Posted Jul 01, 2014 07:50 am CDT
Law firms face an array of cyberthreats from foreign governments, competitors and hackers. And then there’s the threat that has always existed in the offline world, but has migrated online: inside jobs—or what cybersecurity experts call extrusion.
That threat comes from firm employees who may be disgruntled or who want to make a quick buck from selling private information.
While there’s no such thing as 100 percent protection against extrusion, experts recommend guarding against it with tight background checks, formal written policies, perpetual vigilance, appropriate attention to technical considerations, and a balance between security and usability of the firm’s files and data.
While inside jobs may not be common, they do happen, says Edwin Reeser, an Altadena, California, sole practitioner who writes about law management issues.
“Crowell & Moring had one guy [Douglas Arntsen, who pleaded guilty in 2012] who took a bunch of money from clients and tried to run away” and was extradited from Hong Kong, Reeser says. He also cites the case of Matthew Kluger, convicted in 2012 in an insider trading scheme that ran 17 years while Kluger worked at Cravath Swaine & Moore; Skadden, Arps, Slate, Meagher & Flom; and Wilson Sonsini Goodrich & Rosati. Reeser says Kluger “would run barefoot through the firms’ system late at night because he had access and gave [information] to outsiders who traded on it. … Those could have been detected and stopped with an appropriate system.”
Even smaller boutique firms need such systems and protections.
“We’re going to find providers of these services … that we’re going to have to hire,” he says. “If you don’t have $20 million to set up a system … but you don’t need a system for everything you do, you’re going to have to rent it.” Such systems also can be accessed in concert with major corporate clients who can best afford them, Reeser adds.
To start with, firms must perform background reviews and make judgments about a potential employee’s reliability during the hiring process, says Alan Charles Raul, a Washington, D.C., partner at Sidley Austin and author of a chapter in The ABA Cybersecurity Handbook. “You need intake scrutiny,” he says.
Writing and disseminating formal policies helps ensure that honest personnel know to be aware of and report any suspicious activity, Raul says. Those policies should make clear that firms have the right to monitor their networks to enforce compliance and prevent wrongdoing, and that no expectation of privacy should exist in the use of the firm’s network.
“The formal, written policies are not necessarily going to deter the renegade,” he says. “But by sensitizing all the honest employees, you do make the environment less hospitable for dishonest employees.”
Firms also need policies to appropriately restrict the use of personal handheld devices and home computers, Raul says. But policies limiting use of personal smartphones, tablets or laptops can cause some strong reactions, especially from top partners, notes Sharon Nelson, president of cybersecurity firm Sensei Enterprises Inc. in Fairfax, Virginia.
“They dictate, and IT and security have to do what the partners want, even if it’s a violation of policy and common sense,” Nelson adds. “They scream ‘I want! I want! I want!’ And they get it because they’re high up the food chain.”
Andrew Jurczyk, chief information officer at Seyfarth Shaw in Chicago, says employee education is the most important part of a security system. “It’s extremely important for firms to provide education to their user base,” he says. “They need to know what encryption is, and what possible sources [of data leakage] are.”
To protect their networks on the technical side, firms need to have data leakage prevention tools or internal computer audit trail monitoring, Raul says.
“That will ascertain whether there are any unusual, untoward, suspicious accesses to files, emailing of large quantities of files to personal email accounts, and so on,” he says. “There should be automatic encryption of USB drives, and there ought to be limits on who can access what information.”
Since firms are perhaps most vulnerable to extrusion when an employee is about to leave, systematic processes are needed to handle that transition, Jurczyk says. “Typically, when somebody is leaving, they go through appropriate channels for the amount of data they’re allowed to take,” he says. “We produce it for them on a DVD and hand it over. It gets treated as a matter of record, and we go on from there.”
Particularly if an employee is disgruntled—and even more particularly if they’re being fired—firms need to be on maximum alert, Nelson says.
“Kill their ID, cut their remote access,” she says. “There’s a whole checklist of things you need to do to make sure there’s no further visit to the data by the person you’re terminating.”
This article originally appeared in the July 2014 issue of the ABA Journal with this headline: “Inside-Out Threat: Law firms’ own employees are among the major cyberthreats they must protect against.”