Security operations · 6 MIN READ · AMANDA FENNELL · SEP 5, 2019 · TAGS: CISO / How to / Managed security / Planning
Amanda Fennell is the Chief Security Officer at Relativity, the global legal technology company whose software platform is used by thousands of organizations around the world to manage large volumes of data and quickly identify key issues during litigation, internal investigations and compliance projects. Relativity has 180,000+ active users and works with 198 of the AM Law 200. Its SaaS platform, RelativityOne, is the fastest-growing product in company history.
I joined Relativity in January 2018 and it took battling a blizzard in Chicago to walk through the doors that day.
Similarly, the weather in the security landscape hasn’t let up in the past year and a half. Larger organizations receive a lot of direction and attention to navigate these cyber storms, but it can be difficult for organizations without a lot of data — or the right connections — to clear frameworks like PCI or HIPAA.
Legal services organizations, including law firms, are a big part of our user community and we know that this industry needs and is demanding more guidance, info and standards on protecting client data. I’m often asked about how legal services organizations and law firms approach security and if it’s different from the other industries I’ve worked in, or managed the security for, throughout my career.
Security hasn’t always been at the forefront for legal services companies and law firms. But the legal services industry presents a softer target for many adversaries, and the data loss from a successful intrusion can lead to stolen intellectual property, merger and acquisition details or even direct financial manipulation. Financial gain is still the major motivation in cyber attacks, with the exception of a few industries — meaning that the legal services industry will always be on the target list.
Developing a mature security program is often a very expensive venture for small to medium-sized firms, but I’ve met many forward-thinking security leaders in the industry who’ve been able to make swift and substantial strides in protecting their clients’ data. Here are five specific things that orgs in the legal industry can do right now to create immediate, measurable security benefits.
#1 – Perform a risk assessment
One thing I’ve observed is that firms that have more mature security approaches also tend to have a better understanding of the risks they face. If you’re proactive about security, you’ll be a pace setter amongst your peers.
No matter your org’s size, conducting a risk assessment is a critical first step – whether you do it in-house or hire an external firm. It may be intimidating, particularly if you haven’t previously done a risk assessment, but making even relatively minor changes in organizational or employee behavior can shrink some of your largest risks. In order to fully understand where gaps exist, it’s necessary to assess your current level of risk. You’ll also find a more positive reception from the partners in your firm when you turn security into a risk-based discussion rather than a cost-based one, since they help clients manage risk every single day.
#2 – Vet your partners
Law firms rely heavily on third-party partners and vendors — and they place a lot of trust in these other companies. As we learned from the Target breach in 2013, trusting vendors implicitly without doing your due diligence can have disastrous results. Attackers target law firms to get access to their clients’ data and they target the vendors used by law firms to exploit that relationship and bypass more difficult routes of compromise. It’s essential that you vet partners and vendors to ensure their security meets your own standards and requirements. Supply chain attacks are often a very successful attack vector against orgs with a shortage of security talent — which brings me back to knowing what’s at risk in your org and where you should focus your efforts.
The vetting process typically begins with checking compliance certifications such as the ISO 27000 standards and SOC 2 Type II, along with industry-specific certifications such as HIPAA, PCI, and others as applicable. For your closest and most important partners, you should have frank conversations with them about how you both view security. Do you have alignment and the same expectations? Do you share the same vision? Have you established mutual trust?
Continuing to verify that your partners and vendors are doing security correctly is frequently overlooked. It is important to ensure that you don’t allow your most trusted allies to become your greatest source of risk.
#3 – Embrace the human element (aka phishing)
The most common attack vector is still phishing. The legal industry is no different in that this method is highly effective and can lead to devastating results. The good news is that with some education, training and good tech, your firm can successfully mitigate this threat. Teaching your employees to recognize a phishing email and what steps to take when they receive one is an easy and effective place to start.
At Relativity we host regular phishing simulations to train our employees to identify phishing emails, and the results have been very rewarding. Comparing our initial phishing email campaign to the most recent simulation, we saw a 40% drop in employees taking incorrect actions. We treat each Relativian as a cyber warrior in the battle to protect our and our customers’ data. Humans have the ability to be our greatest strength against phishing or social engineering attempts, rather than a weak link in the chain — but it’s our job as security professionals to inspire and educate them.
#4 – Pay attention to what’s happening to other firms
Once you’ve identified your largest risks and started addressing the basics, it’s time to think more proactively about how you can stay ahead of emerging threats.
One method of accomplishing this is to pay attention to what’s happening at other firms from a security perspective. Read law trades about incidents at other firms, talk to your peers, attend industry events like ILTACON or Relativity Fest and participate in the Legal Services Information Sharing Organization (LS-ISAO). There’s nothing more useful in security than the human connections we make with others who are struggling with similar issues or concerns. Organizations and firms represent a spectrum of security maturity at these events. Attendees find not only how others have resolved concerns that are similar to their own, but also how to stay ahead of the threats that are most commonly targeted at the legal services industry.
Attacks are growing exponentially and everyone is suffering — which is why we developed our threat intelligence feed that’s focused on the legal services industry for our RelativityOne customers. We collect and correlate data from our honey networks and from all the customers we work with — then we anonymize it and make it true threat intelligence that we share. This provides our customers with an industry-wide look at threats relevant to firms or organizations just like their own. This allows even small and medium-sized orgs and firms to take advantage of up-to-date, real-time, actionable threat intelligence to strengthen their security posture.
Focusing on where your blind spots are is key to preventing a potential breach. What might appear to be random scanning from one log can be correlated to other activity and may identify behaviors of an advanced persistent threat (APT) actor attempting to compromise a law firm through a remote desktop viewer (yes, this actually happened).
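The correlation described above, as an added example that is not Relativity's feed or tooling: it reads constructed firewall-drop and remote-desktop authentication log lines, treats a source that probes several ports as a scanner, and flags that source if it then fails remote-desktop logons within a short window. Hosts, users, addresses and the log formats are hypothetical.

```python
"""Cross-log correlation: a source seen port-scanning in firewall logs and
later attempting remote-desktop logons is more than random scanning noise.
Added example with constructed logs; not the author's or Relativity's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical hosts, users and addresses).
FIREWALL_LOG = """\
2019-08-30T02:14:01Z DROP src=203.0.113.7 dst=10.0.5.20 dport=22
2019-08-30T02:14:02Z DROP src=203.0.113.7 dst=10.0.5.20 dport=445
2019-08-30T02:14:03Z DROP src=203.0.113.7 dst=10.0.5.20 dport=3389
2019-08-30T02:14:05Z DROP src=203.0.113.7 dst=10.0.5.20 dport=5900
2019-08-30T03:10:44Z DROP src=198.51.100.9 dst=10.0.5.20 dport=23
"""
RDP_AUTH_LOG = """\
2019-08-30T02:31:10Z FAIL src=203.0.113.7 user=partner1 host=10.0.5.20
2019-08-30T02:31:12Z FAIL src=203.0.113.7 user=admin host=10.0.5.20
2019-08-30T09:02:00Z OK src=10.0.7.15 user=jsmith host=10.0.5.20
"""
SCAN_PORTS = 3              # distinct ports from one source = scanning
WINDOW = timedelta(hours=2)  # how long after the scan we keep watching

def parse(text):
    """Yield one dict per log line: ts, action, and the key=value fields."""
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        action, _, kv = rest.partition(" ")
        fields = dict(p.split("=", 1) for p in kv.split())
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["action"] = action
        yield fields

def find_scanners(fw_log):
    """Map each scanning source to the time its probing was first seen."""
    ports, first = defaultdict(set), {}
    for e in parse(fw_log):
        ports[e["src"]].add(e["dport"])
        first.setdefault(e["src"], e["ts"])
    return {s: first[s] for s, p in ports.items() if len(p) >= SCAN_PORTS}

def correlate(fw_log, auth_log):
    """Scanner sources that went on to fail remote-desktop logons in WINDOW."""
    scanners, hits = find_scanners(fw_log), defaultdict(list)
    for e in parse(auth_log):
        t0 = scanners.get(e["src"])
        if t0 and e["action"] == "FAIL" and t0 <= e["ts"] <= t0 + WINDOW:
            hits[e["src"]].append((e["ts"], e["user"], e["host"]))
    return dict(hits)

if __name__ == "__main__":
    for src, tries in correlate(FIREWALL_LOG, RDP_AUTH_LOG).items():
        print(f"{src}: scanned, then {len(tries)} failed remote-desktop logons")
```

The single-port probe from 198.51.100.9 and the successful internal logon are left alone; only the source that scanned and then failed logons is reported.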
#5 – Bake security into everything you do
As the adage goes, “security isn’t something you buy, it’s something you do.”
Improving your security posture is a process that will take time. When security is a priority, you’ll see security advocates getting a seat at the table for important business discussions and decisions. Partners want the security team to weigh in and green light their decisions. Security is about managing risk.
Another sign of security maturity is seeing security baked into many processes such as the Secure Software Development Lifecycle (SDLC). The security team — or lead partner who manages security — should be consulted for security impact assessments, vendor reviews, major decisions in engineering, every project that is going to affect the code and many other business decisions that need to be made.
Security is everyone’s responsibility
A few years ago during a keynote address at Relativity Fest London, our founder Andrew Sieja said something I’ll never forget: “It’s an honor and a privilege to be a part of the legal profession – and that’s something every lawyer feels.”
That stuck with me because it highlights the great responsibility we have to all our clients using the Relativity platform and RelativityOne, our secure SaaS platform hosted in the Microsoft Azure cloud. We’re helping them do important work and part of that partnership means keeping their information and their clients’ information secure through our work in the Calder7 security group and our company-wide commitment to building a culture of security.
Hopefully some of these tips will help you improve your security posture. If, on the flip side, you’re looking at these five tips and saying, “I’ve already done that,” then help others. Speak at conferences, publish whitepapers or collaborate on a blog post with a partner. We love quoting Winston Churchill in Calder7: “Our fight is hard. It will also be long … but win or lose, we must do our duty.”