Effective Strategies for Data Security and Risk Mitigation in Legal Firms


Safeguarding data in modern legal firms against cyber threats is crucial in today's digital landscape. Learn about the increasing risks posed by cyber-attacks, such as data breaches and ransomware, and understand the key strategies for protecting sensitive information. Stay informed on the latest cybersecurity trends and best practices to mitigate risks effectively.

  • Data Security
  • Risk Mitigation
  • Legal Firms
  • Cyber Threats
  • Cybersecurity




Presentation Transcript


  1. Safeguard Your Data with a Security Policy: Top Strategies for Security, Storage, and Risk Mitigation (16 Oct 2024)

  2. State of Cybersecurity

  3. Safeguarding Data in Modern Legal Firms: Risk Management Requires Focused Intent
     With cyber-attacks increasing in frequency, aggressiveness and technological sophistication, today's law firms must be more diligent than ever in protecting their clients' personal and private information. External threats, such as malicious exposure and ransomware, pose significant risks to on-premises systems. Malicious exposure involves unauthorized parties gaining access to sensitive data or internal networks, potentially leading to data theft, industrial espionage, or unauthorized system manipulation. Ransomware, on the other hand, is a type of malicious software that encrypts a firm's data, holding it hostage until a ransom is paid. Such threats can cripple a firm's operations, erode customer confidence, and inflict substantial financial and reputational damage.
     Assembly Software Proprietary & Confidential. Not for external distribution.

  4. Cybersecurity Fast Facts: Understanding the Modern Threat Landscape
     As the globe becomes more interconnected and reliant on digital technologies, cybercrime is surging. To best protect your firm's infrastructure and data, it is important to understand the global cyber-attack data: its nature, impact and growth rate. (Sources: Statista / Forbes)
     • There were 2,365 cyberattacks in 2023 with 343,338,964 victims.
     • 2023 saw a 72% increase in data breaches since 2021, which held the previous all-time record.
     • A data breach costs $4.45 million on average; an organization loses $4.45 million in the average data breach.
     • The average cost of an organization detecting and escalating a data breach is $1.58 million.
     • Email is the most common vector for malware: in 2023, around 35% of malware was delivered via email, and more than 94% of organizations reported email security incidents.
     • The total cost of damages incurred by cybercrime is expected to reach $10.5 trillion by 2025.
     • Ransomware attack victims rose by 128.17% between 2022 and 2023.
     • At any given time, 4.1 million sites are infected with malware.
     • On average, a ransomware attack costs a business $5.13 million.
     • Ransomware accounts for 24% of malicious cyberattacks.

  5. Protection of Data Is a Shared Responsibility
     Technology providers and partners are not wholly responsible for your firm's security.
     Chart: Most common cyber attacks experienced by companies in 2024 (Sources: Statista / Forbes). Categories: Phishing, Intrusion, Disclosure, Lost / Misplaced, Misuse / Config; values shown: 10%, 4%, 37%, 30%, 12%.
     4 of the 5 most common attack vectors involve capitalizing on human behavior.

  6. Shared Responsibility Model: Cloud Provider, SaaS Provider, and Firm All Play a Role
     Cloud Provider
     • Responsible for securing all aspects of physical infrastructure
     • Responsible for keeping the infrastructure of the service from threats, vulnerabilities, abuse, and fraud
     • Responsible for providing customers with key security capabilities
     SaaS Provider
     • Responsible for securing activity within the cloud environments
     • Responsible for proper configuration of the security features
     Customer
     • Responsible for enforcing secured operations
     • Responsible for protecting access/credentials
     • Responsible for managing local physical access to building and computers
     • Responsible for ensuring employees aren't exposing sensitive data to unauthorized parties
     • Responsible for physically managing local copies of data (even paper)

  7. The Importance of a Security Policy: A Playbook to Manage Risk and Protect Data
     A security policy is an internal business procedure created by your firm to protect your valuable systems and case data. It is a planned approach for how your firm handles and protects case data and information. It is also incredibly important to train your staff in how to handle data appropriately. Focusing on what is protected, and why, helps make sure the staff at the firm is aware of how important it is to secure this information. Your security policy will be a single document, or a set of documents, describing how your firm operates and manages data in today's constantly changing landscape of cyber-attacks.
     Risk Management Cycle: Identify Risk → Assess Risk → Control Risk → Review Controls

  8. Why Does Your Firm Need a Security Policy?
     Cyber Crime: Because of the types of data involved in most lawsuits, firms are prime targets for cybercriminals for a few reasons. Firstly, the data required to effectively manage legal cases is far-reaching and likely includes personally identifiable information, financial records, medical and treatment information, and other data that have high value for resale or ransomware targeting.
     Regulatory Responsibility: Firms that handle personal data fall under the provisions laid out in data protection laws at both the federal and state levels. Most firms are legally required to prove they are taking steps to protect their clients' personal data from unauthorized usage and access. If your firm was ever breached and could not prove proper handling processes were in place, you could be subject to heavy fines.
     Professional Responsibility: All businesses have an obligation to handle their clients' personal data with respect and privacy. This is no different for legal firms. Failure to properly handle sensitive information can result in everything from malpractice claims to reputational damage. A simple way to think about this aspect is a desire to stay off the news for any loss of data or mishandling of private information.
     Privacy Considerations: As we know, the American Bar Association has rules regarding the confidentiality of case information. Basically, this rule states that you cannot share your client's information without their consent. This includes all the case-related data. Firms are required to keep all information private as a primary function of a client relationship.
     Availability: A good way to think about this aspect is that you can only protect data if it exists somewhere. Your policy must have considerations to ensure that the protected elements of data are always available to be consumed and used as needed, but also to be continually protected.

  9. Implementing a Security Process

  10. Step 1: Conduct a Risk Assessment
      Identify Assets
      • Crown Jewels
      • Likely Targets
      • Identities
      • Servers
      • Backups / Archives
      • Regulatory Requirements
      • Give all data a sensitivity rating
      Identify Threats
      • Link common tactics to assets
      • Identify industry-specific concerns
      • Identify unpatched resources
      • Place each asset on the Cyber Kill Chain
      What If Scenarios
      • Determine the risk position for each "What If"
      • Capture the consequences of the identified threats being successfully exploited
      Document Risks
      • Threat / Vulnerability / Asset / Consequence
      Risk and Impact Analysis
      • Rank Likelihood of Occurrence: 1 (Rare) to 5 (Probable)
      • Rank Impact if Exploited: 1 (Negligible) to 5 (Catastrophic)
      Prioritize Risks
      • Risk register columns: Risk scenario, Identification date, Existing security controls, Current risk level, Treatment plan, Progress status, Residual risk, Risk owner
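      The risk register described in Step 1, worked through in code. This is an added example, not material from the presentation or from Assembly Software: the two 1-to-5 scales come from the slide, while the scoring rule (likelihood multiplied by impact), the Low/Medium/High bands, and the three sample risks are assumptions made for illustration.

```python
"""Risk register for Step 1 (added example, not from the presentation).

Scales are the slide's: likelihood 1 (Rare) to 5 (Probable), impact
1 (Negligible) to 5 (Catastrophic).  Assumed here: score = likelihood * impact,
the Low/Medium/High bands, and every sample risk below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    scenario: str                 # the "What if ..." question
    asset: str
    threat: str
    vulnerability: str
    consequence: str
    likelihood: int               # 1 (Rare) .. 5 (Probable)
    impact: int                   # 1 (Negligible) .. 5 (Catastrophic)
    existing_controls: str = ""
    treatment_plan: str = ""
    risk_owner: str = ""
    identified_on: str = ""
    progress_status: str = "open"
    # Expected position once the treatment plan is in place (None = not yet estimated)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")


def risk_score(likelihood: int, impact: int) -> int:
    """Assumed scoring rule: product of the two rankings (range 1..25)."""
    return likelihood * impact


def risk_level(score: int) -> str:
    """Assumed bands for the register's 'Current risk level' column."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def current_score(risk: Risk) -> int:
    return risk_score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> Optional[int]:
    """Residual risk after treatment; None until both residual rankings exist."""
    if risk.residual_likelihood is None or risk.residual_impact is None:
        return None
    return risk_score(risk.residual_likelihood, risk.residual_impact)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so catastrophic items surface."""
    return sorted(risks, key=lambda r: (current_score(r), r.impact), reverse=True)


def register_rows(risks: list[Risk]) -> list[dict]:
    """One row per risk, using the column names shown on the slide."""
    rows = []
    for r in prioritize(risks):
        residual = residual_score(r)
        rows.append({
            "Risk scenario": r.scenario,
            "Identification date": r.identified_on,
            "Existing security controls": r.existing_controls,
            "Current risk level": f"{risk_level(current_score(r))} ({current_score(r)})",
            "Treatment plan": r.treatment_plan,
            "Progress status": r.progress_status,
            "Residual risk": "n/a" if residual is None else f"{risk_level(residual)} ({residual})",
            "Risk owner": r.risk_owner,
        })
    return rows


# Constructed sample risks for a small firm (illustrative values only)
SAMPLE_RISKS = [
    Risk("What if a paralegal opens a malicious email attachment?",
         asset="case file server", threat="ransomware via phishing email",
         vulnerability="no MFA, no attachment filtering", consequence="case data encrypted, work stops",
         likelihood=4, impact=5, existing_controls="antivirus",
         treatment_plan="MFA, attachment filtering, offline backups tested quarterly",
         risk_owner="IT manager", identified_on="2024-10-16",
         residual_likelihood=2, residual_impact=3),
    Risk("What if a laptop with client files is left in a taxi?",
         asset="attorney laptops", threat="device loss", vulnerability="disk not encrypted",
         consequence="client PII disclosed", likelihood=3, impact=4,
         treatment_plan="full-disk encryption, remote wipe", risk_owner="IT manager",
         identified_on="2024-10-16", residual_likelihood=3, residual_impact=1),
    Risk("What if the remote-access appliance is exploited?",
         asset="VPN appliance", threat="intrusion via a known vulnerability",
         vulnerability="firmware two releases behind", consequence="internal network exposed",
         likelihood=4, impact=4, treatment_plan="patch within 7 days, monthly patch review",
         risk_owner="managed service provider", identified_on="2024-10-16",
         residual_likelihood=1, residual_impact=4),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE_RISKS):
        print(row["Current risk level"], "->", row["Residual risk"], "|", row["Risk scenario"])
```

      The ordering produced by prioritize() is what drives the treatment plan: the ransomware scenario (20) is handled before the unpatched appliance (16) and the lost laptop (12), and the residual column shows which treatments actually move an item out of the High band.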

  11. Step 2: Develop and Implement Security Policies and Procedures
      Create policies and procedures that directly address your identified risks and vulnerabilities. These should cover various areas, including data protection, access control, network security, incident response, and training and awareness. Your policies should outline guidelines for safeguarding sensitive data, establishing access controls to limit unauthorized access, implementing measures to secure your network infrastructure, defining procedures for responding to security incidents, and ensuring ongoing training and awareness among employees. Developing and implementing these policies and procedures will create a framework that guides your organization in maintaining a secure environment and effectively managing security risks.
      Baseline and review cycle: Refresh Threat Matrix, Document Mitigation State, Create Procedure to Achieve, Formalize Procedure, Train Employees, Measure Efficacy

  12. Step 3: Implement Access Controls and Data Protection Measures
      Inventory Data: Having secure data starts with knowing what types of data you have, where it's stored and who has access to it. Conduct a comprehensive data inventory to identify and categorize all information held by your organization. Determine the sensitivity and criticality of each data type to prioritize protection efforts, then regularly update the inventory with any changes in data usage or storage.
      Set Security Baselines
      • Lifecycle management by data type
      • Encryption requirements by sensitivity and privacy classification
      • Backup and recovery with RPO and RTO specified
      • Storage management and requirements
      Set Access Rules and Controls: Access rules help prevent unauthorized access, use or transfer of sensitive data by ensuring that only authorized users can access certain types of data. Employees have exactly the permissions they need and nothing more.
      • Role-based Access Controls
      • Multi-factor Authentication
      • Role-based access white-listing by asset assignments
      • Regular Review of Role / Access
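      The access rules in Step 3 (role-based access, allow-listing by asset assignment, multi-factor authentication and a regular review of role/access) combined into one deny-by-default check, as an added example that is not part of the presentation or Assembly Software's own material. The roles, asset types, sample users, the ad hoc "extra grant" concept and the 90-day review interval are all assumptions made for this illustration.

```python
"""Access-rule evaluation and access review for Step 3 (added example).

Assumed: the role table, asset types, the 90-day review interval, and the
sample users and assets.  Effective permissions are the role's permissions
plus any ad hoc grants; the review flags grants that exceed the role.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Role -> asset type -> allowed actions (assumed).  Anything not listed is denied.
ROLE_PERMISSIONS: dict[str, dict[str, set[str]]] = {
    "partner":   {"case_file": {"read", "write"}, "billing": {"read"}},
    "paralegal": {"case_file": {"read", "write"}},
    "finance":   {"billing": {"read", "write"}},
    "intake":    {"intake_form": {"read", "write"}},
}


@dataclass
class Asset:
    name: str
    asset_type: str
    sensitivity: str           # from the data inventory, e.g. "confidential"
    assigned_to: set[str]      # allow-list: users assigned to this asset (the matter team)


@dataclass
class User:
    name: str
    role: str
    mfa_enrolled: bool
    last_access_review: date
    # Ad hoc grants outside the role (asset type -> actions); the review reconciles these
    extra_grants: dict[str, set[str]] = field(default_factory=dict)


def effective_permissions(user: User, asset_type: str) -> set[str]:
    role_perms = ROLE_PERMISSIONS.get(user.role, {}).get(asset_type, set())
    return role_perms | user.extra_grants.get(asset_type, set())


def is_allowed(user: User, asset: Asset, action: str, mfa_verified: bool) -> bool:
    """Deny by default: MFA, a permission for the action, and asset assignment must all hold."""
    if not user.mfa_enrolled or not mfa_verified:
        return False
    if action not in effective_permissions(user, asset.asset_type):
        return False
    return user.name in asset.assigned_to


def review_access(users: list[User], assets: list[Asset], today: date,
                  interval_days: int = 90) -> list[str]:
    """Findings for the 'Regular Review of Role / Access' control."""
    findings: list[str] = []
    known = {u.name for u in users}
    for u in users:
        if not u.mfa_enrolled:
            findings.append(f"{u.name}: MFA not enrolled")
        if today - u.last_access_review > timedelta(days=interval_days):
            findings.append(f"{u.name}: access review overdue")
        for asset_type, actions in u.extra_grants.items():
            beyond = actions - ROLE_PERMISSIONS.get(u.role, {}).get(asset_type, set())
            if beyond:
                findings.append(f"{u.name}: grant {sorted(beyond)} on {asset_type} exceeds role '{u.role}'")
    for a in assets:
        stale = a.assigned_to - known       # assignments left behind by departed users
        if stale:
            findings.append(f"{a.name}: assigned to unknown users {sorted(stale)}")
    return sorted(findings)


# Constructed sample directory (illustrative only)
REVIEWED = date(2024, 9, 1)
SAMPLE_USERS = [
    User("alice", "partner", True, REVIEWED),
    User("bob", "paralegal", True, REVIEWED),
    User("carol", "finance", True, date(2024, 3, 1), extra_grants={"case_file": {"read"}}),
    User("dave", "intake", False, REVIEWED),
]
SAMPLE_ASSETS = [
    Asset("Smith v. Jones case file", "case_file", "confidential", {"alice", "bob"}),
    Asset("Doe estate case file", "case_file", "confidential", {"alice", "erin"}),
    Asset("Q3 invoices", "billing", "internal", {"alice", "carol"}),
]
BY_NAME = {u.name: u for u in SAMPLE_USERS}
BY_ASSET = {a.name: a for a in SAMPLE_ASSETS}


def run_review(today: date = date(2024, 10, 16)) -> list[str]:
    return review_access(SAMPLE_USERS, SAMPLE_ASSETS, today)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

      Note that carol's ad hoc read grant on case files does not let her open the Smith matter even with MFA, because she is not on that asset's allow-list; the review still reports the grant, since it exceeds the finance role and should be removed rather than left to be caught at access time.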

  13. Step 4: Train Employees on Security Best Practices
      Role-Based Training: Role-based training is another best practice for employee cybersecurity training. Role-based training tailors training sessions to specific roles within an organization, such as partners, paralegals, or managers. Employees receive training that is relevant to their day-to-day tasks and responsibilities. For example, intake employees might receive training on how to identify and avoid phishing scams from contact forms, while finance might receive training on the proper handling of sensitive financial information.
      Scenario-Based Training: Scenario-based training is another effective method for training employees to identify and respond to cyberattacks. In this type of training, employees are presented with real-life scenarios and asked to respond to them. Scenario-based training is effective because it provides employees with hands-on experience and helps them to understand the potential consequences of their actions.
      Simulated Phishing Exercises: Simulated phishing exercises are one of the most effective ways to teach employees to identify and respond to phishing scams. In these exercises, employees receive an email that looks like a phishing scam and are asked to respond to it (usually by reporting it to their security organization). This helps employees to understand what a phishing scam looks like and how to respond appropriately.

  14. Step 5: Develop and Rehearse an Incident Response Plan
      Preparation
      • Define a team with roles and responsibilities
      • Develop and update a plan
      • Acquire and maintain proper infrastructure and technology
      • Maintain up-to-date threat intelligence
      • Identify clear communication roles and templates for any external reporting
      • Rehearse responding to an incident
      Detection and Analysis
      • Monitor and alert for signs of an incident (precursors as well as indicators)
      • Analyze alerted signs
      • Document the incident
      • Prioritize the incident
      • Launch notifications as required
      Contain, Eradicate, Recover
      The purpose of the containment phase is to halt the effects of an incident before it can cause further damage. Develop strategies based on:
      • Criticality / sensitivity of affected systems and data
      • Type and severity of the incident
      • Need to preserve evidence
      • Importance of the system to critical business
      • Resources required to implement the strategy
      Post-event Activity
      A lessons-learned meeting involving all relevant parties should be mandatory after a major incident:
      • What happened and when
      • How well the response was executed
      • Were procedures followed
      • Are the procedures adequate
      • What information was missing when needed
      • What actions slowed recovery
      • What could be done differently
      • What could be done to prevent recurrence
      • What precursors or indicators can be monitored and alerted on in future

  15. Step 6: Review and Update Security Policies and Procedures Regularly
      Define Triggers
      • When implementing new technology
      • When internal processes change
      • When hiring new staff
      • When working with new vendors
      • When security incidents occur
      • When legal or regulatory compliance rules change
      • Annually
      Review for Applicability
      • Does the existing procedure cover the change from the trigger?
      • Has anything else changed that would impact this procedure?
      • Are there changes to named resources, employees or roles?
      • Does the existing procedure handle any new risk introduced by the trigger?
      Update, Deploy and Train
      • Make the required changes to the procedure
      • Create a revision and accept it into the catalog
      • Deploy to impacted roles
      • Train impacted roles on the procedure in its entirety

  16. Closing and Q&A
      Thank you for your time and attention. Firms must view security processes as a mandatory requirement rather than an optional measure to protect themselves and their clients. With the increasing risks and potentially devastating consequences of data breaches, unauthorized access, and reputational damage, implementing comprehensive security measures is essential for safeguarding sensitive information and maintaining the trust of clients. Prioritizing security as a necessity is crucial in today's digital landscape.
      Remember, security is not an option but a necessary investment in your practice's trust, reputation, and longevity. By implementing the recommended strategies and steps outlined in this session, you can start building a strong security framework today and empower your firm to navigate the digital landscape of the future with confidence. Your clients and your business deserve nothing less than the highest level of protection.
