When Organizations Fall Short on Cybersecurity, Do Law Firms Pick Up the Slack?

The business world still seems to be in the learning phase of cybersecurity, building expertise today to meet the challenges of tomorrow. Yet if the findings of a new BakerHostetler report are any guide, tomorrow arrived long ago.
In its third annual edition, BakerHostetler’s 2017 Data Security Incident Response Report found that “phishing/hacking/malware” accounted for “the plurality of incidents for the second year in a row” (43 percent), according to an April statement announcing the report’s release. The report, which analyzes over 450 incidents handled by the firm’s cybersecurity practice in 2016, also noted that the share of phishing/hacking/malware incidents rose 12 percentage points from the previous year’s report.
Why are companies seeing an uptick in such attacks? Ted Kobus, leader of BakerHostetler’s privacy and data protection team, attributed the increase in malware to “a dramatic increase in ransomware.”
“That is driven by a couple of factors: the availability of ransomware as a service, the operational disruption ransomware causes and the panicked reaction by a company when it is hit by this type of attack, especially less sophisticated businesses,” he told Legaltech News.
Yet nefarious outside actors aren’t the only threat to an organization’s data. Coming in second for incident causes was “employee action/mistake” (32 percent), a finding that the report says reinforces “the ongoing need to focus on effective employee awareness and training,” as well as “that a defense-in-depth approach is necessary because even the best trained employees can make mistakes or be tricked.”
Employee missteps with data, commonly grouped under the insider threat, are a widely recognized security concern. Joseph Abrenio, vice president of commercial services at Delta-Risk, went as far as calling “human error and negligence” the “most prevalent” cause of data loss.
As for how this plays out in legal organizations, he told LTN, “Lawyers, paralegals, assistants, all of the staff are constantly under great pressure to produce. … When you’re doing that at such a high rate, ultimately it’s bound that human failure is going to happen.”
Employee training and a strong, frequently tested security program are often promoted as the remedy for such ills. Veriato CEO Mike Tierney told LTN that organizations should pair training with security technology, as “security is not always going to be top of mind for folks that are trying to get their jobs done, and a training program won’t sway the malicious insider.”
Likewise, the BakerHostetler report recommended employee cybersecurity “training and education” across departments as part of a list of recommendations to minimize security risks and respond to threats.
The report also underscores the changing nature of client expectations of law firms, a group not historically known for its cybersecurity acumen. In one example, tens of thousands of email addresses at U.S. law firms were leaked to the dark web in 2016. Further, the nature of some law firm security threats demonstrates a lack of employee knowledge of proper security precautions.
Ryan McClead, business transformation and innovation architect at HighQ, told LTN, “We talk to law firms all the time. [They say], ‘Oh, we don’t use those types of things. We don’t use Box or Dropbox.’ But if you actually go through and see what people are doing with their domain email address, there are lots of people using these things, and IT isn’t aware of it, and the firm management isn’t aware of it.”
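The audit McClead describes, checking what staff are actually doing with their firm email address, can be partly automated. The following is an added example, not code from the article, HighQ or any of the firms named: it scans mail-gateway log lines for notification messages that consumer file-sharing services send to users at the firm’s own domain (sign-up confirmations, share notifications), which is how accounts registered with a firm address show up even when IT never provisioned them. The log format, the sender-domain list, the firm domain, the sanctioned-service list and the sample lines are all assumptions constructed for this demonstration, and the list of service domains would need to be maintained from your own observations.

```python
"""Shadow-IT discovery from mail gateway logs (added example, assumptions throughout).

Flags messages from known file-sharing services to users at the firm's own
domain, then reports which users are receiving mail from services IT has not
sanctioned. Everything below (log format, domains, sample lines) is assumed.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Assumed: notification sender domains for file-sharing services. Illustrative
# names only; maintain this list from your own gateway observations.
FILE_SHARING_DOMAINS: Dict[str, str] = {
    "dropbox.com": "Dropbox",
    "dropboxmail.com": "Dropbox",
    "box.com": "Box",
    "wetransfer.com": "WeTransfer",
}

# Assumed firm domain and the services IT has formally approved.
FIRM_DOMAIN = "example-law.com"
SANCTIONED: Set[str] = {"Box"}

# Assumed log line format: <timestamp> from=<addr> to=<addr> subject="<text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=<(?P<sender>[^>]+)>\s+to=<(?P<rcpt>[^>]+)>'
    r'\s+subject="(?P<subject>[^"]*)"'
)

# Constructed sample log; includes a look-alike domain and a malformed line.
SAMPLE_LOG = """\
2016-11-02T09:14:03Z from=<no-reply@dropboxmail.com> to=<jsmith@example-law.com> subject="Welcome to Dropbox"
2016-11-02T09:20:11Z from=<noreply@box.com> to=<akhan@example-law.com> subject="You have a new file"
2016-11-02T10:01:45Z from=<noreply@notdropbox.com> to=<jsmith@example-law.com> subject="Invoice"
2016-11-02T10:07:22Z from=<noreply@wetransfer.com> to=<pmoore@example-law.com> subject="Your transfer was sent"
2016-11-02T10:30:00Z from=<no-reply@dropboxmail.com> to=<outsider@gmail.com> subject="Welcome to Dropbox"
2016-11-02T11:12:09Z from=<no-reply@dropboxmail.com> to=<jsmith@example-law.com> subject="Files shared with you"
malformed line that should be skipped
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def service_for(domain: str) -> Optional[str]:
    """Map a sender domain to a service by exact match or parent-domain suffix.

    Walks label boundaries rather than doing a substring search, so
    'mail.dropbox.com' matches Dropbox but 'notdropbox.com' does not.
    """
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in FILE_SHARING_DOMAINS:
            return FILE_SHARING_DOMAINS[candidate]
    return None


def find_unsanctioned(log_text: str) -> Dict[str, Dict[str, int]]:
    """Return {service: {firm user: message count}} for unsanctioned services."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        if domain_of(m["rcpt"]) != FIRM_DOMAIN:
            continue  # only accounts tied to the firm's own domain matter here
        service = service_for(domain_of(m["sender"]))
        if service is None or service in SANCTIONED:
            continue
        hits[service][m["rcpt"].lower()] += 1
    return {svc: dict(users) for svc, users in hits.items()}


if __name__ == "__main__":
    for service, users in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        for user, count in sorted(users.items()):
            print(f"{service:<12} {user:<28} {count} message(s)")
```

On the constructed sample this reports jsmith receiving Dropbox mail and pmoore receiving WeTransfer mail, while Box is suppressed as sanctioned and the look-alike notdropbox.com is ignored. The same suffix matcher can be run over web-proxy or DNS logs against the services’ web domains to catch use that never generates an e-mail.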
Law firms, though, are increasingly launching cybersecurity practices of their own, assisting clients with everything from security education to regulatory concerns. DLA Piper, Hogan Lovells and Mayer Brown are among those with cybersecurity practices, while Gibson, Dunn & Crutcher publishes an annual “U.S. Cybersecurity and Data Privacy Outlook and Review.”
“The number of [security] incidents is up and continues to rise again this year. Clients are asking for more help focusing their breach readiness programs and identifying questions from regulators that will need to be answered,” Kobus said.

Source:http://www.corpcounsel.com/id=1202785549245/When-Organizations-Fall-Short-on-Cybersecurity-Do-Law-Firms-Pick-Up-the-Slack?mcode=1202617073467&curindex=1&slreturn=20170409031759