This past month, newspapers around the world have been filled with stories of the Panama Papers — a massive trove of confidential tax planning information that will probably topple more than one politician. For lawyers and law firms, the chilling fact is that these millions of documents emanated from the computer files of a global law firm — Mossack Fonseca. Their client records and all of their secret dealings are now being read by journalists around the world.
Was it done by some skilled cybersleuth, intent on exposing illegal or improper activity, or at least hypocrisy? Was it a disgruntled internal whistleblower, within the law firm? Either way, it points to the vulnerability of law firms, and to the seriousness of the stakes when confidential client information is leaked.
What’s in Your Cybersecurity Bag of Tricks?
A month ago, we asked the Attorney at Work community to let us know how confident you are about cybersecurity in your firm. Today, we unveil the results.
Bottom line: Results from the Attorney at Work Cybersecurity Survey show clearly the vulnerability of law firms. None of us, however small or large, can afford to be complacent.
How Do You Sleep?
We started by asking what keeps you up at night. Topping the list was worry about sensitive client information and personally identifiable information being stolen. Theft of credentials and identities came in third.
Lawyers are notoriously sloppy about passwords, and one does not have to be a star pupil in a cyber-hacking graduating class to break through our security. Generally, law firm computers are much easier to attack than government or business computers.
Is your insurance adequate? When asked if their firm had cyber-insurance covering data breaches, only 22 percent said yes, while 47 percent said their insurance didn’t cover cyber issues.
A recent UK government survey suggested that everyone overestimates their insurance. In that survey, 52 percent of CEOs were confident they had cyber coverage, but according to the insurance industry, take-up was less than 2 percent — rose-colored glasses in the executive suite?
Do you encrypt flash drives? Given the huge capacity of flash USB drives and other mobile devices, we were surprised that only 27 percent of those surveyed routinely encrypt them.
Do you know how to encrypt email? We were surprised that 56 percent of those surveyed said they knew how to encrypt an email. In a similar Australian survey, most firms provided encryption services for lawyers, but very few actually knew how to use them.
Can you stop insiders? Most respondents — 58 percent — were confident they have adequate systems to deal with insider threats. We were surprised at this level of confidence, given the stories in legal publications about staff members taking advantage of weak firm security. Perhaps our readers know something that the Am Law 100 firms don’t?
Are you confident? Twenty percent responded that they were “very” confident about their firm’s ability to manage cybersecurity. When you add in those who were “somewhat” confident, you end up with a colossal 91 percent who said they were okay. Almost as many were confident that management appreciated cybersecurity risks and the firm’s vulnerabilities.
Are clients bugging you about security? While a significant number (39 percent) said that clients were asking about cybersecurity, that left a majority reporting no client pressure on the issue.
So if data breaches happen, what are you going to do about them? Only one in three of those surveyed — 34 percent — had a crisis management plan in place to deal with data security breaches. Another quarter reported planning to do so in 2016.
The Panama Papers may encourage a few more firms to actually put this on their priority action list.