People, by nature, are optimistic creatures, and when business owners, specifically law firms, hear news of a major hack or cyber breach that has the potential to harm thousands of people or disrupt vital infrastructure, we hold onto a cherished belief: that somehow the experience will teach us all something new about cybersecurity, something that will protect us from the next threat. There’s an old story at play, a sort of arms race between criminals and those who hope to thwart them, and most of us would really like to believe that every crime or violation provides new information that brings us closer to a state of total security.
But as a technology-driven society, we aren’t quite there yet.
This unfortunate and increasingly familiar story—about a cyber hack that derailed several US newspaper organizations and delayed delivery to west coast subscribers—drives that message home. According to this short article in Quartz, the LA Times believed that this particular attack was designed to disable the paper’s infrastructure and servers. In other words, the motive in this specific case may have been pure destruction and chaos rather than information theft.
This kind of motive is especially relevant to law firms. In the worst-case scenarios our imaginations dream up, attackers target law firms not to steal cash, but to violate confidentiality, embarrass people, pursue agendas, or otherwise cause chaos for its own sake. For example, the Panama Papers scandal, whose ripple effects were felt in several countries, began with a cyber attack on a Panamanian law firm, Mossack Fonseca.
So what does this mean? How should we interpret these events as ever-hopeful legal professionals living in a fragile web of law enforcement and judicial systems which depend on strong cybersecurity that may or may not be there when we need it?
Of course, we can’t just give up and hope for the best, but we do need to resign ourselves to a state of constant vigilance. No matter how well-secured our systems may be, and no matter how strict we are in complying with the latest data security standards and protocols, there will always be an incentive to gain access to sensitive client data or disrupt societal nerve centers. As long as that incentive exists, we’ll need to apply pressure in the opposite direction. We need to be constantly on the lookout for new points of vulnerability, and constantly testing and distrusting our own systems, including authentication procedures, password requirements, alert systems, monitoring protocols that follow data as it’s checked out, reviewed, and checked back in, and of course, logging systems that track and record every action during a data transfer.
As the old saying goes, if you aren’t alarmed—in this case, by the scale and frequency of current and future breaches—then you just aren’t paying attention. A little perspective can keep us tuned in to small problems before they become big ones. Check out the article for insight into the precarious nature of everything from hospital databases to election systems.
Then recheck your law firm’s security platforms and give us a call! If your concerns are unwarranted and your client data is safe, we’ll help you sleep easier. If not, we’ll arrange a consultation, identify your areas of weakness, and help you take steps to reinforce them. Don’t be worried, be proactive! Stop breaches before they start.