Why the Heartbleed Bug Should Affect Your Firm’s Data Security Strategy
aderantuser
The “Heartbleed Bug” has already become a nightmare for anyone tasked with data security, and frankly any company that maintains data critical to its business operations. This reality puts every existing law firm at risk of a serious data breach. A recent story in Corporate Counsel found that the Heartbleed Bug “challenges all that is known concerning Internet security. Because Heartbleed is a structural flaw, it can be exploited repeatedly and without notice to users. Some estimates suggest that 50 percent of the Internet, mobile devices (including the apps on those mobile devices) and enterprise software could be exposed.”
This issue is not just theoretical for law firms around the world. Jason Krause at the Discovery Cloud Blog noted that a security firm had “investigations of data breaches at over 50 law firms. In one case, investigators found intruders at a law firm were able to obtain more than 30 sets of user credentials, to compromise approximately three dozen workstations, and harvest thousands of emails and attachments from mail servers.”
Clients are also now demanding that firms improve their cybersecurity. In a story last month titled Law Firms are Pressed on Security for Data, The New York Times reported that “In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies.”
And Bloomberg News reported that following hacking attempts by China in 2012, the FBI urged firms to review their mobility policies, including the security of e-mail linkups and mobile phones. The story also quoted Richard Goldberg, a former software programmer and lawyer in Washington involved in data security, who argued that “if clients start thinking they can’t give private information to their lawyers because it might get out, it’s a huge problem for the profession. The whole system will start to fail.”
It should be noted that law firms are certainly not ignoring this threat. Last year’s annual Am Law Tech Survey found that fear of security breaches is the new hot-button issue among top legal information executives. Aderant, as a software company, had to look at Heartbleed from the vantage points of both a provider and a consumer of services. Our software utilizes Microsoft technologies and was thus not susceptible to this particular bug. As a consumer of services, however, we had to look at our providers on a case-by-case basis and perform a wholesale verification of either their lack of vulnerability or their prompt remediation of the issue.
Clearly the age of castle-like, completely secure monolithic data repositories and self-sufficient services infrastructures is fading fast. The adoption of hosted services, with their data outside the boundaries of your organization, is growing with the ubiquity and convenience of the internet connection. While the legal industry remains a bastion of centralized services and data, this paradigm is diminishing. Documentation and verification need to be part of your next-generation security planning.
The clear message from all the experts: BE PREPARED! Jason Krause noted that “the answer is to put technology, monitoring, and incident response battle plans in place to prevent attacks and respond to breaches before they become critical. No organization is identical and every organization has unique security demands. If you want a full list of everything an organization should consider, there is the Critical Security Controls – a list of security protocols agreed upon by a consortium including the National Security Agency, the Department of Defense, Department of State, the Department of Defense Cyber Crime Center, the FBI and others.”
How is your firm dealing with the cybersecurity threat?