Recent breaches involving the MoveIT file transfer service highlight how law firms, like organizations in other verticals, need to attend to information governance in order to understand and reduce their breach surface area.
Not If, But When
Whatever your opinion of your cyber security team, you have to admit that they have a tough job. The threat landscape never stops moving and, from state actor to opportunist or enthusiastic amateur, there is no shortage of people actively trying to make their job hard. As a result, we know that they only have to fail once for things to go badly wrong, so we should never assume that the doors to our organization, and the data within, are securely bolted. The fact is that our security colleagues need all the help they can get.
You don't have to watch the news for long to know that data breaches are a relatively common occurrence. However, it might surprise you to learn that, once a breach occurs, the average hacker will have around 280 days before their presence is detected and contained (Ponemon Institute Cost of Data Breach Report 2020). This time affords a range of opportunities: initially, searching for unsecured credentials and, later on, locating collections of sensitive or valuable data for exfiltration and subsequent exploitation.
With these threats in mind, the question any self-respecting information professional should be asking themselves is "how can I mitigate the inevitable breach by reducing my sensitive data surface area?"
Leave Less Candy on the Shelves
In May 2023, the law firm Kirkland & Ellis, and other companies such as health insurer Humana, were the victims of a hack in which the threat actor compromised the MoveIT data transfer service and gained access to a litany of sensitive personal data in the files it held. The subsequent class action accuses the law firm of 'not doing enough to safeguard personal information'. Other organizations, perhaps most prominently the data analytics giant Equifax, have made similar errors, where hackers have gained access to their information environment and found significant volumes of sensitive data effectively left lying on the shelf. Indeed, in our daily business as a data discovery vendor, we find that this pattern is commonplace, from a defense manufacturer leaving top executive salary and other data exposed to a natural resources company exposing employee disciplinary records to open search.
Looking back, all of this is understandable. Our IT and information systems rarely work seamlessly for the average user, and busy people, just trying to get through their day, unintentionally leave data unattended, subconsciously assuming that it's safe where it lies. However, in the modern threat environment, it should be plain to anyone who is paying even a little bit of attention that all organizations need to get better at storing less data. This means simply disposing of data that is no longer being used and, where it is needed, making sure it is stored in as few places as possible. The evidence is, however, that we have some way to go to instill such behaviors and even further to resolve all the accumulated sins of the past.
Information Governance, the Eyes and Ears of the Business
Information security is a team effort. It requires everyone to be aware of the hazards inherent in their daily work and to take time to reduce the resultant risk. However, it's unrealistic to expect end users to shoulder too great a share of that burden. Sure, they can always get better, but they have other responsibilities that we need them to attend to. Further, we have already established that our cyber security colleagues are fighting an uphill battle and can never guarantee that a breach will not occur. With that reality in mind, who is watching out for the organization's data as an asset?
With compliance focusing on a broad range of requirements across all aspects of the organization, Information Governance (or an equivalent) should have the business's back in overseeing its information holdings. It stands in the gap between the security organization and the business as the group with the skills and experience to understand the big picture and, armed with the facts on the data practices actually in use, it should work hand-in-glove with compliance to assess and mitigate the resultant risk. This task is not small, so Information Governance teams need to be data-driven. They need insights to help them identify data at risk and understand the underlying user practices.
Insights Made for Data-Driven Governance
Information Governance teams empowered with a data discovery capability have the tools to be proactive in their role. Such a capability allows them to spot the warning signs of proliferating bad practices and mitigate the resulting issues. What's more, they can monitor those practices against policies and standards and provide metrics that allow the business to be held accountable for agreed-upon improvement.
Recognizing that cyber security cannot fight this fight alone, we built ActiveNav Cloud to power up Information Governance and Compliance teams to become data-driven. It provides insights across all unstructured data, allowing users to pinpoint risk hotspots and providing clear workflows and visualizations that enable prompt and defensible mitigation. You can see it in action and learn more here.