Depressed employee with laptopMost people have elevated stress during the holiday season — work, travel, family, money, time.  And holiday stress can make people inattentive, tired, frustrated, and willing to take short cuts, especially when it comes to computer and Internet use.  This is when mistakes happen.  It’s when we decide to evade policy by emailing work home or by using the unsecured airport Wi-Fi because our plane is delayed.  It’s also when malicious acts of information theft, sabotage, and fraud can more easily occur and go undetected.

According to a recent survey, insider threats — as opposed to outside actors — can account for nearly 75% of cyber incidents.  These incidents occur because of the actions of employees, suppliers, customers, and previous employees.  Law firms are not exempt, particularly small to medium size firms.  In fact, smaller firms typically have fewer resources to devote to cybersecurity and use more outside suppliers.

End-of-year activities for law firms also make them especially vulnerable to insider threats, whether inadvertent or malicious: the push to bill and collect for more hours, time-sensitive legal matters that must be resolved before the end of the calendar year, attending to year-end tax accounting, case and client review, bonus calculations.  Lawyers and their staff feel the strain of extra hours, looming deadlines, and sometimes contentious clients at the same time we all feel holiday pressures at home.

What is at risk?

More than you think.  Not only is client information a target, but also firm business data.  In just one example of a law firm security lapse, a big-law associate felt his firm was “screwing” him, so he attempted to extort over $200,000 by accessing and downloading “quarterly financial reports, documents describing how the firm determines billing rates, a list of clients and fees charged, confidential associate reviews, and an analysis describing recruitment of lateral lawyers.”  He used a partner’s pilfered log-in credentials and threatened to leak the documents to an on-line legal forum.

How will I know an insider threat when I see it?

Readers of who-done-it thrillers know well that the culprit is often someone you least suspect.  But in hindsight, there were usually signs.  The same can be true of persons in your firm, although there is no one profile that fits all malicious insiders.  Bad actors may be male or female, management or IT, and may or may not have any technical skills.  Here are some indicators to look for, especially in combination:

  • Poor performance appraisals
  • Disagreements with policies and co-workers
  • Financial issues—too much or too little money
  • Working odd or excessive hours
  • Leaving the firm
  • Personal or professional stressors

The most important message is to pay attention to suspicious behavior.  Follow up, ask questions.

How do I manage the risk?

Focus on your information and your people.  Among the many good ideas in the Common Sense Guide to Mitigating Insider Threats published by the CERT Insider Threat Center are:

Information

  • Inventory your data and evaluate risk (data map and security risk assessment)
  • Segregate information according to risk
  • Protect your information with policy, physical, and technology controls
  • Pay particular attention to access management and the principle of least privilege

People

  • Perform background checks, including when feasible drug and alcohol tests
  • Encourage a culture of cybersecurity, including periodic training
  • Monitor employee actions (what’s normal, what’s not normal?)
  • Ensure a comprehensive termination procedure is followed

When outsiders become insiders.

One last point … remember that most small to medium size firms rely heavily on business associates and suppliers for everything from managed IT services to accounting.  When these third parties have physical or electronic access to your offices or your systems, they default to becoming insiders who should be provisioned and monitored appropriately.

Wishing you a happy — and cybersecure — holiday season!