The average law firm holds a vast amount of sensitive information on its clients – both personal and financial – all of which would prove invaluable to those of a criminal persuasion. In the rush to offer their clients an easier way of working with them, law firms may be overlooking the security risks that accompany the latest collaboration technology.
According to a recent PwC report, however, most of the top 100 law firms now use digital collaboration tools to improve communication with their clients but while these tools undoubtedly support operational efficiency – not to mention improving the relationship between a law firm and its clients – they also pose a risk to security.
The same report also found that three in five law firms suffered a security incident in 2018, the implications of which are huge. According to the NCSC, more than £11 million of client money was stolen by cyber-criminals between 2016 and 2017.
Visibility into the cloud
Many people believe the threat to their information comes from external actors when, in fact, their gaze should be turned inward. Indeed, ‘accidental online leaking and misconfigured services and portals’ has now been responsible for exposing the largest number of records for two consecutive years, ahead of hacking.
Of all cloud-based apps used by a business, any that promotes file-sharing functionality will typically be regarded as being at greatest risk of data exfiltration. While it might be easy to mitigate this risk by identifying and blocking such apps, it would hardly be beneficial to a firm’s client relationships.
Instead, a law firm’s IT admin might assign risk to an entire cloud application, thereby identifying and acknowledging a potential vulnerability. A more thorough approach would be to apply appropriate risk levels to the various possible actions within that app, restricting an individual user’s access to only those functions relevant to their role or specific need.
To do this you would need to deploy a Cloud Access Security Broker (CASB). After all, it might not always be necessary to edit or download files – simply being able to view a document will often suffice.
By maintaining visibility and control over how documents are shared in this way, law firms can directly circumvent the number one cause of how sensitive information can be exposed during the collaboration process – human carelessness.
Don’t shoot the messenger
According to the PwC report, around half of law firms use mobile apps to collaborate directly with their clients. Unfortunately, the use of such apps creates the perfect conditions for the accidental sharing of sensitive information.
Any workplace training in data security an employee has the propensity to be instantly forgotten when using consumer apps such as WhatsApp, Telegram and Facebook Messenger. Years of unconscious behavioral conditioning combined with a UX based on interaction means that most users are pre-disposed to share as much and as often as possible.
When used on a mobile platform, these apps will often be deeply integrated with commonly used cloud-based business tools that hold confidential information. As a result, potentially sensitive documents can be shared with a single swipe.
This hasn’t gone unnoticed by the criminal fraternity. WhatsApp phishing, for example, in which criminals impersonating a trusted entity will ask for sensitive client or business information, is becoming an increasingly common technique. Given the medium, many recipients of such a message won’t question its validity.
It’s not just limited to WhatsApp. The same approach can be used on Telegraph, Facebook Messenger, even Tinder, so blocking everything won’t make the problem go away. Instead, granular monitoring is required to provide IT teams with an understanding of the different specific actions that touch their firm’s information, such as sharing files or clicking links inside messages. Preventing these actions from occurring in the first place is by far the most effective way of addressing the problem.
Using cloud-based digital collaboration tools and mobile apps offers many efficiency and customer service benefits, a fact that law firms have now woken up to. It’s worth remembering, though, that criminals are also acutely aware of their appeal. Blocking employees from using these apps would be counter-productive – sharing is human nature, after all. But with the application of careful thought, insight, and the right monitoring, the legal profession should soon lose less information to accidental online leaking.
This is already an approach that the legal profession, and many industries, adapt for email and web security. Now cloud applications are as prevalent and, in many cases, replacing the traditional work function of email and web – security practices also have to be updated to address this new reality.