#Privacy: How to reduce insider threats to high value legal content

The Verizon 2019 Data Breach Investigations Report (DBIR) says that 34 percent of all breaches in 2018 were caused by insiders, and it’s only going to get worse.

Law firms, their clients and all organizations, in fact, face a volatile insider threat landscape, exacerbated by emerging technologies, interconnected and mobile devices, and new and evolving privacy regulations such as the GDPR and CCPA. Most organizations take basic steps to help limit insider threats and employ these practices to some extent, especially against threats posed by unwitting insiders.

A few of the most important ones include establishing and communicating cybersecurity programs with stakeholders, from email system security awareness to cloud repositories and USB devices, along with basic security controls at the device level – all which can all help prevent accidental exposure of information by employees.

The bleak reality is that these controls are not sufficient. So, how do corporate legal departments and law firms stop a committed, digitally savvy employee looking to steal information, or with malicious intent? Data owners need to work extra hard to stay ahead of all threats, and its mission critical to move beyond standard security controls when it comes to cybersecurity risks.

Law firms and legal departments are notorious soft targets

As custodians of sensitive and high-value information, lawyers amass a ton of high value information about their own business and that of their clients, including regulatory filings, intellectual property, employment contracts, privileged communications, non-public personal information (NPI) and personally identifiable information (PII), to name a few.

Lawyers are, unfortunately, notoriously known for not being able to protect this information. Almost a quarter of respondents to the American Bar Association’s 2018 Legal Technology Survey indicated that their firms had experienced a data breach – and these are just the firms that are aware they have been breached.

Former FBI director Robert Mueller said it best back in 2012: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Given the increasing recognition of these risks, 48 percent of law firms had been subject to a data security audit at the behest of at least one corporate client over the preceding year.

But why are insider threats so dangerous? Insiders start on third base and have what external hackers have to work very hard to get – authorized access to data. Not only do insiders come bearing with valid credentials; they are often expected, even required, to access sensitive data during the course of their work.

There is no reconnaissance phase, phishing campaign, malware injection, or lateral network movement and privilege escalation when dealing with (most) insider threats. The insider simply uses their approved network credentials to access information and then can download or exfiltrate that information in some way. This is why insider attacks frequently evade detection for so long – or are never discovered.

To better secure your organization from all threats, the legal sector – or all organizations and industries, rather – needs to focus on the data. Below are three steps to reduce the risks of insider threats through better understanding and management of data.

Know where sensitive data resides in your organisation

Many organizations, including law firms, don’t know where and what information is contained in their documents, including sensitive and regulated information such as PII and PCI – or where that information resides within the organization. Much of the content resides outside of centralized managed systems, relying on manual enforcement of governance policies and procedures by individuals, which increases risk of inadvertent or malicious exposure of sensitive documents. File analysis tools, which can be quickly deployed, can provide enterprises with insight into what sensitive content exists, and where. Among other things, such tools can crawl data sources, analyze documents by metadata (age, owner, location, etc.), keywords, policies and more, allowing authorized individuals to take action – such as moving, deleting, retaining, exporting or archiving that data. This is a critical step in identifying sensitive, high-value data and documents that need to be protected.

Encrypt sensitive data at rest

With encryption solely at the device level, sensitive information can still be viewed via a server, opening the door to unauthorized documents accessed by system administrators who have access to back-end databases. By encrypting individual documents at rest, users can close that door, ensuring that not even high-level administrators can gain access to document contents without authorization from established content owners.

Document-level encryption protects content both on-premise and in the cloud, and continues to protect content that is backed up onto external media. This protects back-up data in-house and ensures that content remains encrypted and inaccessible should a back-up device be stolen or hacked.

Employ proactive monitoring tools to detect threats

Even authorized users can engage in unauthorized document access. That is the very essence of many insider data breaches. Proactive activity monitoring tools, such as those that reside within enterprise content management (ECM) systems, can detect suspicious access patterns and send customized alerts to designated individuals. This minimizes the time between improper data access and its detection, limiting the damages of such a breach.

These monitoring functions can also automatically lock down sensitive documents, preventing access when an authorized user attempts to violate a rule or engages in unusual activity, perhaps by deleting multiple documents or accessing documents outside of business hours. Finally, activity monitoring includes the creation of document audit trails, enabling organizations to reconstruct what happened during an attempted breach or inappropriate document access.

Proactivity is the watchword

With a growing number of data breaches initiated internally and an ever-widening regulatory landscape demanding stricter data protection requirements, organizations need to move from a reactive model – after sensitive data is lost and it’s too late – to taking preventative steps to mitigate the risk of insider data theft.

With these threats on the rise, device-level security – or worse yet, not knowing where sensitive, high-value information lies within the firm or organization – is no longer adequate. Fortunately, legal professionals and their IT counterparts can implement proactive approaches to mitigate the risk of an insider threat. By proactively identifying, categorizing and isolating sensitive data and implementing secondary layers of defense using document-level security protections, organizations can place security closer to what’s most important, the data.

Law firms, corporate legal departments and other organizations that deploy these advanced technologies can enable better security at the document level – the source of growing insider threats. However, a more layered security approach is critical to fighting off internal bad actors and reducing the risk of a catastrophic data breach. It’s crucial to also reinforce a security conscious culture where there are security policies and protocols in place to help teams better detect suspicious activity. With this mix of the right technology and practices, organizations will be one step ahead in mitigating insider threats for good.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/