Law firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.”  This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments.  IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.

But all this convenience comes at a price.  IoT devices are particularly vulnerable to compromise because they are relatively invisible to routine patching (if they allow patches), often do not have any security safeguards, and do not always have access controls.  An infected device can, for example, open the backdoor to denial of service attacks, enable hacker control of locks and surveillance equipment, open opportunities for snooping and recording of phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.

Let’s look at some vulnerable IoT devices commonly found in today’s law firm:

IP-Connected Security Systems and Infrastructure.  Think of cameras, smart meters, and HVAC controls.  Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.

Smart Video Conference Systems.  This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet.  Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.

Printers & Phones.  Wireless printers can allow almost undetectable access to confidential information (real-time or stored print jobs) or, if compromised more generally, could allow a hacker to obtain administrative passwords and create a bridge into the network.  Because VoIP phones are internet connected, their configuration settings may be compromised to allow call snooping or even to place outbound calls.

Light Bulbs?  Yes, light bulbs!  According to the above ForeScout report, smart light bulbs operate on Wi-Fi and mesh networks.  “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that ‘talk’ to each other to share the network connection across a large area.”  The more nodes, the more avenues for entry into a system without being on the network.
Continue Reading: Law Firm IoT: Internet of Things or Instruments of Trouble?

Yes, with a troubling threat environment and unique vulnerabilities, law firms indeed have data security challenges.  But there are strategic opportunities too.  When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for stronger client relationships, lower and better-controlled expenses, and higher revenue.

As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing:

  • increased competition from nontraditional providers and technology-driven service models;
  • the Internet-driven dissolving of historic barriers to remote service delivery;
  • the post-recession tightening in companies’ outside legal spend;
  • the ongoing shift of work from outside counsel to in-house legal staff;
  • the continued consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and
  • the resulting pressure on mid-sized firms to scale/merge up or to specialize/boutique down.

It’s a more competitive world than ever for attracting and retaining clients. There still will be winners and losers, but now the margin of difference is slimmer.  That’s why strategic improvement in a law firm’s data security posture can make a big difference.

Here are three key examples of how better data security is a strategic win for law firms:
Continue Reading: Law Firm Data Security Opportunities

In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.

The complaint paints a picture of an alleged hacker living up to the handle “erratic.”  According to the complaint,

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  Law firms also have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Results of the 2018 ABA Legal Technology Survey reveal a bleak picture for law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of a law firm’s security posture:  computer acceptable use policy (41%); remote access policy (37%); personal technology use/BYOD policy (21%); incident response plan (25%); disaster recovery / business continuity plan (40%).
  • Only 53% of the firms have a formal policy or process to manage retention of data held by the firm, and as of 2017, only 40% have an official records retention schedule.
  • 31% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 46% of the firms have file encryption tools, only 38% have email encryption capabilities, and only 24% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

In the midst of a troubling threat environment, why are so many firms still behind the curve in their data security safeguards?  Here are ten factors to consider:
Continue Reading: Law Firm Data Security Vulnerabilities

Just another day at the firm.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?

Business email compromise (BEC) is a growing threat for businesses generally.  Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) have doubled from 2016 to 2018, with the dollar amounts rising nearly threefold, from $110 million monthly in 2016 to over $300 million monthly in 2018.

But BEC is only one of many potent threats to law firm data security.  Here are some high-profile examples from the news:
Continue Reading: Law Firm Data Security Threats

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, you’re the “Manager of Money,” right? 

“Nope – that’s indeed my title, but I don’t have the authority to manage all of RabbitHole’s money. My focus is just on the paper money, not electronic accounts and transfers. And I only keep track of the paper currency that is boxed up and kept off-site – what employees do with money day-to-day is up to them, their business units, and the company’s Money Policy.”

What does the Money Policy say?
Continue Reading: What if companies treated their money like their information?

Our firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.

The Information Governance perspective is a ready-made, scalable resource. Any organization can make meaningful headway, right away, by simply adopting an inclusive IG perspective when addressing information matters, before investing in significant organizational changes and expensive technology tools.

What does this mean? Simply this – whenever any information-related issue is dealt with or decision will be made by your organization, be sure to ask the following:
Continue Reading: Why govern our information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  It all feels beyond embarrassing, and downright dangerous.

This is not just a bad dream – it’s the reality for companies possessing third-party data without clarity on what rules and responsibilities apply.

Most companies possess some data that they do not truly and solely own.  Perhaps your company signs a nondisclosure agreement and obtains others’ information while evaluating a business opportunity.  Or maybe your company is a service provider that receives or generates data on behalf of customers or clients.  Your company has possession of the data, but it remains responsible to the third parties if there’s a problem.

What kinds of problems? Well, what if the third party’s data is lost, corrupted, misappropriated, hacked, or held for ransom?  What if the cost of maintaining the information, after the work concludes or need passes, becomes onerous?  What if the information becomes relevant in future litigation?  Who is authorized to make decisions about the information when the unexpected happens, and who is responsible for the expenses and exposures?

Information Governance – your organization’s strategic approach to managing information compliance, cost, and risk while maximizing information value – is tailor-made for this commonplace scenario.  Here’s how it works:
Continue Reading: Why govern our information? Reason #3: “Your” data may actually belong to others … and you’re responsible to take care of it.