An Inside Look At Insider Threats (Part I)

How can law firms help clients mitigate the risk of bad actors inside their own organizations?


Ed. note: In Part I of a two-part series on insider threats, Gabriel M. Ramsey (a partner in the San Francisco office of Crowell & Moring, where he focuses his practice on complex litigation involving intellectual property and cybersecurity) helps me explore how law firms can help clients proactively mitigate the risk of bad actors inside their own organizations, and how law firms themselves tackle the ever-present insider threat. In Part II, we will look at the issue from the viewpoint of a security professional.

First off, with one out of four law firms a victim of a data breach, are there particular security vulnerabilities in law firms which are unique to the industry?

GR: Lawyers already have the confidentiality clause to abide by, so the bar is already high.  Lawyers know they must conform with attorney-client privilege.  They know they have valuable information in their possession, so security and privacy conversations with employees are generally easier. But law firms are always going to be a target of many different types of digital adversaries because they have secrets on so many types of companies.  Firms have the type of information that sophisticated actors will invest time and resources to obtain.  For example, in recent years we’ve seen more examples of calculated breaches where organized crime groups are hacking into the networks of law firms to steal high-value data and then trade on it.

With insider attacks on the rise, there is a need for increased vigilance which seems at odds with creating an open and trusting culture.  What’s your take?

GR: It’s important to understand who your company engages with, whether those are employees or supply-chain partners.  The saying, “know your customer” applies here.  Know your employee base.  Employees have daily and pervasive access to more highly effective digital tools to do things that aren’t socially productive than ever before.  The average smartphone or work laptop is an excellent tool for stealing data.  The average mid-level employee has access to a lot of information, but they aren’t in a decision-making role so management isn’t looking at them.  I wouldn’t say that employers are ignoring the situation but, given how easy it is to move digital data and the availability of tools to do so, there is almost an unavoidable need for more scrutiny and monitoring of people and activities.  But this might be perceived as working against an open and trusting culture.  Many firms now have data loss prevention technologies (DLP) and similar tools which help ensure that sensitive data is not exfiltrated, lost, misused, or accessed by unauthorized users.  Yet there’s uncertainty as to how much monitoring to do, even if it’s completely legal.

How can a firm strike a balance with monitoring?


GR: Companies don’t avail themselves of technical monitoring as much as they could.  The way to resolve it is to bring employees along on the information protection mission and to be pretty up front about use of technical tools.  You can have a conversation with employees that doesn’t make them feel as if there’s a big brother problem and that everyone’s on the same page. It’s pretty easy to keep tabs on a company’s digital domain in a way that’s never been possible before.  But companies often don’t deploy DLP or similar tools, or they mis-deploy tools such that they aren’t as effective as they can be.

The main thing for the lawyers managing risk regarding sensitive data and IP is to have a dialogue with and align with the security and IT functions in the organization. For example, from a technical standpoint it is important to configure DLP so that it’s looking at traffic around high-value IP, which depending on the tool, may be through keyword or heuristic-based techniques.  You don’t need to monitor all web-browsing activity but at least all packets leaving the network from ports and devices which contain the highest-value content in the company.  In a pharmaceutical company, for instance, lab notebooks might be such an example.  Embedding watermarks or tracking technology in those documents can provide a great ROI as well. In law firms, client documents containing internal trade secrets would be another example of IP you need to protect with DLP.  What’s important is that the legal risk managers, in law firms or otherwise, fully understand the options and integrate them thoughtfully into a risk management strategy.

We hear a lot these days about state-sponsored actors and nation-states hacking into our government offices and large corporations.  Is that threat also a problem in the legal industry?

GR: These definitely happen and they are often very hard to detect.  In terms of volume, I believe that the most severe examples of this type of thing are edge cases which occur when the IP is extremely valuable.  But they are unfortunately high injury and high-risk cases. Lawyers must absolutely plan for them.  What I see mostly is good old-fashioned angry employees or commercial motivation to steal ideas and profit from them.  The problem with state-sponsored actors is that it’s a much more sophisticated type of attack.  It’s harder to see what’s going on because the bad actors have a specific agenda and resources to hide their tracks.  They also have patience.  It’s not just a matter of looking at employee accounts and devices for obvious indicators of theft when they leave the company.  To combat sophisticated state-sponsored actors, you’ve got to compile a lot of little details over a lengthy period of time and across contexts to see the patterns.  This brings us back to the hard question of how much monitoring of people and activities you need.

Let’s talk about BYOD, which is endemic in most industries.  How do you guide clients on setting policies for security in this environment?


GR: You need to have good contracts and policies in place, which employees must sign or agree to.  There are a lot of nuances technically.  If you’re talking about an employee-owned device remotely accessing accounts over an unsecured network, you can just cut off access.  What about an employee bringing home a USB device loaded with documents?  Do you need some form of legal order to obtain that device from the home?  It’s important to think through all these scenarios thoroughly, considering the borders for employee rights and where the company is going to draw the line.  But, good clear contracts with employees, detailing rights and obligations, can make this easier when issues arise.

Does the court system support these types of contracts?

GR: I think U.S. courts would respond favorably and enforce contracts that draw clear lines regarding BYOD issues.  I’m not sure about the cross-border situation in every country, but I am aware that in Europe there are more stringent employee protection regulations. So, options may be limited outside the U.S.  Even here in the U.S., some states have started enacting legislation that places limits on employer access to computing facilities.  For example, California has a specific statutory limitation on employers requesting employee credentials for their social media accounts.  We might see more states start to limit what employers can do through contract, in terms of technical access or monitoring.  That could make a problematic situation more problematic.

What do you advise organizations in light of increasing security threats from actors inside their networks?

GR: The technology piece of monitoring is one aspect, but it’s also about educating the workforce and reinforcing a culture that says we are all in this together.  It’s not about being autocratic. It’s about staying alert and realizing that the capabilities of bad actors are entirely dictated by the technical tools they are using to attack or steal.

Technology can even catch innocuous behavior that poses risk to IP.  I had a client which had systems containing very sensitive, highly regulated information.  A couple of employees had installed a browser plugin to perform innocuous spell-checking, using a cloud-based service. The plugin somehow got around the technical defenses that prohibited installing outside applications, but because the company was doing so much monitoring, the security team could see, in real time, sensitive internal documents going out to this odd server on the Internet.  The security folks caught it right as information was being exfiltrated out of the company and were able to find the employees and shut it down immediately.  While in this case nothing nefarious was going on, if it had been a bad actor, the ability to see this type of suspicious behavior quickly gives a company lots of options so they can begin investigating and mitigating risk before a ton of information has been leaked.

In short, get the lawyers and the technologists on the same page, procure the right technologies for protecting your systems and data, apply it to the most important areas, and get your team on board to understand the importance of protecting client data and intellectual property — the lifeblood of the business.
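The scoped DLP approach Mr. Ramsey describes (keyword and heuristic matching applied only to traffic leaving the devices that hold the highest-value content), worked through on the spell-check-plugin incident he recounts, as an added example that is not part of the interview or of any DLP product; the host names, approved destinations, keyword list, matter-number pattern and sample events are all constructed for illustration.

```python
"""Toy egress monitor illustrating a scoped DLP rule set.

Constructed data only; this is not a real DLP product. An outbound transfer is
flagged when (1) it originates from a host designated as holding high-value
content, (2) its destination is not on the approved list, and (3) the content
matches a keyword or heuristic rule for sensitive material.
"""
import re
from dataclasses import dataclass

# Constructed: hosts holding the highest-value content (cf. lab notebooks, client files).
HIGH_VALUE_HOSTS = {"lit-docs-01", "lab-notebooks-02"}
# Constructed: destinations the business has approved for outbound documents.
APPROVED_DESTINATIONS = {"mail.example-firm.com", "edocs.example-firm.com"}
# Keyword rules (constructed): privilege markers and trade-secret phrasing.
KEYWORDS = ("attorney-client privileged", "confidential", "trade secret")
# Heuristic rules (constructed): client-matter numbers like 48213-0007, SSN-shaped tokens.
HEURISTICS = {
    "matter_number": re.compile(r"\b\d{5}-\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

@dataclass
class Egress:
    src_host: str
    dst_host: str
    process: str
    payload: str  # content sample as seen by the egress sensor

def classify(event: Egress) -> list[str]:
    """Return the names of rules fired for one event; [] means no alert."""
    if event.src_host not in HIGH_VALUE_HOSTS:
        return []  # scope to high-value sources rather than all browsing
    if event.dst_host in APPROVED_DESTINATIONS:
        return []  # sanctioned channel for documents
    text = event.payload.lower()
    fired = [f"keyword:{k}" for k in KEYWORDS if k in text]
    fired += [f"heuristic:{n}" for n, rx in HEURISTICS.items() if rx.search(event.payload)]
    return fired

def review(events: list[Egress]) -> list[dict]:
    """Collect only the events that fired at least one rule, for analyst triage."""
    return [{"src": e.src_host, "process": e.process, "dst": e.dst_host, "rules": r}
            for e in events if (r := classify(e))]

# Constructed sample events; the first mirrors the spell-check plugin incident.
SAMPLE_EVENTS = [
    Egress("lit-docs-01", "spellcheck-cloud.example.net", "browser-plugin",
           "ATTORNEY-CLIENT PRIVILEGED draft re matter 48213-0007"),
    Egress("lit-docs-01", "edocs.example-firm.com", "edocs-sync", "Trade secret appendix B"),
    Egress("reception-pc", "spellcheck-cloud.example.net", "browser-plugin", "Confidential lunch menu"),
    Egress("lab-notebooks-02", "static-cdn.example.org", "browser", "weather forecast for Friday"),
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print(alert)
```

Only the first event is flagged: the approved sync channel, the non-high-value desk PC and the benign browsing from a lab host all stay quiet, which is the point of scoping the rules rather than monitoring everything.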


Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm.  She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years.  You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.