes in place to on-board and off-board people to projects quickly and easily.
All employees, at all levels within an organization, need education and awareness training in order to understand the advanced cyber-threats and associated risks that exist. This needs to be supported with policies and processes on how to handle information securely and what to do in the event of an attack, or a suspected attack. Building a culture where the employees work together will drive the risk posture down – “don’t shoot the messenger” needs to become a mantra. Finally there is a need for technology – technology can enforce policies and keep the people and the company safe, protecting the most critical of assets: the information.
I ended my session with four simple questions:
- What is the information you are trying to protect?
- Where is that information found?
- How do people access the information?
- Who has access?
Followed by the rhetorical question… “If you don’t know, how can you protect it?”
So, first understand which information is ‘critical’ – and, as I said before, for legal firms that is the whole spectrum. If you can then control the number of places where it exists (how confident are you that it’s not in a Dropbox, a personal email account and the like?), the means of access and who has access, protecting it becomes a much more manageable problem to solve. Ultimately, that is what keeps your and your clients’ most critical information secure.