Demand for legal technology staff grows as law firms and corporate legal departments come under scrutiny for information security practices.
Are law firms doing enough to secure client data? In a year when major U.S. companies including JP Morgan, Home Depot and UPS have suffered massive data breaches, attention is turning to the information security systems employed by the legal institutions that advise America’s biggest businesses.
Lawyers, C-level executives and other company personnel who regularly discuss corporate movements are currently the target of hacking group FIN4, which operates an unusually sophisticated phishing scam designed to steal insider information.
Instead of blasting out a generic email containing an equally generic link, the campaign first targets a single employee with a fake login dialog that tricks the user into entering his or her email credentials. The attackers then use that account to send email carrying malicious links to other employees in the company, who now receive them from a trusted internal sender. Once they hold access to the mailboxes, the attackers can read private correspondence about corporate mergers and acquisitions and trade on it before the market knows.
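The second stage described above leaves a signature that the firm's own mail logs can show: a mailbox that has just been signed into from somewhere unfamiliar suddenly pushes link-bearing messages to many colleagues within minutes. The following is an added example written for this page, not code from the article or from FireEye. It assumes a constructed key=value export from a mail gateway and a sign-in log, a made-up firm.example domain, a made-up set of "known" source addresses, and a window and recipient threshold that a real deployment would tune to the firm's normal traffic.

```python
"""Heuristic for the second stage of a FIN4-style intrusion: one compromised
mailbox used to push link-bearing mail to many colleagues shortly after an
unfamiliar sign-in.  Example code for this page; log format, domain and
sample lines are constructed, not taken from any real product or incident."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "firm.example"   # constructed domain for the example

# Constructed outbound mail-gateway export (one recipient per line).  jdoe's
# first two messages are ordinary; the burst from 09:01 is the pattern above.
SAMPLE_MAIL_LOG = """\
2014-11-12T08:40:10Z sender=jdoe@firm.example rcpt=asmith@firm.example links=0
2014-11-12T08:52:31Z sender=jdoe@firm.example rcpt=partner@client.example links=1
2014-11-12T09:01:03Z sender=jdoe@firm.example rcpt=asmith@firm.example links=1
2014-11-12T09:01:05Z sender=jdoe@firm.example rcpt=bjones@firm.example links=1
2014-11-12T09:01:06Z sender=jdoe@firm.example rcpt=clee@firm.example links=1
2014-11-12T09:01:09Z sender=jdoe@firm.example rcpt=dkim@firm.example links=1
2014-11-12T09:01:12Z sender=jdoe@firm.example rcpt=epatel@firm.example links=1
2014-11-12T09:02:40Z sender=jdoe@firm.example rcpt=fwong@firm.example links=1
2014-11-12T09:03:00Z sender=mroe@firm.example rcpt=all-staff@firm.example links=0
2014-11-12T09:10:00Z sender=mroe@firm.example rcpt=asmith@firm.example links=1
2014-11-12T09:45:00Z sender=mroe@firm.example rcpt=bjones@firm.example links=1
"""

# Constructed mailbox sign-in log.
SAMPLE_AUTH_LOG = """\
2014-11-12T08:30:00Z user=jdoe@firm.example src=198.51.100.20 result=ok
2014-11-12T08:58:41Z user=jdoe@firm.example src=203.0.113.77 result=ok
2014-11-12T08:59:10Z user=mroe@firm.example src=198.51.100.21 result=ok
"""

# Addresses the firm's users normally sign in from (constructed).
KNOWN_SOURCES = {"198.51.100.20", "198.51.100.21"}


def parse(log_text):
    """Yield (timestamp, {field: value}) for each 'ts key=value ...' line."""
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        yield ts, fields


def internal_link_bursts(mail_log, window=timedelta(minutes=10), min_recipients=5):
    """Return {sender: sorted distinct internal recipients} for every sender
    that mailed links to at least `min_recipients` distinct colleagues inside
    any `window`-long period.  Link-free mail and external recipients are
    ignored, so ordinary outbound correspondence does not count."""
    recent = defaultdict(deque)        # sender -> (ts, rcpt) events in window
    flagged = {}
    for ts, f in parse(mail_log):
        if f.get("links") != "1" or not f["rcpt"].endswith("@" + INTERNAL_DOMAIN):
            continue
        q = recent[f["sender"]]
        q.append((ts, f["rcpt"]))
        while q and ts - q[0][0] > window:
            q.popleft()                    # drop events older than the window
        distinct = {r for _, r in q}
        if len(distinct) >= min_recipients:
            flagged[f["sender"]] = sorted(distinct)
    return flagged


def unfamiliar_logins(auth_log, known_sources):
    """Return {user: [source IPs]} for successful sign-ins from outside
    `known_sources`; the stolen credentials have to be used from somewhere."""
    hits = defaultdict(list)
    for _, f in parse(auth_log):
        if f.get("result") == "ok" and f["src"] not in known_sources:
            hits[f["user"]].append(f["src"])
    return dict(hits)


def suspected_takeovers(mail_log, auth_log, known_sources):
    """Senders that both burst-mailed links internally and signed in from an
    unfamiliar address: the combination the second stage above produces."""
    bursts = internal_link_bursts(mail_log)
    logins = unfamiliar_logins(auth_log, known_sources)
    return {s: {"recipients": r, "sources": logins[s]}
            for s, r in bursts.items() if s in logins}


if __name__ == "__main__":
    for sender, d in suspected_takeovers(SAMPLE_MAIL_LOG, SAMPLE_AUTH_LOG,
                                         KNOWN_SOURCES).items():
        print(f"{sender}: links to {len(d['recipients'])} colleagues after "
              f"sign-in from {', '.join(d['sources'])}")
```

Run against the constructed logs, only jdoe is reported: mroe's two link messages are too far apart to fill the window, and mroe signed in from a known address. The obvious gap is pacing: an attacker who drips messages slowly stays under the threshold, which is why the sign-in correlation matters and why the window and threshold need tuning against real traffic rather than the values here.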
Data Breaches at Law Firms and Corporate Legal Departments
According to Darien Kindlund, Director of Threat Research at cyber security company FireEye, FIN4 has stolen information from 100 publicly traded companies, including multiple law firms. “Hackers go after law firms because certain firms hold very valuable financial information,” says Benjamin Wright, attorney and instructor at the SANS Institute’s Maryland Information Security Training Center.
While retailers hold customers’ personal records that hackers exploit for identity fraud, law firms hold information that directly affects business deals. For instance, China-based hackers attacked seven Canadian law firms to derail the acquisition of Potash Corporation of Saskatchewan Inc., the world’s largest potash producer, by Australian mining giant BHP Billiton; the attacks were reported by Bloomberg in 2012. Though the deal fell through for unrelated reasons, Bloomberg reported that such data could be worth tens of millions of dollars, given the advantage it offers in negotiating the terms of a deal.
Data hacks are also common with copyright law cases, where one side wants to gain access to the information its opponent will use in the lawsuit, says Michael C. Maschke, CEO of digital forensics firm Sensei Enterprises, Inc.
Some hackers are not after data at all, but simply cash. In February, the North Carolina law firm Goodson’s admitted that its entire cache of files had been encrypted by a ransomware attacker who demanded just a $300 ransom to restore them (the firm paid, but the files were never restored).
“The security holes and vulnerabilities at law firms are increasing, in part due to the greater number of law firms allowing users to bring their own devices to work,” says Maschke.
Point-and-click hacking tools that require little security knowledge can breach unsecured personal devices, and automated attacks that a managed company system would block may succeed against employees’ smartphones instead.
Compared to banks, which adhere to much stricter data security regulations, law firms represent an easier “back door” to the data a hacker is after. “Legal firms generally do not invest nearly as much as financial institutions, when it comes to security operations, technologies and processes. As a result, they are just as, if not more, vulnerable than the clients they serve,” says Kindlund.
Emphasizing Security from the Beginning
In March, The New York Times reported that many Wall Street banks had begun pressing their law firms to prove the security of their data systems. “Some major corporate clients have sent 70-page surveys to law firms asking for detailed info about their security,” Wright says. “If a law firm wants to work for a major client, it will be asked very difficult questions.”
Wright says that clients may demand proof that lawyers are trained in information security, or lay down rules on how their data may be accessed – for example, from encrypted high-end smartphones, or via a virtual private network (VPN) if the lawyer is away from the office.
Law firms that handle protected health information on behalf of a covered entity must, like any other business associate, comply with the Health Insurance Portability and Accountability Act (HIPAA), and those that store or process payment card data must similarly comply with the Payment Card Industry Data Security Standard (PCI DSS). Yet not all lawyers are aware of, or prioritize, such standards. “We still deal with lawyers who don’t think HIPAA applies to them because their firm is too small, even though they’re working on a personal injury case,” Maschke says.
According to Maschke, it is still uncommon for law firms to train staff in basic security practices such as communicating with or about clients only from secured devices, or never storing confidential files on unencrypted portable drives.
Information Security Engineers and the Future of Legal Security
This training would fall under a role such as the firm’s Information Security Engineer, a role Maschke predicts employers will increasingly demand in 2015 and beyond. A firm’s Information Security Engineer oversees the entire wired and wireless network, including developing the procedures for detecting and recovering from a data breach. He or she should be well versed in network security technologies, including preventive controls such as firewall configuration, wireless security and anti-malware tools, and in monitoring who has access to which data, as well as developing the security standards and best practices for the firm.
“With larger firms that have an internal IT department, it wouldn’t surprise me if it becomes a requirement that staff are also trained in data security,” says Maschke. Some firms are likely to make room for in-house information security staff, while smaller companies that may not have the budget will use independent vendors to provide similar services.
According to the Parker + Lynch 2015 Salary Guide, entry level Information Security Engineers in 2015 can expect an annual salary of $95,000-$110,000, while senior and managing engineers may be offered $150,000 and above.
“A large percentage of data breaches are not because of hacking,” Maschke says. “It can come down to misconfiguration of network equipment, unsecured or unencrypted mobile devices, saving data to non-secure third-party servers, employee theft, and human error.”
In September, an IT worker at the law firm Wilson Sonsini Goodrich & Rosati was arrested for insider trading based on stolen client data. Last month, a Seattle law firm working with the state’s public schools accidentally released over 8,000 student records, including test scores and special education plans, in an email to the guardian of one of the students. What makes matters harder is that there is currently no overarching security standard against which law firms can measure their systems.
However, Maschke believes that this will change as local and national bar associations issue rulings and opinions on data security. “Law firms will be forced to implement some of the recommendations, particularly if they’re dealing with medical records, social security numbers and other private information,” he says. “The more law firm data breaches are made public, the more it will change minds and attitudes.”
FireEye’s Kindlund recommends that law firms updating their security engineering deploy a virtual desktop infrastructure in which each client’s data is handled in its own separate, secured enclave. “This limits the overall risk that, when compromised, an attacker would have full access to data across all clients,” he says. “The challenge, though, is presenting a new system in a way that doesn’t impact the legal firm’s ability to conduct normal business functions—one of many reasons why the demand for security engineering roles will grow in the future.”
Qualifications for Data Security Personnel
As more law firms seek out dedicated data security personnel, job-hunters considering security engineering roles should check the certifications required for these positions. On the Parker + Lynch blog, employers advertising for Information Security Engineers are looking for training in CISSP, GIAC Security Essentials (GSEC) and ISO/IEC 27001 information security management, as well as certification as a Microsoft Certified Systems Engineer. Candidates are usually also expected to come with working knowledge of products and technologies such as Websense TRITON, IDS/IPS, Palo Alto Networks firewalls, Windows PKI, TACACS and SolarWinds Orion.
As technology increasingly allows off-site working, it is also imperative that information security personnel have experience with secure remote access, including virtualization and networking products from vendors such as VMware and Cisco, SSL/TLS-based VPNs, and MPLS wide-area networks.
In general however, job seekers with graduate degrees are in demand more than ever; 42% of employers surveyed for Parker + Lynch’s Salary Guide intend to hire more candidates with master’s degrees in management next year, while candidates with advanced degrees in accounting and finance are attractive to 37% and 32% of employers, respectively. And of course, the MBA is always in hot demand. Overall, jobs requiring a master’s degree are slated to increase to 18% of the market by 2022.
Up to speed?
At Parker + Lynch, our knowledge of the legal technology profession is unparalleled. We align top employers with top-of-the-line professionals in legal technology.