People engage in conversations over phones in public areas without a thought to who can overhear, or about the potential consequences. There is a blind faith that privacy is somehow granted by being surrounded by strangers. That sense of privacy is often justified; however, strangers don’t always equal safety.
Author–Kristi Perdue Hinkle
On the heels of the largest data breach on record, it is easy to say that data breaches have become big, and all too common, news. We see it flash across the screen daily: legal firm—leak, hospital—ransomware, government agency—hacked. Cyber security is no longer something just for financial organizations to worry about—it’s become a necessity for any organization that handles private, valuable and sensitive information to prepare for, including those in higher education.
In the last few years, multiple universities have been the victims of data breaches—University of California Berkeley, University of Virginia, University of Maryland, to name a few. In 2014 alone, 30 educational institutions experienced data breaches, with five of those schools experiencing larger data breaches than the Sony hack. Universities face a unique set of challenges when it comes to a data breach. As Paul Rivers, UC Berkeley’s CISO, noted, similar to a healthcare organization, schools cannot close if a major breach occurs, and network security on campus cannot be treated like that of a bank or technology company. Schools by nature are an open community, with a network shared by students, staff and even visitors—so closing vulnerabilities can be especially difficult.
Unfortunately, a data breach or IT outage is not the only type of emergency that universities must prepare for. In the wake of acts of terror, natural disasters and other reported campus safety concerns over the last decade, universities have a heightened call to action to protect campus staff and students. The ability to securely, efficiently and, when appropriate, confidentially correspond about emergencies is paramount to successful response and recovery.
So how can universities ensure that sensitive information and communications remain secure during an out-of-course event?
One way is the use of encrypted, secure, ephemeral messaging. Secure messaging enables executives, board members and staff (as well as students, for that matter) to communicate in a way that ensures that any sensitive information is protected. At its core, this works because the sender remains in complete control of anything he or she sends out. Messages cannot be forwarded, shared, saved, printed or screenshotted by the recipient, eliminating the risk of reputational damage or diminished trust. As an example, if a communication needs to be kept to a specific area of the campus to avoid panic during an emergency response, it can be; if a communication needs to be kept confidential to avoid media coverage during an emergency response, it can be; and if a hacker needs to be kept out of discussions concerning an emergency response to a breach, that too can be done.
For additional security, ephemerality means that any messages sent and received are automatically removed from both the sender’s and the receiver’s devices after a pre-defined expiration period, removing the risk caused by BYOD device loss and theft. With secure messaging apps that also support compliance, such as Vaporstream, a copy of the message can be archived in a single repository of record and stored behind a firewall for safekeeping to meet business and regulatory requirements.
In case of an emergency, secure messaging keeps sensitive communications going. This is especially critical for universities, given that schools cannot close when an incident occurs. Secure messaging provides a means to continue crucial conversations and to discuss mitigation, emergency response and recovery plans. Even where hackers or terrorists may have gained access to certain university information or communications, employees can rest assured that the conversations they are conducting via secure messaging are uncompromised.
In short, encrypted, secure, ephemeral messaging protects high level communications for universities at every step of the way—during day-to-day business communications for such things as discussing HR and IP as well as during out-of-course events where emergency response plans need to go into action. If you would like to learn more about secure messaging and Vaporstream’s solution you can download our white paper or contact us.
Author–Kristi Perdue Hinkle
The revelation last week that 11.1 million confidential client documents were compromised at a Panamanian law firm is a mammoth triggering event for the legal industry. Legal is next up to feel the hot glare of the cybersecurity spotlight, following on the heels of healthcare, retail, banking, entertainment and government headline-making cyber-attacks. At 2.6 terabytes of data on business transactions of global public figures, the Panama Papers leak is the largest data breach ever.
A Call to Action.
The notion that law firms are soft targets for hackers is not new. In 2012, the FBI warned major US law firms: hackers see attorneys as a back door to their corporate clients’ valuable data. According to the head of the FBI’s New York cyber division, “[a]s financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.”
Despite this warning, many law firms have been complacent about developing a cyber security plan for their firm. Unlike in other industries, most law firm breaches have been kept private in the past; however, that does not mean they have not occurred. In fact, some estimate that 80% of the AmLaw 100 firms have been breached. Recent headlines revealed that hackers gained access to networks at Cravath, Swaine & Moore and Weil, Gotshal & Manges, two prominent New York firms. Cravath acknowledged a “limited breach of its IT systems” in 2015. Law firms holding client healthcare information, banking information and personal information such as social security and license numbers and credit card numbers are prime targets for hackers. In the last few years, Chinese hackers have infiltrated major law firms to gain advantages in M&A and trade export matters, for example. Law firms, similar to the healthcare industry, have experienced ransomware attacks, where bad actors break into networks and encrypt files, demanding money for the key to decrypt the files. Ransomware attacks have become so common that we recently blogged on the outbreak in 3 Ways to Avoid Becoming a Cyber Hostage.
The Panama Papers, however, just shattered the delusion that the law firm and its clients could remain in the background of the cyber breach media frenzy. With a breach at this scale, and the associated scandal, you can bet that it is creating a new level of awareness and lighting a fire under managing partners across the globe.
In order to remain competitive, law firms will be required to beef up their security and governance programs and to do it now. “I want an assessment of your cyber-security program on my desk by Friday,” is a phrase likely uttered by many general counsel to their law firms this past week. How law firms react to this call for action will make or break many firms as they move forward under this new post-Panama Papers world.
With the “breach of all breaches” highlighting law firm security, law firms must act now to secure all client content and forms of communication, including mobile communications. Those that don’t will jeopardize the sensitive data that their clients entrust to them. At a time when cyber-criminals are targeting law firms, a lackluster response can expose clients to identity theft, loss of intellectual property, personal embarrassment, harm to corporate brand and, as we are seeing in the Panama Papers, government investigation and litigation risks. Clients will demand better.
Law firm InfoSec and IT teams must rapidly establish a strategy and security protocols to satisfy increased client concerns and scrutiny of document and client communications. Your cyber security strategy should include security protocols that reinforce client confidentiality, governance policies, back-up and recovery as well as breach notification.
Firms must secure documents, emails, desktops, mobile devices (such as smartphones, laptops and tablets) and, of course, the network, systems and applications. Encryption is now a must for data at rest and in transit, as are annual third-party security assessments and information governance policies. Vendor security protocols should be double-checked, especially if they touch personally identifiable information (PII) or personal health information (PHI), both considered extremely valuable on the black markets where hackers reap profits.
Firms must implement breach incident response plans, intrusion monitoring and detection, and technology to track unusual downloads. Importantly, firms must constantly update and educate lawyers and staff on hackers’ ploys such as phishing, back door attacks, bots, denial-of-service and other threats, including a rise in malicious browser extensions that collect data every time a user opens a compromised webpage, according to the Cisco 2016 Security Report.
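The “technology to track unusual downloads” mentioned above does not need to be exotic. The script below is an added example, not Vaporstream’s code or any product’s detection logic: it reads a constructed document-management audit log (the line format is an assumption) and flags any user whose daily download count jumps far above that user’s own history, with an absolute floor so a handful of files never triggers an alert.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log (one line per download; the format is hypothetical):
# "<ISO timestamp> <user> DOWNLOAD <document id> <bytes>".
# Three ordinary days, then an early-morning burst by "pat" on the fourth day.
SAMPLE_LOG = """\
2016-04-04T09:12:01 lee DOWNLOAD doc-1001 20480
2016-04-04T10:30:44 pat DOWNLOAD doc-1002 10240
2016-04-04T14:02:10 lee DOWNLOAD doc-1003 51200
2016-04-05T08:45:00 pat DOWNLOAD doc-1004 30720
2016-04-05T11:20:37 lee DOWNLOAD doc-1005 10240
2016-04-05T16:00:12 pat DOWNLOAD doc-1006 20480
2016-04-06T09:00:00 lee DOWNLOAD doc-1007 40960
2016-04-06T13:10:55 pat DOWNLOAD doc-1008 10240
2016-04-07T02:14:03 pat DOWNLOAD doc-2001 512000
2016-04-07T02:14:09 pat DOWNLOAD doc-2002 512000
2016-04-07T02:14:15 pat DOWNLOAD doc-2003 512000
2016-04-07T02:14:21 pat DOWNLOAD doc-2004 512000
2016-04-07T02:14:27 pat DOWNLOAD doc-2005 512000
2016-04-07T02:14:33 pat DOWNLOAD doc-2006 512000
2016-04-07T02:14:39 pat DOWNLOAD doc-2007 512000
2016-04-07T02:14:45 pat DOWNLOAD doc-2008 512000
2016-04-07T02:14:51 pat DOWNLOAD doc-2009 512000
2016-04-07T02:14:57 pat DOWNLOAD doc-2010 512000
2016-04-07T02:15:03 pat DOWNLOAD doc-2011 512000
2016-04-07T02:15:09 pat DOWNLOAD doc-2012 512000
2016-04-07T10:05:00 lee DOWNLOAD doc-1009 30720
"""


def parse_log(text):
    """Parse audit lines into (day, user, doc_id, size) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "DOWNLOAD":
            continue
        timestamp, user, _, doc_id, size = parts
        try:
            records.append((timestamp[:10], user, doc_id, int(size)))
        except ValueError:
            continue  # unparsable byte count: ignore the line rather than crash
    return records


def daily_activity(records):
    """Return {user: {day: [count, total_bytes]}} aggregated from parsed records."""
    activity = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for day, user, _doc_id, size in records:
        activity[user][day][0] += 1
        activity[user][day][1] += size
    return activity


def find_unusual_downloads(text, z=3.0, min_count=5):
    """Flag (user, day) pairs whose download count exceeds the user's own prior-day
    baseline by more than z standard deviations. min_count is an absolute floor so
    that users with a short or flat history are not flagged for a few files."""
    alerts = []
    for user, days in daily_activity(parse_log(text)).items():
        ordered = sorted(days)  # ISO dates sort chronologically as strings
        for i, day in enumerate(ordered):
            count, total_bytes = days[day]
            prior = [days[d][0] for d in ordered[:i]]  # rolling baseline: earlier days only
            if prior:
                threshold = max(mean(prior) + z * pstdev(prior), min_count)
            else:
                threshold = min_count  # no history yet: rely on the floor alone
            if count > threshold:
                alerts.append({"user": user, "day": day, "count": count,
                               "bytes": total_bytes,
                               "baseline_mean": round(mean(prior), 2) if prior else None})
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_downloads(SAMPLE_LOG):
        print(alert)
```

On the sample log only pat on 2016-04-07 is reported (12 downloads against a baseline of about 1.3 per day); lee’s steady activity never crosses the floor. In practice the per-user baseline would be read from a longer history and the alert routed into the firm’s incident response process, but the per-user comparison, rather than one global limit, is what keeps a busy litigation team from drowning the alert in noise.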
“Our external-facing Internet sites are probably getting hit 400 to 500 times a week by third-party bots or denial-of-service attacks. That kind of activity is the new normal and it’s hitting everybody.” CIO, AmLaw 100 firm, 2014
Not all law firms are new to the expectation of increased security. Banks have audited Big Law firms on security protocols for a number of years now, often sending thick questionnaires and onsite auditors to inspect the firms’ data centers and protocols. Afterwards, the law firms are often required to implement new security measures and investments. Many clients now include security requirements in “outside counsel guidelines” that their law firms must sign and execute. An ABA article offers key steps to survive a client cyber-audit and is a good place to start when planning for future requirements.
Heed the Spotlight.
The Panama Papers breach has put an intense spotlight on law firm data security that will not fade anytime soon. Like the Snowden revelations, the fallout from this ethical hack will go on for months to come if not years. As public figure resignations, tax evasion investigations and litigations mushroom, we will continue to uncover the depth of this breach and its cause. Every time a corporate counsel hears another news bite, they will ask their law firm for a security update and stricter guidelines for audits will be created.
Firms need to get ahead of the curve and invest in policies and technologies to improve their security posture. The risk to your clients’ and your firm’s reputation is simply too huge to ignore.
To find out how Vaporstream can help law firms better address their security posture, contact us.