Securing the Law Firm: With Few Users Involved, Why Are They Lagging Behind?

Sep 16, 2014

In corporate law, every communication or document is typically privileged information that carries highly valued corporate assets: intellectual property, patent filings, details about mergers and acquisitions, partnership deals or expansion into new markets or countries and other material initiatives.

Such privileged information has always made law firms a prime target for economic espionage. But in today’s digital age, these nefarious activities might take a different shape and scale. Nation-states seeking a competitive edge over their rivals can sponsor cyber criminals to go after the various systems of lawyers and law firms involved with strategic projects.

Whether in the day-to-day affairs of Fortune 500 companies or with startups about to break through with a new, market-changing technology, lawyers hold the keys to a company’s most valuable assets. They’re also given an unusual level of trust, one that is always reinforced by the common “Client – Attorney privileged communication” proviso on email messages. That’s why it can be devastating if a hacker succeeds at stealing an attorney’s e-mail and then fabricates messages that deceive other lawyers at the firm or at the client.

All this potential for a breach has forced many companies to be more demanding of their internal counsels and outside law firms, with stricter security requirements written into contracts – and in some cases, questionnaires about cybersecurity measures that can run more than 50 pages. As The New York Times reported earlier this year, it’s not uncommon for clients to ask law firms to stop putting files on thumb drives, or stop e-mail from going to nonsecure iPads or other mobile devices.

These seem like reasonable requests, but it can be a lot of work to change certain behaviors in the all-access digital age. Anecdotally, my lawyer friends tell me all the time how they’re restricted from certain uses of their mobile devices or other forms of communication, or from communications with specific customers or stakeholders involved with the companies they represent, or even when they travel to countries considered particularly at-risk for hacker activity. As much as they admit that these restrictions are needed, they also complain about the toll they can take on business productivity – especially for clients with demanding deadlines.

Shouldn’t Lawyers Know This Already?

Despite the abovementioned concerns, law firms should be some of the most straightforward businesses to secure. Typically the set of applications and systems they deploy to manage digital documents is well defined, the list of users involved in managing and controlling these assets is known and short compared to security scenarios in other industries, and the types of documents exchanged with clients are also well defined. Another advantage is that lawyers, by trade, are far better conditioned to sharing and communicating sensitive information.

But with attacks growing more frequent and more sophisticated, law firms ought to take advantage of these unique characteristics to apply the tightest possible security to their business. Rather than using traditional security solutions that are unable to apply controls at the application level, they can fully embrace next-generation security concepts such as application-level visibility.

The Palo Alto Networks Approach

Offering 100% visibility into network traffic at the application, user and content level is the foundation of Palo Alto Networks’ revolutionary approach to security. By deploying our Enterprise Security Platform, law firms:

  • Can better secure their existing environment and embrace the use of new technologies
  • Can extend enterprise-level security to mobile devices regardless of location by forcing all communications through secure enterprise gateway points, where they will be identified and inspected for threats
  • Can safely use instant messaging, VoIP and other modern communication tools knowing that behind-the-scenes traffic will always be inspected for potential intrusion and threats

Stephenson Harwood Closes Legal Loopholes

International law firm Stephenson Harwood is a great example of a law firm that took a leap forward with their security using Palo Alto Networks. With offices located across Europe and Asia, including sites in Hong Kong, London, Paris and Shanghai, Stephenson Harwood acted on some of the world’s largest high profile fraud and probate cases in recent years.

During a £26 million relocation of its London offices, Stephenson Harwood took the opportunity to refresh its network infrastructure, and a core requirement was a comprehensive firewall that provided complete control over what people were doing both on and offsite over the global network.

Legacy firewall technology just isn’t up to the task of managing modern applications, which can easily bypass port-based firewalls by hopping ports, using SSL and SSH, sneaking across port 80 or using non-standard ports. Law firms using digital communication and collaboration tools to share highly confidential information need true application visibility and control to manage all types of risks.

If you’re still not convinced that it’s time for law firms to get up to speed with a 21st century cybersecurity agenda, I invite you to read this somewhat disturbing but entertaining discussion posted by the SANS Institute between one of their analysts and a law firm.
