Sat, 2 May 2026

Cybersecurity trends in the legal industry

Mention cybersecurity attacks, and the most often quoted cases of data breaches are in government, financial services, insurance, healthcare and retail. Rarely do we hear of cyberattacks perpetrated against the legal profession.

When you consider that the legal industry carries extremely sensitive client information, you have to wonder why there is no news about this industry.

Data from the 2017 ABA Legal Technology Survey found 22% of law firms got hacked or experienced data breaches in 2017. Law firms are also vulnerable to state-sponsored attacks from Russia, Iran and China, as evidenced by a 2019 Chinese hack into a U.S. firm known for its expertise in intellectual property. Cybersecurity for law firms is rapidly becoming a hot topic.

FutureCIO spoke to Subroto Panda, chief information officer of India-based law firm Anand & Anand, to get his perspective on the security efforts that legal firms put in place to avoid becoming victims of cyberattacks.

Anand and Anand is a full-service IP law firm, providing end-to-end legal solutions covering all cross-sections of Intellectual Property and allied areas. The firm is professionally managed by a partnership board comprising 29 partners and a senior director, supported by a management team comprising a chief executive officer, chief finance officer and the chief information officer. The firm has offices based in New Delhi, Noida, Chennai and Mumbai.

How has information security changed in the legal industry?

Subroto Panda: Information security has become an ingrained process in itself like any part of the business. It is no longer taken in isolation, but as a subject taken even in board meetings.

Are law firms just as susceptible to cyberattacks as other industries?

Subroto Panda: It is a harsh reality because any law firm stores lots of confidential information. I would say that our industry is more susceptible to breaches because law firms attract organisations that collect information.

What types of cyberattacks are most predominant in the legal industry?

Subroto Panda: I would say phishing is predominantly much more, then there is spoofing. Next come viruses, malware, spyware.

Are cybersecurity practices used in Asia similar to those in the US or Europe?

Subroto Panda: It depends upon the organisation how strong they look into it (cybersecurity practice) and how forceful they want to make it. At the same time, security should never become a bottleneck, because with security, there are lots of bottlenecks that will come, but people who are managing the security systems should understand the business requirement and then craft the security measures accordingly.

Can you name some approaches legal firms put in place to mitigate against these cyber threats?

Subroto Panda: The first and foremost is the training. It should be continuous training, where things are explained to them in such a way so that they understand the impact. For example, I would say that nowadays, everything is connected.

There is nothing that is not connected. And there are people who are using a device given by the company, they might be using their own emails, or they might be using some documents to exchange, but these need to know exactly which email they need to open, which emails should be deleted, because unless there has been proper training, they will not know the impact.

To what extent is the legal industry open to outsourcing their cyber security needs?

Subroto Panda: Initially, when the project is done, it should be outsourced with the people who are responsible for it trained on the technology until such time that they can take not only ownership and responsibility but also be able to do everything in-house.

Do legal firms in Asia use cloud-based technologies and services and why?

Subroto Panda: Legal firms are going into cloud because cloud provides a platform where a lot of applications can be integrated easily. The arrival of AI, ML and other emerging technologies will necessitate familiarity with the use of cloud technology.

What skillsets do you look for in your information security team?

Subroto Panda: I will look for somebody who is passionate about security. Every day there is some development in the world of security. A passionate security professional is also well-read, keeps up to date with developments. Lastly, he or she must be able to correlate with the policies and do system audit.
