Anyone aware of current business news cannot avoid the flood of high visibility hacking and IP intrusion/theft. The issues have grown so ubiquitous that it isn't shocking to hear U.S. companies and government agencies suffered a record 1,093 data breaches in 2016 alone, a 40-percent increase from 2015.

On average, the cost of a breach has risen to $4 million per incident—up 29 percent since 2013. Now add state and federal regulations regarding corporate obligations to report, mitigate and protect against breaches, massive individual and class action liability, and reputational damage/loss of good will and you have a recipe for disaster.

This article offers a practical guide to locking down and keeping watch on corporate systems, and those of outside counsel, along with the mission-critical IP data and personally identifiable information (PII) they contain.

Challenging Status Quo

There's no mystery to how hackers obtain nonpublic corporate information these days. If someone wants Company X's data, they attack Company X's network at its easiest points of access and the network of its outside counsel simultaneously.

The reason is simple: beyond the loopholes in corporate data safeguards that can be exploited, corporate outside counsel are typically laggards in terms of industry-standard network and cybersecurity infrastructure and protocols. Pick any day of the week and corporate outside counsel hold not just one, but many corporate clients' data within their network. Can you imagine a more target-rich environment for intruders?

Those in doubt need only ask the folks from the former Mossack Fonseca law firm, where the “Panama Papers” hacking occurred. Considered to be one of the largest data leaks ever, the Panama Papers leak contained more than 11.5 million files, including 2.6 terabytes of data related to the activities of offshore shell companies used by the most powerful people around the world, such as 72 current and former heads of state.

With deference to the skill of learned outside counsel who enable technology transactions (while also prosecuting, defending and litigating the complex rights of their corporate clients on the same), law firms themselves often lack the competency to securely manage complex technology infrastructure.

Recognizing this reality, hackers have made outside counsel a prime target for obtaining sensitive data they hold on behalf of corporate clients.

Changing Old Habits

Readily available solutions to computer and network security challenges range from simple user behavior modifications to more detailed, but effective, protocol changes.

Let's begin with an example: a multinational manufacturing concern holding sensitive IP data and the PII of customers from around the world, with several thousand employees operating from multiple facilities globally. Here the challenge is access to the data. Specifically, how should we treat IP and PII access across the company?

We think the following are baseline requirements:

  • Employee training—Annual training on computer security and email policies as well as corporate compliance policies regarding intellectual property.
  • Contractors—Vetting of contractors allowed onsite. Permit only the minimal site access they need.
  • Issue corporate laptops to ensure monitoring and control of network activities.
  • Provide only the minimal access to computer networks needed, through a web interface.
  • Block the use of external computer and laptop ports, including Bluetooth and wireless connections.

Protocol Facelift

A spectrum of steps exists for implementing new protocols that mitigate, reduce and possibly eliminate IP theft; these are worth exploring.

Recommended IT/Computer policies include:

  • Encrypt all hard drives.
  • Do not allow remote access (VPN) from anything other than company-provided laptops, tablets or phones.
  • Do not allow access to internet file-sharing sites such as Dropbox, Google Docs, etc.
  • Ensure that large back-end IP data stores are reachable only through a front-end web layer that filters and restricts access.

Next, consider monitoring the following activities, with all logs retained for 90 to 180 days for investigative purposes:

  • Monitor all user login activity, both on the network and over remote VPN.
  • Monitor all Internet activity from corporate devices—software such as Websense or equivalent solutions may be helpful.
  • Monitor all USB device attachments—software such as Safend and its peers can do this.

It's important to note that corporate monitoring requires a commitment of people, technologies and infrastructure to ensure timely analysis of the data collected from the above; logs nobody reviews do not shorten the time to detection.
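As an added example (not part of the article, and not the authors' or any vendor's code), the following Python reviewer applies three of the controls above to constructed sample events: it prunes events older than the chosen retention window, flags VPN logins from devices that are not in the corporate asset inventory (the "company-provided devices only" policy), and records every USB attachment for review. The log format, asset tags, user names, addresses and timestamps are all constructed for the illustration.

```python
"""Review constructed login, VPN and USB events against the article's policies.

Added example; the log format and asset inventory below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: tags of company-issued laptops/tablets.
CORPORATE_ASSETS = {"LT-0042", "LT-0107", "TB-0009"}

# Constructed sample log: "<ISO timestamp> <event> user=<u> device=<d> src=<s>"
SAMPLE_LOG = """\
2017-03-01T08:02:11Z LOGIN user=asmith device=LT-0042 src=lan
2017-03-01T21:47:30Z VPN_LOGIN user=jdoe device=LT-0107 src=203.0.113.9
2017-03-02T02:13:05Z VPN_LOGIN user=jdoe device=HOME-PC src=198.51.100.4
2017-03-02T09:30:44Z USB_ATTACH user=asmith device=LT-0042 src=serial:1A2B3C
2016-09-15T10:00:00Z LOGIN user=bgordon device=TB-0009 src=lan
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    device: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event records (UTC timestamps)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, kind, kv["user"], kv["device"], kv["src"]))
    return events


def within_retention(events: list[Event], now: datetime, days: int) -> list[Event]:
    """Keep only events inside the retention window (article: 90 to 180 days)."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e.ts >= cutoff]


def find_policy_violations(events: list[Event], assets: set[str]) -> list[tuple]:
    """VPN login from a non-corporate device, or any USB attachment, is a finding."""
    findings = []
    for e in events:
        if e.kind == "VPN_LOGIN" and e.device not in assets:
            findings.append(("vpn-unmanaged-device", e.user, e.device))
        elif e.kind == "USB_ATTACH":
            findings.append(("usb-attach", e.user, e.src))
    return findings


def review(log_text: str, assets: set[str], now: datetime, retention_days: int) -> list[tuple]:
    """Prune to the retention window, then report policy violations."""
    return find_policy_violations(within_retention(parse_log(log_text), now, retention_days), assets)
```

Run with a 90-day window ending on 2017-03-03 and the September 2016 login is pruned before review, while the two findings (the VPN login from HOME-PC and the USB attachment) remain.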

From there, we can further the protocol development:

  1. Synchronize all local file storage with network storage—software such as Commvault offers a client plug-in for this. This is an excellent solution for frequent corporate travelers who need to take documents with them yet must ensure the latest copy is properly backed up to network storage the next time they are online. It also reduces e-discovery effort, as there is no need to search local hard drives.
  2. Provide travelers with secure self-encrypting USB storage devices for the transfer of data, and include asset tracking of all devices assigned to an individual.
  3. Review and organize all network access rights assigned to individuals in order to minimize access to key network data stores. Set up appropriate Active Directory groups per department and sub-team so that data access is restricted to what is needed to perform one's job duties. This access should be reviewed at least annually and updated whenever an employee's job duties change.

Guarding The Fort From the Inside

Few of us work in corporate network computing environments that lack firewall protection or some other layer of security against intrusion from the outside. However, the reality is that while preventative measures are still necessary, they are no longer sufficient to protect an organization against sophisticated attackers intent on compromising a network.

Security best practices are evolving to meet this challenge by looking at security from the inside out. In other words, organizations are advised to assume that their perimeter protections WILL fail—and on a regular basis.

Once an organization swallows this bitter pill, it can focus attention on the challenge of detecting and responding to threats that have made their way inside the firewall and onto the corporate network. Deploying and managing advanced behavior analytics, log correlation, and endpoint threat detection tools are part of the solution. The question is: at what cost?

For most midsize organizations, including law firms, it's impractical to invest in an in-house 24/7 threat hunting team. This would require arming it with the latest tools, training it in the latest techniques for advanced detection, and equipping it for real-time response and forensics. Even if such a team could be assembled, retaining it in a security market experiencing a major talent shortage would be a continuous and expensive burden.

As a result, many companies are turning to a new breed of security partner offering 24/7 managed detection and response (MDR) services. These services couple a round-the-clock security operations center (SOC) with industry-leading advanced security analytics and anomaly detection platforms.

With the ability to reduce time to detection from months to hours or minutes, the right MDR partner can dramatically reduce or completely eliminate the negative impact of an intrusion. As long as you can detect and suppress an attack before sensitive data has been exposed, you can avoid nearly all the negative consequences that a full-blown data breach would bring. The best MDR providers offer the peace of mind that comes from knowing your network is being actively patrolled even while you are sleeping, or simply focused on running your business.

Wrapping It Up in a Bow

Unlike many areas prone to evolving standards, computer technology advances at a breakneck pace, creating unique and ongoing security challenges at every turn. Through a concerted effort to proactively identify and address these challenges with vigilant protocol updates and MDR behind the firewall, we can greatly lessen the extremely destructive and costly incidence of corporate data breach and theft.

Locking down and protecting the fort for our corporate IP and the PII it contains is both a duty we owe and the competence required for the privilege of doing business and remaining a going concern.

Dan Panitz, UnitedLex VP, Global Legal Solutions, is an attorney based in New York with more than 20 years of combined legal, technology and corporate advisory experience.

Bruce (HB) Gordon currently works for Teva Pharmaceuticals located in Horsham, Pennsylvania as their manager, ESI response management.

R Jason Straight, UnitedLex SVP, Cyber Risk Solutions, is chief privacy officer at UnitedLex and has been managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges for more than a decade.