
Outrun the Bear: Law Firm Cybersecurity and the Insider Threat


It was a vendor that first identified the IT data breach at the Office of Personnel Management (OPM), according to Eric O’Neill, a former counterterrorism and counterintelligence operative.

The vendor had installed security software in order to demonstrate its value – and OPM would soon learn of upwards of 22 million incidents of data theft. The breach poses the risk of ID theft to federal employees, including the intelligence and military communities.

Mr. O’Neill’s comments came in the form of a keynote speech at the 2015 LegalTech® conference titled, Cybersecurity and Data Espionage: Spy Stories for Lawyers.

For a time, corporate America only had to worry about the competition stealing business secrets. Today, a number of high-profile breaches in recent history show nation states are also a threat. Worse, organizations, from government to corporations to law firms, while good at protecting against threats from the outside, have room to grow against insider threats.

The First Digital Spy

Mr. O’Neill rose in prominence as the result of an insider threat. In 2001, he was part of the operation that caught Robert Hanssen, whom he called “the worst spy in history.” Mr. Hanssen stole and sold government secrets to the Soviets and later the Russians for 22 years.

Mr. Hanssen was an insider. Not just any insider, but a person of special trust, charged with identifying spies and preventing them from stealing secrets. He was a spy charged with catching spies, an ideal position for covering up illicit activities.

He was, according to Mr. O’Neill, the first cyber spy. Mr. Hanssen exploited computer systems and stored the data on an early model personal digital assistant, or PDA.


Outrunning the Cybersecurity Bear

Today, the conventional Hollywood notion of a “hacker” is a myth: the disgruntled engineer typing and clicking their way into a hardened system from a basement location. In contrast, “hackers are looking for the easy way in,” he said.

“Hacking is the normal evolution of espionage.”

Today, cybersecurity is a bit like avoiding being eaten by a bear, according to Mr. O’Neill. You just have to run away faster than the other person.

To keep ahead, he offered a simple framework for security, which Legaltech News summarized in an article titled, Former FBI Operative Tells His ‘Spy Stories’ and the Biggest Issues in Security:

Compartmentalization: First, know where it is and where you keep it. Second, limit access to it, as not everybody has to have access to that info.

Diligence: “Don’t fall asleep behind the wheel,” O’Neill said. Actively use methods to know if information is being accessed. For example, you need to know what endpoints there are, and whitelist apps that have insufficient security.

Beware social media: O’Neill said that he “can’t say this enough.” This message is equally for young people and adults, but he stressed that those in attendance should tell young people to be more careful than they are being.
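As an added illustration of the compartmentalization and diligence points above (example code written for this edit, not from Mr. O’Neill’s talk or from any LexisNexis product; the inventory, clearances, principals and endpoint names are constructed sample values), a small Python model that ties the three questions together: where the information is, who has a need to know, and whether attempts to reach it are being watched. Each access decision is also an audit record, so nothing is touched without being seen, and repeated denials surface the pattern a trusted insider produces when probing outside their own compartment.

```python
"""Need-to-know access control with an audit trail (added example; sample data is constructed)."""
from collections import Counter

# Compartmentalization, step one: know where the information is.
# Each compartment maps to the assets it holds (constructed sample inventory).
ASSETS = {
    "matter-1234": {"engagement_letter.pdf", "discovery_index.xlsx"},
    "hr": {"payroll_2015.csv"},
    "general": {"holiday_schedule.docx"},
}

# Compartmentalization, step two: limit access to those with a need to know.
# Principal -> compartments they are cleared for (constructed sample values).
CLEARANCES = {
    "alice": {"matter-1234", "general"},
    "bob": {"hr", "general"},
    "mallory": {"general"},
}

# Diligence: know what endpoints exist; anything else is treated as unknown.
APPROVED_ENDPOINTS = {"ws-alice-01", "ws-bob-02", "ws-mallory-03"}


def compartment_of(asset):
    """Return the compartment holding `asset`, or None if it is not inventoried."""
    for name, files in ASSETS.items():
        if asset in files:
            return name
    return None


def check_access(principal, asset, endpoint, audit_log):
    """Decide one access request and record it, allowed or not, in `audit_log`."""
    reasons = []
    compartment = compartment_of(asset)
    if compartment is None:
        reasons.append("unknown asset")
    elif compartment not in CLEARANCES.get(principal, set()):
        reasons.append("no need-to-know")
    if endpoint not in APPROVED_ENDPOINTS:
        reasons.append("unapproved endpoint")
    allowed = not reasons
    audit_log.append({
        "principal": principal,
        "asset": asset,
        "endpoint": endpoint,
        "allowed": allowed,
        "reasons": reasons,
    })
    return allowed


def review_audit(audit_log, threshold=2):
    """Diligence: flag principals whose denied attempts reach `threshold`.

    Repeated reaches outside one's own compartments are the pattern a
    trusted insider produces when probing for data they should not have.
    """
    denials = Counter(e["principal"] for e in audit_log if not e["allowed"])
    return {p: n for p, n in denials.items() if n >= threshold}


def demo():
    """Run a constructed sequence of requests; return the log and the review result."""
    log = []
    check_access("alice", "engagement_letter.pdf", "ws-alice-01", log)      # allowed
    check_access("mallory", "engagement_letter.pdf", "ws-mallory-03", log)  # denied: no need-to-know
    check_access("mallory", "payroll_2015.csv", "ws-mallory-03", log)       # denied: no need-to-know
    check_access("bob", "payroll_2015.csv", "pda-unknown", log)             # denied: unapproved endpoint
    return log, review_audit(log)


if __name__ == "__main__":
    entries, flagged = demo()
    for entry in entries:
        print(entry)
    print("review:", flagged)
```

In a real firm the inventory would come from the document management system and the log from file servers or a DLP tool rather than from dictionaries; the design point the example makes is that the access decision and the audit record are one step, so the firm always knows what was reached, by whom, and from which endpoint.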

For law firms with additional ethical considerations, IT security can be overwhelming.

“A number of law firms have been so overwhelmed by the nature of the data security threat that they have essentially been paralyzed by the sheer scope of the problem,” according to Jeff Norris, CISSP and senior director of data security for LexisNexis Managed Technology Services.

It is “a reaction that is understandable considering they’re in the business of practicing law, not cybersecurity,” he said during an interview for a blog post titled, 6 Key Ingredients to a Law Firm Data Security Plan.

“You don’t have to outrun the bear, just the person you’re with,” Mr. Norris added in a conversation following this keynote session. “Firms have to start putting plans in place, but those plans don’t need to be perfect or complete – just evolving based on risks. Action helps ‘un-paralyze’ and offers a path toward avoiding being, or becoming, a soft target.”

* * *

The operation designed to catch Mr. Hanssen in the act might today be likened to social engineering. A team distracted Mr. Hanssen at work and Mr. O’Neill was able to retrieve data off that PDA without his knowledge, which provided actionable information for law enforcement to catch Mr. Hanssen red-handed.

[Infographic: Cybersecurity Stats and Facts for Inside and Outside Counsel]


Photo credit:  Flickr, Tambako The Jaguar, Polar bear in the sun (CC BY-ND 2.0)


About Frank Strong

Frank Strong is the communications director for the LexisNexis software division located on NC State’s Centennial Campus in Raleigh. In this capacity, he leads communications efforts in support of software products for law practice and law department management and also litigation tools – across large law, small law and corporate counsel segments. With more than 15 years of experience in the high-tech sector, Strong previously served as director of public relations for Vocus, which developed marketing, PR and media monitoring software. He has held multiple roles both in-house with corporations, ranging from startups to global organizations, and has also endured the rigors of billable hours, having completed gigs at PR firms including the top 10 global firm Hill & Knowlton. A veteran of two year-long deployments, Strong has concurrently served in uniform in reserve components of the military for more than 20 years, initially as an enlisted Marine and later as an infantry officer in the Army National Guard. Strong holds a BA in Film and TV production from Worcester State University, an M.A. in Public Communication from American University, and an M.B.A. from Marymount University. He is a PADI-certified Master Scuba Diver and holds a USPA "B" skydiving license.