As the Chief Information Officer and Chief Security Officer for Wolters Kluwer’s ELM Solutions, Joe McMorris spends a lot of time focusing on cybersecurity for our clients, their law firms, and our own company. He shares some expertise and advice here.
Are hackers targeting the legal function specifically? If so, why?
Yes, without question. Law firms are particularly easy targets because they have a wealth of information, like financial data, personally identifiable information, and personal health information. They typically don’t have the same level of security resources that most of their larger corporate clients have, so this makes firms prime targets for hackers. The Panama Papers are a perfect example.
Corporate legal departments tend to have the same type of high-value data in their systems, but are typically more difficult to breach due to more robust security measures. Despite that, there have still been a number of large-scale breaches because hackers are resourceful and persist until they find even the smallest of vulnerabilities to exploit.
With respect to cybersecurity, what are the biggest dangers legal departments face?
Data breaches and high-risk vulnerabilities are the biggest threats to legal departments, although ransomware attacks have become more common in recent months. There is such a widespread potential area for attack and hackers can strike from every angle. They attack anything from compromising someone’s mobile device or personal email account, to hacking an unpatched web server, or even penetrating physical office security.
And there’s obviously added risk for legal departments in having so much data on law firm systems. They need to take some additional steps to protect data that’s outside their corporate firewalls, including requiring that data be encrypted at all times and mandating that firms regularly report on compliance with security controls.
What are the most important steps legal departments and law firms can take to ensure data security?
All organizations need a thorough, end-to-end policy and approach to information security. This starts with dedicating human and financial resources to implement a comprehensive information security program.
Every law department and firm should take a holistic approach to protecting their data. The number one thing to do is to deploy cybersecurity resources to implement and support the most basic measures such as firewalls, intrusion detection and prevention systems, regular patching, vulnerability scans, and probably most importantly, encryption – both at rest and in transit. Legal departments can also require certain security measures on the firm side and have firms report regularly on their compliance. These steps can’t completely prevent attacks, but they can make it much more difficult for hackers to gain access.
Be proactive, not reactive. Even well-prepared organizations can have trouble staying ahead of hackers. Any company or firm that only has a limited program in place should take action to strengthen their cybersecurity immediately.
What can be done to mitigate the negative impact of data breaches and cyberattacks if they do occur?
First, make sure you have defined policies, procedures, and response plans for each team in your organization. Breaches can create chaos if there isn’t a well-defined plan in place.
And second, I recommend retaining a forensics or cybersecurity firm to analyze your exposures and help you close any security gaps. Legal departments and firms often lack the right staff to conduct their own investigations, so a consultant can be very helpful in reducing the risk, mitigating incidents, and preparing for future breaches.
What does ELM Solutions do to ensure the security of client data?
First, it starts at the top. Our executive management team is actively involved and we take information security very seriously. We have developed a very mature information security program that we continuously improve upon. We dedicate substantial financial and human resources and go through extensive third-party audits, including both SOC 1 and SOC 2 Type 2 audits, as well as ISO 27001, the most widely recognized set of information security standards on the planet. The core of this standard is ensuring that an information security framework exists throughout the organization, starting at the top and proliferating throughout, to ensure that current industry best practices are implemented and are being followed.
We also go a step beyond that with the Cloud Security Alliance’s (CSA’s) STAR certification, which is specific to cloud hosting providers and based on ISO 27001 but takes it a step further by assigning a maturity rating. I’m very proud that ELM Solutions was among the first companies to be certified and to achieve Gold certification, the highest maturity level available. These audits and certifications demonstrate that we are doing everything possible to protect against cyberattacks.