Last fall, MacKenzie Dunham was a law student working at a personal injury firm in Houston when one of the firm’s two partners called the office to say their car had been broken into and he would not make it in.
Not worried, the partner mentioned that among his stolen belongings was a MacBook he used for work.
This was when Dunham realized the theft was not just a nuisance—it was a major breach of client documents.
With no stated firm policy, he leaped into action by revoking the computer’s access to the firm’s various online accounts and remotely wiping the machine.
“I just did what I could to minimize [the breach],” Dunham says. Without his efforts, “the person that had the laptop would have access to client files.”
After the incident, Dunham created the firm’s first security policy and made sure all firm devices were trackable and able to be remotely wiped.
Now a staff attorney at Access Justice Houston, a nonprofit law firm he founded, Dunham says this lesson taught him that “you need to be prepared to have every device that has ever touched client information … stolen.”
Like that laptop in Houston, cybersecurity is a moving target. And as technology evolves, threats and vulnerabilities evolve, too. To avoid being caught on the back foot, firms are using simulations to find vulnerabilities and build or bolster their cybersecurity systems, as well as cultivating firmwide culture change to train employees.
“It has to be as natural as putting on your shoes every morning,” says Ruth Hill Bro, a co-author of the second edition of The ABA Cybersecurity Handbook and co-chair of the ABA Cybersecurity Legal Task Force.
This means making “data protection a part of your law firm culture,” Bro says. Security is no longer solely an IT issue, she says; everyone must be involved, from the top down. For the skeptics, she says to “insert your name into the most recent headline.”
Those headlines are becoming more common. According to the Identity Theft Resource Center, a nonprofit that helps those who have experienced identity theft, more than 1,300 data breaches happened in 2017, which exposed more than 174 million records that had personal identifying information such as Social Security and credit card numbers, emails and passwords.
And according to the ABA’s 2017 Legal Technology Survey Report, 22 percent of respondents suffered a security breach at their law firms.
To put that into monetary terms, the research firm Cybersecurity Ventures estimates that ransomware attacks alone, like WannaCry, created $5 billion in damages last year, up from $325 million in 2015. Further, according to Cisco’s 2017 Annual Cybersecurity Report, 22 percent of firms that were breached lost customers, 29 percent lost revenue, and 23 percent reported lost business opportunities.
FINDING THE WEAK SPOT
Cybersecurity simulations take a variety of formats, including threat assessments, digital penetration testing and paper simulations. At their core, they all intend to root out weaknesses or blind spots in a cybersecurity plan or network by creating a realistic representation of an attack.
There is some debate about the scope of these approaches. Red team simulations, for example, take an adversarial approach in which a group is asked to emulate a realistic attack on a system. This is an opportunity to test the system’s detection and response capabilities. Sometimes in these simulations, there is also a blue team, which attempts to defend against the attack. A variation on this theme is penetration testing. This happens when one or more people attempt to exploit known system vulnerabilities, and it can illustrate the breadth and depth of unpatched or unknown vulnerabilities. Neither of these approaches is meant to cause harm to the systems themselves but rather to show in real time the weaknesses and strengths of an existing system.
Another mechanism firms are using to assess their vulnerabilities is tabletop simulation. Justin Weissert, director of proactive services at cybersecurity firm CrowdStrike, sees the use “growing in the legal space.”
To create the paper-based simulations, CrowdStrike spends a day or two with an organization’s employees learning what current incident response practices look like, the firm’s technical capacity, and other human factors that can contribute to an incident response. With this information, CrowdStrike develops a daylong exercise for members of IT, the executive team, and legal and public relations to game out how they detect and respond to the scenario.
This approach is meant to help firm leadership grapple with vulnerabilities through targeted attack scenarios without testing their technical systems. Tabletops can provide context for gaps in security processes, Weissert says. For many, he says, it is eye-opening.
Through the process, organizations can “identify initial stepping-stones” for a playbook—a step-by-step guide to triage a cybersecurity breach, Weissert says.
Within that playbook, he also recommends that firms consider security audits when contemplating the acquisition of another firm. “It’s the same kind of thing as allowing an acquiring company to take a look at your books,” he says.
However, creating a plan is one step. Without companywide buy-in, the best-laid plans can crumble, and implementation has its hurdles, says Andy Sawyer, director of security at Locke Lord, who’s based in its Dallas office. “Anytime you make a change, whether it’s at a law firm or big bank or another business … you’re going to have opposition,” he says.
The fact that clients are demanding cybersecurity best practices is helping motivate the more recalcitrant. Sawyer says clients send assessment audits to be filled out by the firm as a condition of representation. With that, Sawyer can go to a resistant attorney and show the clients’ demands to help nudge the attorney. With more than five years of experience building the firm’s security awareness program, he does not see the same amount of pushback he did earlier in the process.
This article was published in the February 2018 issue of the ABA Journal with the title “Game Theory: Lawyers are turning to simulations to test how safe their systems are.”