Law firms are in a precarious position when it comes to cyber risk. These organizations are tasked with storing large amounts of sensitive information — from corporate finances to client data to intellectual property (IP) — and, as such, are finding themselves in the crosshairs of threat actors.
Orrick, Herrington & Sutcliffe, a firm that works with victims of cyber attacks, found this risk out first-hand in the spring of 2023, when the PII and health data of more than 637,000 previous breach victims was exfiltrated from their network during a breach.
Unfortunately, this kind of story is becoming more common in the legal industry, especially as firms digitize and find themselves responsible for more information, much of which they’re choosing to store on cloud servers.
According to a new report by Arctic Wolf and Above the Law, 39% of firms in the past year had a data breach, and 56% of those firms lost confidential or client data as part of the breach.
Additionally, law firms are not like hospitals, which can turn to HIPAA for compliance and security guidance. Instead, they must contend with several sweeping regulations — or face stiff financial penalties.
Regulations include:
- Legal sector-specific compliance guidance
- Client industry-specific compliance guidance
- Location-based compliance standards
It’s important to look at how law firms are utilizing the cloud, the compliance regulations they must face, and how these important institutions can better secure their own and their clients’ data.
Law Firms and Cloud Compliance
While the legal industry was historically behind others in cloud adoption, a shift has occurred in the last couple of years, with more law firms migrating data from on-premises servers to the cloud. The 2022 ABA Legal Technology Survey Report showed 70% of respondents reported using cloud computing, up from 60% in just one year. For solo practices, cloud users moved from 52% to 84%, followed by small- and medium-sized law firms (roughly 75%, up from roughly 65%). And survey results found that consumer cloud technologies were adopted more than dedicated legal products.
Legal organizations, like other industries, use the cloud for a variety of purposes, including the storing of, and sending of, important case documents and data from their clients, as well as the use of cloud-based applications for daily duties. While firms may reside in offices, attorneys are often out meeting with clients, in the courtroom, and everywhere in between, so having a cloud-based way to access documents is crucial for operations.
While the cloud often leads to more productive, agile operations, it introduces new risk to an already- targeted industry fighting to stay compliant and secure. While legal firms see the benefit of the cloud in terms of cost reductions and increased data storage capabilities, only 41% of respondents report that adoption of cloud computing resulted in changes to internal technology or security policies.
Aird & Berlis, a leading U.K. law firm, talked to Arctic Wolf about these challenges prior to their partnership with Arctic Wolf, describing it as a “constant work.”
“The ultimate challenge is maintaining an agile defense against evolving cybersecurity threats, while adhering to our clients’ rigorous compliance standards,” IT Director Pedro Palmas said.
This dual need has led to several challenges for law firms around the globe.
Seven Compliance Challenges the Legal Industry Faces
1. Managing Complex Cloud Environments.
Hybrid-cloud models, which often accommodate multiple cloud platforms and providers, make visibility difficult, and cloud security responsibilities are blurred or potentially ambiguous. In addition, this kind of environment means security controls, hardware, and other aspects of your infrastructure are distributed. This lack of a defined perimeter to defend — and the subsequent absence of a centralized view of your data, applications, and network — complicates the security landscape and increases the risk of misconfiguration.
Potential solutions:
- Know your responsibilities for cloud management
- Make sure cloud optimization is part of your security posture improvement workflow
- Partner with a third-party that can provide visibility into your cloud sources
2. Ever-changing and ever-growing regulations.
Because data protection regulations are far-reaching in scope, changing laws and technologies often spur updates or the creation of new regulations. This applies to regulations specific to the legal sector and the requirements of the industries of legal clients. Not only do legal organizations have to follow location-specific and industry-specific guidelines (for example a firm that works with healthcare organizations would have to follow HIPAA), but clients are beginning to demand firms have certain security controls in place before agreeing to work with them.
Potential solutions:
- Learn which regulations your firm must follow. Thankfully, many have overlapping security controls, meaning it will be easiery to implement a singular control to meet multiple requirements
3. Resilience and repeatability.
Security is a journey, not a destination, so firms must be adaptable and open to consistently evaluating their own security and compliance mandates. Furthermore, effectiveness must be frequently demonstrated to auditors, third-party risk assessors, and other interested parties through compliance audits and ad-hoc requests. To accommodate these ongoing demands, your compliance plan must build in resiliency and repeatability.
Potential solutions:
- Set a schedule in which your compliance requirements can be assessed and benchmarked
- Continually monitor your environment for changes and implement broad frameworks, such as identity and access management (IAM) best practices or the NIST cybersecurity framework, both of which will prompt your organization to regularly watch for and update controls and regulations
4. Industry transformation.
Like many industries, law firms are rapidly digitizing, adopting the cloud at a pace much faster than they’re securing it. In addition, the adoption of digital cloud technologies across the legal services sector dramatically increases the number and types of access points that must be secured and accounted for in your cloud security and compliance strategy.
Potential solutions:
- Implement a managed detection and response (MDR) solution that can monitor your cloud sources, removing the strain on internal resources while meeting compliance standards
- Work with internal stakeholders, including your security teams and possibly CISO, to make sure that security measures are in line with new technologies as they are added.
- If your firm uses Amazon Web Services (AWS) or Microsoft Azure, there are several resources available to improve cloud security and compliance.
5. Employee turnover.
While employee churn at law firms has decreased from the historic high levels reported in 2021, it remains above levels from previous years. In 2022, geographic relocation was cited as one of the primary reasons for associate departures and more than twice as many litigation associates left their firms in 2022 than did business and corporate associates. Because cloud security and compliance are an all-hands-on-deck effort, loss of experienced employees in any area of the organization presents risk.
Potential solutions:
- Work internally to improve employee longevity
- Partner with a third-party on security and compliance, knowing that partnership will create consistency in terms of human and technological resources
6. Skills gaps and shortages.
As computing environments diversify and compliance regulations evolve, the endeavor to establish and maintain security protocols, as well as demonstrate organizational compliance, grows more time- consuming, resource-intensive, and specialized. However, it appears this gap is here to stay, and organizations across industries are learning to do more with less.
Potential solutions:
- Work with a third-party provider to manage both your cloud and on-premises environments, lessening the burden on your already- strained internal workforce
7. Expanded attack surface with increased SaaS usage.
For software-as-a-service (SaaS) platforms, the account is the front line of defense. Threat actors know this, and in recent years have turned to credential theft and credential compromise as their favored initial access method. User action accounted for 24.4% of root causes in engagements with Arctic Wolf Incident Response in 2023, and 7.3% of that came from previously compromised credentials.
Potential solutions:
- Implement a strong IAM program, which should include identity threat detection and response (ITDR), which can help monitor, detect, and respond to the identity component of your organization’s attack surface.
- Add access controls, such as multi-factor authentication (MFA) to all applications, including SaaS applications
- Conduct, or work with a partner to conduct, dark web monitoring to identify compromised credentials
- Employ robust security awareness training to reduce human risk across all applications
How Law Firms Can Better Achieve Cloud Compliance
While the struggles mentioned above will remain, especially as the cloud becomes the go-to for firms, there are steps any organization can take to achieve cloud compliance while also hardening their security posture.
These actions items include:
- Know your role within the shared responsibility model most cloud providers follow
- Invest in cloud security solutions, such as cloud detection and response (CDR) and cloud security posture management (CSPM).
- Utilize known AWS cloud security tools such as Amazon Inspector and Vulnerability Management, Amazon Guard Duty, and AWS Security Hub
Learn more about cloud compliance within the legal industry, and how Arctic Wolf can help.
See how Arctic Wolf partnered with firm Burges Salmon to reduce their cyber risk while helping them achieve their security goals.
