As well as understanding risk and actively managing threats, information security professionals are constantly thinking about how best to prioritise investment options.
The financial services sector has always been a target for attack. Add to this the pressures of meeting trust commitments to customers, dealing with compliance requirements in a highly regulated market, and doing business in a highly competitive environment, and it is easy to see why companies in this sector have always faced decisions about where and how much to invest – and there never is an open cheque book.
But as the threat landscape has widened, industries that may never have thought themselves of interest to cybercriminals are becoming targets. This can often mean that historically they have not made adequate investments in mitigating information security risks.
In addition, the professionals tasked with protecting customer and employee data are under extreme pressure to address historic security exposures and make a compelling case for innovative investment to protect against new and more sophisticated threats.
A key industry where this investment conversation will prove challenging is within partner-owned businesses, such as law firms.
There is no lack of awareness of the risks law firms are facing or any lack of desire or talent to implement the required advanced systems and strategies to withstand the growing number of attacks. The challenge is how to prioritise information security culturally as well as financially.
Information governance challenge
Without a doubt, the best place to start the discussion about risk in the law firm is the security of the data. The explosion of digital documents and the changing litigation landscape make document governance of strategic importance to law firms.
Getting this right allows lawyers to focus their skills on the case in hand – confident that the documents they are working on conform to effective security practices and standards. The number of potential data sources required for capturing evidence can introduce legal and logistical challenges.
Lawyers are consistently using document types such as Word, Excel and PDF files generated within the firm, and files that have been emailed as attachments from outside their firms. Regardless of the source, legal technology and risk professionals want to ensure that security and privacy standards are applied to control and manage information and limit risk.
Whatever systems and controls are applied must provide security and privacy without inhibiting fee-earners from doing their jobs. Interruptions to carefully scheduled time for dealing with a case can impact profitability and client relationships. A cost-benefit risk analysis of any solution designed to maintain information compliance is therefore crucial.
In an age where, according to FireEye’s most recent report, cyber attacks and attempts at hacking the files that a law firm receives are increasing by 100%, putting forward an effective case for information security investment has never been more important.
Focus on file risk
Digital files are vital to every legal practice and are being produced, transmitted and stored in record volumes. Yet the ease with which they can be accessed means that they are a preferred threat vector for attackers looking to gain access to organisational networks and the sensitive information that they contain.
In recent years, digital data has been the target in almost all advanced attacks. Verizon’s latest statistics report that 78% of cyber-espionage attacks are transmitted through email attachments that are not effectively analysed for security threats.
However, many document security products limit their focus to controlling who can access which documents and to ensuring that those documents are transmitted using secure mechanisms.
Scant, if any, regard has been paid to ensuring that the actual underlying structure and functionality of those documents are safe, secure and trustworthy. In many law firms, the current controls do not analyse email attachments to ensure they do not pose a threat.
Such a reactive stance is all but ineffective in protecting documents against the sophisticated threats being seen today, where variants of exploits are often specifically written for each new target. The challenge for IT professionals is to convince their partners that company and client information is well worth the attention of criminals and the investment by the company to safeguard this data.
Bearing in mind the vital importance of sharing information and files to every law firm, perhaps one return on investment case worth making is the ability to manage the risk of unstructured data files usually seen as attachments to email.
Addressing this will greatly reduce a law firm’s threat footprint and significantly reduce information risk to the organisation while maintaining document integrity and business continuity.
Sourced from Steve Katz, Glasswall Solutions