The Panama Papers leak made global news in April, providing detailed financial and attorney-client information showing how the world’s rich and powerful hide their money through shell corporations. Not only did this leak hurt its clients—ending the prime minister of Iceland’s career, for instance—it also crippled the hacked law firm Mossack Fonseca.
While Mossack Fonseca was a headline-grabber, it experienced just one of many recent law firm hacks. Cravath Swaine & Moore has acknowledged it was hacked, and news reports listed “dozens” of other law firms that were targeted by a Russian hacker. Most of these firms denied important information was compromised.
But these attacks are costing lawyers credibility, argues Jonathan Stribling-Uss, director of Constitutional Communications, a cybersecurity firm based in New York City. With each breach, he says, “we’re losing trust in the profession.”
On account of increased and evolved attacks, attorneys and companies are rethinking cybersecurity. It is not sufficient to merely have anti-virus software. Plans for when a breach happens and software that can help ameliorate the damage are emerging cybersecurity trends.
Luke Dembosky, a partner at Debevoise & Plimpton in Washington, D.C., puts it succinctly, warning organizations to “start with the assumption that you will face one or more cyber breaches.”
There are three major cyberthreats to law firms, Dembosky says. These include ransomware, which locks users out of their computer or network until they pay a fee; ideologically motivated hacks, as with the Panama Papers; and hackers looking for insider trading information.
Jake Frazier, senior managing director at FTI Consulting, explains that “historically, the information security world has taken a fortress approach.” This approach is a reliance on anti-virus software, proxies and firewalls—all intended to keep malicious software out—but which provide poor protection once this perimeter security is compromised.
PLAN FOR ATTACKS
Evolving past the fortress mentality, attorneys and law firms are learning to plan for a breach. Marcus Christian, a partner at Mayer Brown in Washington, D.C., helps companies create such a plan.
Before the breach, an organization should have a team ready and a plan in place, he says. “Who’s going to be the quarterback?”
The team can be varied: digital forensics experts, crisis communication firms, and regulatory and legal teams can all play critical roles in the first 72 hours after a breach.
To help others create a plan, Christian and his colleague Stephen Lilley wrote Preparing for and Responding to a Computer Security Incident: Making the First 72 Hours Count (PDF), which can be obtained via Mayer Brown’s website.
Meanwhile, on the software side, two cybersecurity companies, enSilo and Terbium Labs, are also moving beyond the fortress approach.
Roy Katmor, a co-founder and CEO of enSilo, says the way we think about digital threats must evolve. “It’s not a virus anymore. … It’s like a chronic disease. With a chronic disease, you can control it.”
This mentality is reflected in the product: EnSilo maps a computer’s operating system to later find modifications in the form of malicious programs. According to Katmor, these intruding programs violate operating system instructions in order to remain stealthy and unobtrusive, making them hard to detect.
The enSilo product creates constant triage, Katmor says, which blocks the malicious software and allows the operating system to work uninterrupted.
According to a Verizon Risk Team report, it takes months before a target is aware its data has been taken, also called exfiltration. The report says 92 percent of data breaches in 2015 were found by someone other than the target, often by law enforcement or a compromised client.
Tackling the detection problem, Baltimore-based Terbium Labs built Matchlight. This platform creates a unique fingerprint for sensitive data such as employee Social Security and credit card and source code. Once a fingerprint is created, an automated tool called a web spider crawls around the web looking for these fingerprints. When the spider finds a fingerprinted document, often on so-called dark web markets, the owner is immediately informed that a data breach occurred.
Matchlight “brings detection time from a couple of hundred days to a couple of minutes,” says Tyler Carbone, COO of Terbium Labs.
Still, even with the creation of new tools and improved preparedness, some precautions are tried and true. The Verizon report found in 2015 that 63 percent of confirmed data breaches involved weak, default or stolen passwords.
A lawyer himself, Frazier believes the legal field can get a handle on the issue. “Lawyers putting forth really good effort will always count for something,” Frazier says. “You never know what small risk control you put in place that might avert a disaster.”
This article originally appeared in the August 2016 issue of the ABA Journal with this headline: “Plugging Leaks: Experts advise new tactics to fight data breaches.”