(Article originally published on Legaltech News by Ricci Dipshan, August 22, 2016.)
The following is part two of a two-part series addressing outside counsel’s vulnerability to email-related cyberattacks and breaches. Part one discussed the specific legal and IT risks that law firms face when communicating with clients with inadequate data protection.
In corresponding with clients via email, law firms expose themselves to an array of risks, including data breaches, unauthorized use of privileged content and cyberattacks on their own servers and systems. And in the face of recalcitrant or unable clients, the responsibility of securing email communications and all its related risks falls on law firms’ shoulders.
But how exactly can firms go about protecting themselves from “spillover” cyber risks? Here are three innovations that can help legal defend its flanks:
1. Encrypted Email Portals
When securing emails, encryption would seem like the first go-to defense. But many often shun the technology, because traditionally it has been thought “of as very clunky to implement, requiring a lot of hands-on work from the participants and users to manage keys,” said Jacob Ginsberg, senior director at email encryption and security firm Echoworx.
However, this is far from the current case, he added, citing a “new generation of encryption” where security companies “do all the key management on behalf of the [law firm].”
This new generation includes encrypted email portals, which exist separately from a primary email system and can streamline the encryption process by automating access and limiting use to a select group of authorized users.
Gregory Abrenio, director of Cyber Armed Security, explained that while expensive, these portals offer a high level of security, where every communication is “automatically encrypted so every message that flows to that system is locked down and no one else can access it.”
These portals can also be designed to “feel very much like a normal email exchange,” said Ginsberg. “There are no real extra steps for the sender in the law firm, and just a simple web mail interface for the recipient.”
He added that if need be, the portal can also be hosted outside a law firm’s IT infrastructure, in a third party “neutral territory” where “you can have a webmail that everyone logs into.”
2. “Ephemeral Messaging”
Isolating and encrypting emails through a dedicated channel still leaves a paper trail, which of course can be necessary due to legal and regulatory retention demands. But for those who do not need to keep records, making sure emails are deleted shortly after they are opened is an even more secure way to ensure those emails never end up in the wrong hands.
Abrenio noted that some modern security solutions “use temporary emails that will evaporate after certain usage. They combine encryption and they [create a separate communication channel] so no one can steal the keys or passwords.”
Email security firm Vaporstream, for example, recently launched a proprietary communications solution deemed “ephemeral messaging” that erases all correspondence after a set time limit. The technology can prove pivotal when handling highly sensitive content, or during incident responses after a law firm or its client systems have been compromised.
Liz Lederer, Vaporstream’s senior vice president of channel sales, previously told Legaltech News that “during times of incident response, it’s critical for conversations to remain between those remediating the situation, and we’re able to do that by keeping messages encrypted and enabling cross-device interactions without the risk of unauthorized sharing or storing.”
3. Scanning Solutions
No matter what email solution a law firm uses, there is still always a chance of an email-based attack or infiltration. That is why, on top of secure channels, law firms should also proactively watch both what comes into and what is sent out of their primary email systems.
To this end, Echoworx has a solution that “will make sure that all emails leaving an organization are scanned for sensitive information, and just what is sensitive information is left up to the law firms to decide,” Ginsberg said. “That can help flag sensitive information leaving the law firm unsecured, and that’s just a bare-bones compliance step.”
Firms can also hide their email servers behind another server layer, which gives them protection against distributed denial-of-service (DDoS) attacks, as well as the ability to track and flag suspicious emails.
Avi Solomon, director of information technology at Rumberger Kirk & Caldwell, previously told Legaltech News that his firm uses such technology to filter out emails from newly registered domains or ones not associated with the firm or their clients, a telltale sign of phishing email cyberattacks.
Scanning solutions are essentially a firewall within an email server, a necessary part of email security, given the furtive techniques of cybercriminals. In this day and age, no communication, whether it appears to come from an internal colleague or an external client, should be trusted at face value.
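The two checks described in this section, sketched as an added example (not code from the article or from any vendor or firm it names): an inbound check that flags senders whose domain is unknown to the firm or newly registered, and an outbound scan for firm-defined sensitive content. The domain names, registration dates, age threshold and patterns are constructed for illustration, and the static table stands in for a real domain-registration lookup.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for illustration.
KNOWN_DOMAINS = {"firm.example", "client.example"}  # the firm and its clients
REGISTERED = {                                      # stand-in for a WHOIS/RDAP lookup
    "client.example": date(2009, 3, 14),
    "c1ient.example": date(2016, 8, 18),            # look-alike of the client domain
}
MIN_AGE_DAYS = 30                                   # assumed threshold for "newly registered"
# What counts as sensitive is the firm's decision; these patterns are placeholders.
SENSITIVE = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "privilege_marker": re.compile(r"attorney[- ]client privileged", re.I),
}

def sender_domain(msg):
    """Lower-cased domain part of the From header ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def inbound_flags(raw, today):
    """Return reasons to hold an incoming message for review."""
    domain = sender_domain(message_from_string(raw))
    flags = []
    if domain not in KNOWN_DOMAINS:
        flags.append("unknown_domain")
    registered = REGISTERED.get(domain)
    if registered is None:
        flags.append("no_registration_data")
    elif (today - registered).days < MIN_AGE_DAYS:
        flags.append("newly_registered_domain")
    return flags

def outbound_flags(raw):
    """Return names of sensitive patterns found in a message leaving the firm."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    return sorted(name for name, rx in SENSITIVE.items() if rx.search(text))

# Constructed sample messages.
LOOKALIKE = "From: Partner <partner@c1ient.example>\nSubject: Wire details\n\nPlease update the account."
CLIENT = "From: GC <gc@client.example>\nSubject: Re: draft\n\nLooks good."
OUTBOUND = "From: a@firm.example\nSubject: Memo\n\nAttorney-Client Privileged. SSN 123-45-6789."

if __name__ == "__main__":
    print(inbound_flags(LOOKALIKE, date(2016, 8, 22)))
    print(inbound_flags(CLIENT, date(2016, 8, 22)))
    print(outbound_flags(OUTBOUND))
```

The From header alone can be forged, so a filter like this complements sender authentication rather than replacing it.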
Copyright 2016. ALM Media Properties, LLC. All rights reserved.