In the first of a series of “Back to Basics” articles, adapted from the Cybersecurity for Lawyers wiki he has recently started, Neil Brown sets out some of the first steps that law firms should consider when putting in place their own cybersecurity policy, touching on why it is important, how to assess the threats, and how to document policies.
Thinking about security
Be realistic, and think about client experience
Security is important. So is client experience.
Some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information — the likelihood of harm, or the severity of the harm, does not justify the intrusion or inconvenience.
There comes a point at which providing security makes it more difficult for the client to work with you, contrary to their best interests.
You are never going to be “perfectly secure”
Even if it were possible to protect against every possible attack while still being able to do your job – and I suspect that, technically, that’s simply not the case – it is not going to be affordable to do so.
If anyone insists that you must be perfectly or absolutely secure, they are asking you to do something which is unachievable.
What's important is that you are adequately protected against the realistic risks facing you.
Talk to your clients
If your clients are themselves experts, consider letting them take the lead.
If you act for a tech-aware client, who you know uses encryption for some communications, and they send instructions by unencrypted email, it may be reasonable for you to respond in kind.
Likewise, if they send encrypted attachments, you likely want to do so as well.
(You might always want to offer encrypted communications, so that less tech-aware clients realise that this is an option.)
Security is ongoing
Threats change, and the means of protecting against those threats changes. Security is an issue which you are going to need to continue to address, as one of the many ongoing responsibilities of being a lawyer.
If you are hoping that you can do something, put a tick in a box, and move on, never to think about it again, you’re going to be disappointed.
If you can get to a place where you are routinely identifying the threats which you are most likely to face and taking precautions against them so that you remain “secure enough”, you are probably doing pretty well.
If you get nothing else from reading this, hopefully it will be an encouragement to think about the kind of threats that you and your clients might face, and the types of mitigations and defences which might be available to you.
Threat modelling: risk identification and prioritisation
This section sets out a basic approach for contemplating cybersecurity.
The aim is to stop you from running out and buying whatever product some shiny suited salesperson might be promoting, but rather to think about your security needs holistically, so that you spend your time, money and effort where you can get the best results.
You’ll sometimes see this described as “threat modelling” or understanding your “risk scenario”.
What are you trying to protect?
The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future.
Let’s consider some different examples.
A normal domestic conveyancing transaction may not be of particular interest to an overseas government’s intelligence service but may be very much of interest to someone hoping to steal the buyer’s funds.
If you are working on litigation against a government, might that government have an interest in trying to understand your case before it is formally presented? One would hope not, of course.
Could you simply be the weak link in the chain, which someone wants to break to gain access to the information which you hold? Some useful insider information which might affect a share price, for example, or designs for a new or improved product?
Do you hold information about someone which might be valuable from the perspective of blackmail? Or of interest to the media?
Information useful to a competitor of a client?
Or could it be that the information you hold about a client might be useful in some other attack – someone wanting to get into the client, to exploit what information they have, and getting names and addresses and contact details from you is an easy way to do that?
Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, expert legal advice? Threats to this might be more casual — someone reading over your shoulder on a train, for example, or listening in on a phone call you are having in a public place.
Create an information asset register
In a spreadsheet, list every device and service you have which stores data — computers, phones, external hard drives, USB keys, servers, online services, and potentially even printers and scanners.
Against each device and service:
Keep this up to date, amending it as you add and remove devices from your firm.
Who is your threat?
Is your attacker motivated, and focussed on you? Do they have lots of resources at their disposal? If so, chances are you are going to need substantial security measures, and probably professional assistance.
Perhaps you are just of passing interest and, if you have “good enough” security, the attacker will simply find another target — a less secure law firm, more vulnerable to their attack, for instance.
Perhaps it is not even an “attacker”, but rather a fellow commuter, or someone else present in the place you are working. What about private companies tracking what you do online? Are you happy if the operator of your favourite coffee shop’s Wi-Fi network is keeping an eye on what cases or statutes you are researching, or sites you visit, or even your communications with clients?
How are you vulnerable?
Once you’ve identified why you might be of interest, and who you might be defending against, the next step is to identify how you might be vulnerable.
You might find the European Union Agency for Cybersecurity's threat report to be useful in identifying key threats.
Prioritise your response
Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them.
A simple means of prioritisation is to multiply the likelihood of a bad thing happening by the impact if that bad thing does happen.
Something which is likely to be exploited, and which would cause a high level of harm, is a greater priority than something either unlikely to happen, or which is unlikely to cause much harm if it did happen.
Bear in mind that some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information — the likelihood of harm, or the severity of the harm, does not justify the intrusion or inconvenience. There comes a point at which providing security makes it more difficult for the client to work with you, contrary to their best interests.
Write it down
You might find it useful to write this down, so that you have a register of threats and risks, with reasons why you have included, or excluded certain things.
Make this a regular thing
You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently, depending on the likelihood of a risk arising, and the severity of the impact if it did.
If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that.
If you have a compliance calendar, to help you meet your numerous regulatory obligations, add perhaps a quarterly or half-yearly action to review your risk categorisation and your security measures.
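As an added example (not part of the article or the wiki it is adapted from), the threat register, the likelihood-times-impact prioritisation and the regular review described above, as a small Python risk register: each entry records the asset, the threat, a 1 to 5 likelihood and impact score and the reason it is included or deferred, entries are sorted by likelihood multiplied by impact, and the review interval tightens when a high-scoring risk is present. The sample entries, the 1 to 5 scale and the quarterly/half-yearly thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SCALE = range(1, 6)  # assumed scale: 1 = lowest, 5 = highest, for likelihood and impact

@dataclass
class Risk:
    asset: str        # an entry from the information asset register
    threat: str       # who or what you are defending against
    likelihood: int   # 1 (rare) to 5 (almost certain)
    impact: int       # 1 (negligible) to 5 (severe)
    rationale: str    # why it is included or deferred, for the written record
    in_scope: bool = True

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently distort the ranking
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1-5")

    def score(self) -> int:
        # The article's prioritisation rule: likelihood multiplied by impact
        return self.likelihood * self.impact

def prioritise(risks):
    """Return in-scope risks, highest likelihood x impact first (ties keep input order)."""
    return sorted((r for r in risks if r.in_scope), key=lambda r: r.score(), reverse=True)

def next_review(last_review: date, risks) -> date:
    """Assumed policy: review quarterly if any in-scope risk scores 15 or more,
    otherwise half-yearly."""
    top = max((r.score() for r in risks if r.in_scope), default=0)
    return last_review + timedelta(days=91 if top >= 15 else 182)

# Constructed sample register for a small conveyancing practice
SAMPLE_RISKS = [
    Risk("Client email", "Fraudster diverting completion funds", 4, 5,
         "Payment-diversion fraud is common in conveyancing; confirm bank details by phone"),
    Risk("Laptop on the train", "Fellow commuter reading the screen", 3, 2,
         "Frequent but low harm; privacy screen, no client files open in public"),
    Risk("Coffee shop Wi-Fi", "Network operator observing research and client traffic", 3, 3,
         "Use the firm VPN or mobile data instead of public Wi-Fi"),
    Risk("Litigation files", "Foreign intelligence service", 1, 5,
         "Deferred: no matters against governments on the books this year", in_scope=False),
]
LAST_REVIEW = date(2024, 1, 15)  # constructed date of the last appraisal

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.score():>2}  {r.asset}: {r.threat}  ({r.rationale})")
    print("next review due:", next_review(LAST_REVIEW, SAMPLE_RISKS))
```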
Documenting policies and processes
Documenting for compliance
As a general rule, most regulators like to see documented policies and processes. They prove that you have thought things through — even if not perfectly — and at least attempted to address them.
Clearly, if what you have done is negligent, you are perhaps creating even more of a mess for yourself by putting together a nice paper trail of it, but if you are reading this site, and thinking about your own and your firm’s cybersecurity needs, you probably aren’t the highest risk in this regard.
If you can set out what your policy is, who is responsible for it, and document your processes and controls, review them regularly, and keep a note of what you’ve reviewed and when, you’re likely to be heading in the right direction.
If you have staff, there’s likely to be an expectation of training them and keeping them informed of changes, and a record of ongoing training can be useful too.
Remembering why you made a decision
I also find it useful to record reasons why I have made decisions.
In some cases, the reasoning behind a decision might be obvious. But if you weighed up various factors, and reached a risk-aware conclusion, you might want to set out what you considered and why you came to the conclusion that you did — even if just so that, in future, when you are trying to remember why you did something, or didn’t do something, you can get back to the state of mind you were in when you made the decision.
But documenting things has benefits beyond regulatory compliance.
Writing to aid your thinking
Writing things down forces you to think things through, and question why you have taken particular decisions:
In some cases, having a handy reference guide as to what you’ve decided to do in a particular situation may be the difference between absolute panic and, well, slight panic, if something does go wrong.
If you’ve documented the procedure for wiping a lost mobile device, for example, you don’t need to remember things in the heat of the moment: you just work through your document.
Getting an accreditation
If you want more than your own documentation, you might consider an accreditation for cybersecurity.
Read more at cybersecurityforlawyers.org
Neil Brown is Director of decoded:legal, a telecoms, technology and Internet law firm. @neil_neilzone