Three Tips to Tackle Data Risk and Keep Your Law Firm Profitable
Digital transformation is all around us. Companies rely more and more on the data that drives their business and on the IT systems that store and process that data. Nowhere is this more apparent than in the legal industry. To provide uninterrupted service to its clients and remain profitable as a business, a legal practice must keep its IT systems operational and available at all times.
Unfortunately, the number of threats that can result in system downtime is increasing. These threats include weather-related disasters, technical malfunctions and human error, but the fastest-growing threat in the legal industry is the cyber-attack. With 98 percent of organizations reporting some kind of cyber attack in 2016, you don't have to look far to find examples. In a case that surfaced in 2016, hackers associated with the Chinese government stole over seven gigabytes of data over a 94-day period beginning in March 2015, after breaking into partners' email accounts.
What are these thieves after? Law firms continually handle intellectual property, merger and acquisition information, and a wealth of personal information on behalf of their clients, which makes them attractive targets for the same kind of attack. The thieves then sell the intellectual property to competitors, sell the personal information to identity thieves, or use the M&A data to support insider trading schemes.
Given these high-profile breaches, law firms should make data security a priority. Ultimately, a legal IT department exists to meet the requirements of the firm's partners. With that goal in mind, the three strategies below can improve the way practices serve their clients and, in turn, protect the firm's profitability.
1. Frequent and motivated security evaluations
The attack surface has expanded dramatically in the last few years. Patching and firewalls remain necessary, but they are no longer sufficient upkeep for a legal IT environment. The evolved threat landscape makes it imperative to extend security practices beyond these historical controls to include encrypting sensitive data both in transit and at rest, intrusion detection, regular vulnerability scans and a plethora of other risk mitigation measures.
However, data security is not just an IT problem. People remain the number one way attackers gain access to sensitive data. A comprehensive security program must therefore include an ongoing education program for all employees of a firm (yes, including the partners). One need look no further than the recent phishing attack involving Google Docs, and the speed at which it spread, to see that we are all susceptible to social engineering. Unexpected emails with attachments or links, even those that appear to come from friends and colleagues, should be treated with suspicion.
Another weak spot in the defense against cyber-attacks is the Disaster Recovery (DR) environment. Cybercriminals often see DR as an easy win, since these systems are commonly left out of a company's security assessments. Security controls for the DR environment need to be on par with production, particularly since DR becomes production in the event of a breach or major disaster; a DR replica that accepts the same administrative credentials as production is only as safe as those credentials. Just as you test for security risks in production, test your DR procedures as well, under realistic conditions, to identify shortcomings before you depend on them.
2. Explore Third-party Experts for Support
According to a 2016 survey from ALM and Bluelock, a large majority of IT professionals (69%) named "data security" as the biggest hurdle within their firms' IT operations. While firms are paying more attention to protecting their operations (for valid reasons), a true commitment to risk mitigation is still lacking. In the same survey, "tight budgets" (59%) and "overwhelmed IT teams" (40%) were the next most-cited challenges, indicating that even when IT teams identify the steps needed to secure their firms, these departments largely lack the resources to carry them out.
Providing the resources needed to reduce risk does not necessarily mean increasing IT spending, especially when DR is used as the mitigation strategy for an attack. Instead, law firms with a lean IT team should consider enlisting a dependable Disaster Recovery-as-a-Service (DRaaS) provider able to act as a true extension of the IT team. With such a partner, day-to-day management of the DR environment and the ins and outs of data protection can be left to specialists, freeing your personnel for internal tasks that drive direct value for the firm. The firm nevertheless remains accountable to its clients for their data, so the provider's security controls, recovery testing and contractual commitments deserve the same scrutiny as production.
A DRaaS solution can be implemented without the large capital investment associated with traditional DR, and it can be more secure. Take the two-data-center model. A firm runs two geographically dispersed data centers and replicates or copies data between them. If disaster strikes one, the other is used to restore the data and applications and to serve employees, partners and clients. This means the firm must invest enough capital in both data centers for either one to carry the full load on its own. Both environments must be kept in sync, so every upgrade at one location must be repeated at the other: double the work and double the investment.
Many firms use this model and also run production out of both data centers. If the disaster is a cyber-attack, chances are that the compromise in one production data center has already been replicated to the other, leaving the firm with no clean copy from which to restore. A cloud DR target only helps here if it retains point-in-time copies rather than a continuously updated mirror; otherwise it inherits the same problem. Used that way, the cloud as a DR solution can reduce costs, add a layer of protection and eliminate many of the headaches that come with traditional solutions.
3. Thoroughly Safeguard Digital Assets
Ownership of the protection of firm and client data should rest with the IT department, but it must be a concern of everyone in the firm, and everyone should understand their responsibilities.
It is the responsibility of legal IT professionals to assess existing measures, lay out a plan to enhance security efforts, and report to leadership the level of risk associated with any gaps. A strategic disaster recovery roadmap needs to be one part of the firm's overarching security plan, since it enables practices of any size, including sole practitioners, to safeguard sensitive data from cybercriminals.
Because of the legal industry's complexities, it can be tricky to deploy an approach that fits every firm. However, two components are vital to any effective data protection strategy: consistently executed replication to a cloud environment, for fast recovery after a disaster of any kind, and backups for the longer-term retention required by compliance or record-keeping needs. Combining replication-based and backup-based solutions works better than either alone because their strengths are complementary: replication minimizes the time to recover and the amount of recent work lost, while a retained backup provides a copy that a fault or compromise replicated across production has not touched. Remember that backups are for archival purposes, not DR, and DR replication is for recovery, not archival.
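As an added illustration of two points in this article (the compromise replicated between production sites described under tip 2, and the split between replication and retained copies described here), the following Python model was written for this page; it is not code from the original article or from any DR product. It assumes a hypothetical file share with three constructed documents, a second site that mirrors every write, and a DR target that keeps timestamped recovery points which production credentials cannot alter. The ransomware is simulated by overwriting contents with a digest; nothing is really encrypted.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for this example: a small document share, keyed by path.
PRODUCTION_FILES = {
    "matters/acme-merger/term-sheet.docx": b"Acme/Globex term sheet v3",
    "matters/acme-merger/due-diligence.xlsx": b"due diligence tracker",
    "hr/partner-compensation.pdf": b"compensation schedule 2017",
}
RANSOM_NOTE = "README_DECRYPT.txt"  # constructed compromise indicator


@dataclass
class RecoveryPoint:
    """A timestamped, immutable copy of the whole file set."""
    timestamp: int
    files: dict


@dataclass
class SyncReplica:
    """Second site in the two-data-center model: every write is mirrored at once,
    so the replica is never cleaner than production."""
    files: dict = field(default_factory=dict)

    def mirror(self, production: dict) -> None:
        self.files = dict(production)


@dataclass
class JournaledReplica:
    """DR target that retains a series of recovery points. Assumption of this
    example: retained points cannot be altered or deleted with the production
    credentials that malware runs under, so a compromise only reaches newer
    points, never older ones."""
    retain: int = 30
    points: list = field(default_factory=list)

    def snapshot(self, timestamp: int, production: dict) -> None:
        self.points.append(RecoveryPoint(timestamp, dict(production)))
        del self.points[:-self.retain]  # drop points outside the retention window

    def latest_clean_point(self, compromise_time: int) -> Optional[RecoveryPoint]:
        """Most recent point taken strictly before the compromise, or None when
        every retained point postdates it (retention window too short)."""
        clean = [p for p in self.points if p.timestamp < compromise_time]
        return max(clean, key=lambda p: p.timestamp) if clean else None


def simulate_ransomware(production: dict, key: bytes) -> None:
    """Stand-in for an encryptor: overwrite every file with a keyed digest of its
    content and drop a ransom note. Simulation only."""
    for path, data in list(production.items()):
        production[path] = hashlib.sha256(key + data).digest()
    production[RANSOM_NOTE] = b"pay to recover your files"


def looks_clean(files: dict) -> bool:
    """Pre-failover check: refuse a recovery point carrying the compromise
    indicator. A real check would also verify integrity and scan content."""
    return RANSOM_NOTE not in files


def run_scenario(retain: int = 30) -> dict:
    """Timeline: snapshots at t=1 and t=2, ransomware at t=3, detection at t=4."""
    production = dict(PRODUCTION_FILES)
    second_site, journal = SyncReplica(), JournaledReplica(retain=retain)

    second_site.mirror(production)                 # t=1: normal operation
    journal.snapshot(1, production)
    production["matters/acme-merger/term-sheet.docx"] = b"Acme/Globex term sheet v4"
    second_site.mirror(production)                 # t=2: a partner edits a document
    journal.snapshot(2, production)
    simulate_ransomware(production, key=b"constructed-key")
    second_site.mirror(production)                 # t=3: both targets receive the damage
    journal.snapshot(3, production)

    compromise_time = 3                            # t=4: forensics dates the compromise
    point = journal.latest_clean_point(compromise_time)
    # Failure mode: responders misdate the compromise to t=4 and take the newest point.
    newest = journal.latest_clean_point(compromise_time + 1)
    term_sheet = "matters/acme-merger/term-sheet.docx"
    return {
        "second_site_poisoned": not looks_clean(second_site.files),
        "restore_point": point.timestamp if point else None,
        "restored_term_sheet": point.files[term_sheet] if point else None,
        "restored_is_clean": looks_clean(point.files) if point else False,
        "newest_point_is_clean": looks_clean(newest.files) if newest else False,
    }


if __name__ == "__main__":
    print(run_scenario())          # restore from t=2; the mirrored site is poisoned
    print(run_scenario(retain=1))  # restore_point is None: retention window too short
```

The mirrored second site reproduces the two-data-center problem exactly: it is poisoned the moment production is. The journaled target recovers the t=2 state, including the partner's latest edit, but only because a clean point is still within the retention window and because responders restore from a point dated before the compromise rather than simply the newest one.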