Courts, Contracts, Cloud And Collaboration
How to respond to the step change in mobile risk across the legal profession
As an IT leader in a legal firm, you don’t need to be told how important information security is to your sector. Legal firms face unique challenges. They handle not only client funds but also sensitive and highly confidential information. Handling sensitive information is not the exception in legal firms; it is the rule.
The range of potential attackers targeting legal firms is comparable to that facing governmental organizations, including nation-states, serious organized crime gangs, and hacktivists. Attackers are motivated not just by financial gain but also by political, ideological, and nation-state concerns. Incidents such as the release of the Panama and Paradise papers send a chill through the bones of legal firm Information Security staff everywhere.
Risks are particularly acute for firms whose clients are in sensitive or controversial sectors such as energy, life sciences, capital markets, and high technology.
Experts point to a range of recent trends which are heightening the risk profile of the legal industry:
- Clients challenge the technical capabilities of firms insisting that they support their preferred collaboration and data storage systems.
- The legal supply chain is becoming more complex: outsourcing, disaggregation of the delivery of legal services, and the increased use of specialist firms. Not only must legal firms collaborate securely with their clients, they must also do so with a range of other legal providers.
- Remote working has become the norm, and with it, the requirement that documents and systems be accessible from anywhere at any time in a manner which delivers both security and ease of use.
- Privacy regulations are complex and often conflicting. For example, firms working with US clients may well need to take the growing body of state-level privacy laws into account in their operations.
Supply chain attacks have raised awareness across all sectors that your data is only as secure as the information security management systems of the third-party suppliers you rely on. Clients demand insight into their legal service providers’ cybersecurity controls, processes, and procedures. They are acutely aware that the information they share with their lawyers is highly sensitive and need reassurance that it is being handled and protected appropriately. Firms need to answer clients’ requests about their cybersecurity practices and their information security management system credibly. Increasingly, clients demand certifications such as ISO 27001 and SOC 2.
All of these factors point to the unique importance of information security to the reputation of legal firms. Partners are only too aware that a single incident can destroy a reputation carefully built up over countless years, and there are plenty of ready, willing, and able competitors just waiting for an incumbent to slip.
Information security leaders within legal firms are not complacent, and neither is their management. PwC UK’s Annual Law Firm Survey revealed that the top 100 firms have increased their spending on cybersecurity by an average of 39% in the last year.
The rise of mobile risk
But what if that spend is not properly allocated? Today many legal firms have no protection in place against the rising threats facing mobile users, even though we are now seeing a 50/50 split between mobile and desktop traffic, a significant change from the 25/75 split in 2015. As the profession embraces cloud computing, the exposure that mobile represents begins to align with the exposure of traditional domain-joined devices.
Today, the vast majority of medium-sized and large legal firms have mobile device management systems in place. In fact, many have had these systems in place for years. However, the clue is in the name: these are management systems, not security systems. They don’t defend against the three principal risks facing mobile users today.
The first of these is the risk of credential theft, either via phishing attacks or malicious applications. 77% of leading law firms reported experiencing a phishing incident in 2022. These attacks are widespread and increasingly sophisticated. They can steal not only usernames and passwords but also authentication cookies and codes. MFA is not a panacea.
Advanced spyware is the second significant risk facing law firms, particularly those dealing with clients in sensitive sectors. Multiple scandals have raised awareness of security agencies’ use of the Pegasus iOS spyware to mount targeted surveillance on politicians and civil rights activists. Today there is mounting concern that similar sophisticated technology is being deployed more widely. Such malware bypasses the built-in security protections in iOS and Android and cannot be detected by anti-virus software. The threat is real: it can lead to a fundamental compromise of any data on the phone and create a gateway to all of the data in the organization.
The third risk is intercepted communications. Lawyers use their smartphones and tablets continuously on networks which are not under their organization’s control. This can be anything from a home network to the free Wi-Fi provided in hotels or coffee shops or, indeed, the cellular network itself. Without robust and continuous encryption, these communications are at risk of interception by determined adversaries.
A better set of solutions
It is, unfortunately, true that the first generation of mobile security solutions promised more than they delivered. Many were based on replicating the limited features found in traditional anti-virus solutions. They failed to take into account the unique benefits (for example, sandboxing and the app store distribution model) and challenges (for example, smishing and user privacy expectations) of the mobile environment.
The good news is that there are easy-to-deploy, privacy-sensitive solutions available today. Mobile Threat Defence technology has moved on since the term was first coined by Gartner back in 2016. Today, leading-edge mobile threat defence solutions protect against SMS and other mobile-specific phishing attacks, detect sophisticated malware, and protect against communications which are inadequately encrypted. What’s more, the leading solutions can do all of this without needing to collect privacy-sensitive information such as location or the contents of files on the device.
I would urge legal firm IT leaders to carefully consider the benefits of deploying MTD. If you’ve previously looked at mobile endpoint security solutions, now is a good time to look again; if not, take a look for the first time. You’ll be pleasantly surprised by the protections available, the positive user experience, and the ease of management and deployment. And you never know, your partners might even thank you!