Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The Security Risks of Collaboration Tools for Law Firms

August 1, 2019

Infosecurity Magazine carried a post on July 29 about the advantages and security risks of law firms using collaboration tools.

According to a recent PwC report, most of the top 100 law firms now use digital collaboration tools to improve communication with their clients. While these tools support operational efficiency – and improve the relationship between a law firm and its clients – they also pose a risk to security.

The same report also found that three in five law firms suffered a security incident in 2018. Enormous amounts of client money have been stolen.

A lot of threats are internal. Accidental online leaking and misconfigured services and portals have now been responsible for exposing the largest number of records for two consecutive years, ahead of hacking.

Any cloud-based apps used by a business that promote file-sharing functionality will typically be regarded as being at greatest risk of data exfiltration. While it might be easy to mitigate this risk by identifying and blocking such apps, it would hardly be beneficial to a firm's client relationships.

A law firm's IT admin might assign risk to an entire cloud application, identifying and acknowledging a potential vulnerability. A more thorough approach would be to apply appropriate risk levels to the various possible actions within that app, restricting an individual user's access to only those functions relevant to their role or specific need.

To accomplish this, you need to deploy a Cloud Access Security Broker (CASB). It might not always be necessary to edit or download files – simply being able to view a document will often suffice.

By maintaining visibility and control over how documents are shared in this way, law firms can directly address the number one cause of sensitive information being exposed during the collaboration process – human carelessness.
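To make the difference between app-level and action-level control concrete, here is an added sketch that is not from the Infosecurity post or from any CASB product. The roles, the `doc-portal` app name, the action names, and the risk levels are all hypothetical, and the events are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical policy: role -> app -> actions that role needs (default deny).
POLICY = {
    "paralegal": {"doc-portal": {"view"}},
    "associate": {"doc-portal": {"view", "edit"}},
    "partner": {"doc-portal": {"view", "edit", "download", "share_external"}},
}
# Hypothetical risk levels attached to actions instead of the whole app.
ACTION_RISK = {"view": "low", "edit": "medium",
               "download": "high", "share_external": "high"}
BLOCKED_APPS = {"doc-portal"}  # the coarse alternative: block the app outright

@dataclass(frozen=True)
class Event:
    user: str
    role: str
    app: str
    action: str

def decide_per_action(e):
    """Allow only known actions granted to the role; everything else is denied."""
    granted = POLICY.get(e.role, {}).get(e.app, set())
    return "allow" if e.action in ACTION_RISK and e.action in granted else "deny"

def decide_per_app(e):
    """App-level control: one verdict for every action in the app."""
    return "deny" if e.app in BLOCKED_APPS else "allow"

def compare(events):
    """Count allowed events under each model and list denied high-risk attempts."""
    flagged = [(e.user, e.action) for e in events
               if decide_per_action(e) == "deny"
               and ACTION_RISK.get(e.action, "high") == "high"]
    return {
        "per_app_allowed": sum(decide_per_app(e) == "allow" for e in events),
        "per_action_allowed": sum(decide_per_action(e) == "allow" for e in events),
        "flagged": flagged,
    }

# Constructed sample activity, not real log data.
EVENTS = [
    Event("avery", "paralegal", "doc-portal", "view"),
    Event("avery", "paralegal", "doc-portal", "download"),
    Event("blake", "associate", "doc-portal", "edit"),
    Event("blake", "associate", "doc-portal", "share_external"),
    Event("casey", "partner", "doc-portal", "share_external"),
    Event("drew", "contractor", "doc-portal", "view"),
]

if __name__ == "__main__":
    print(compare(EVENTS))
```

Blocking the app stops all six events, including routine viewing and editing; the per-action policy lets three through and surfaces the two denied high-risk attempts for follow-up.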

According to the PwC report, roughly half of law firms use mobile apps to collaborate directly with their clients. Unfortunately, the use of such apps creates the perfect conditions for the accidental sharing of sensitive information.

Training often goes out the window when employees use consumer apps such as WhatsApp, Telegram and Facebook Messenger. Years of unconscious behavioral conditioning mean that most users are predisposed to share as much and as often as possible. These apps are often deeply integrated with commonly used cloud-based business tools that hold confidential information, making accidental sharing very easy.

Consider WhatsApp phishing, for example, in which criminals impersonating a trusted entity will ask for sensitive client or business information. This is becoming an increasingly common technique. Given the medium, many recipients of such a message won't question its validity.

The same tactic can be used on Telegram, Facebook Messenger, even Tinder, so blocking everything won't make the problem go away. Instead, granular monitoring is required to provide IT teams with an understanding of the different specific actions that touch their firm's information, such as sharing files or clicking links inside messages. Preventing these actions from occurring in the first place is by far the most effective way of addressing the problem.

Blocking employees from using these apps would be counter-productive. But with the application of careful thought, insight, and the right monitoring, the legal profession should soon lose less information to accidental online leaking.

This is already an approach that the legal profession, and many industries, adopt for email and web security. Now that cloud applications are as prevalent and, in many cases, are replacing the traditional work function of email and web, security practices must also be updated to address this new reality.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson