Do You Know Where Your Data Is? How Law Firms Can Protect Their Most Valuable Asset

By John A. Smith, CSO, Conversant Group

If data is the new oil, this holds especially true for law firms as they are wholly dependent on the information they store and maintain regarding their clients. Further, law firms have a fiduciary responsibility to protect this sensitive information regarding cases and clients; and, their businesses are wholly dependent on trust and reputation, which can be easily broken in the event of data loss. Despite the significance the industry puts on proprietary data and information, it appears most law firms still aren’t prioritizing how it is protected. A recent report issued by  Conversant Group and the International Legal Technology Association (ILTA) titled “Security at Issue: State of Cybersecurity in Law Firms”  found that only 11% of firms report data backups as a critical security control. In the event of a cyberattack like ransomware, threat actors target backups in roughly 94% of cases and are successful in compromising at least some data stores at least 68% of the time.

With ransomware attacks running rampant, law firms’ IT and security teams must encourage and enhance backup protocols when it comes to protecting the organization’s valuable data. Arguably, backups are the most important security control—when data is lost forever, many firms never recover. Thus, ensuring backups are redundant, immutable, recoverable, and have controls within and around them is essential for firms to protect themselves from catastrophic loss.

What is Immutability and How to Achieve it?

When it comes to data backups, being “immutable” means that data in storage is incapable of being changed, encrypted, or deleted. The only way it should be modifiable is by a two-key simultaneous lock turn (think of the dramatic nuclear bomb launch we may see in movies) and the expiration of a designated retention period, such as a timed lock on a safe.

Immutability for law firms is essential as they are frequently targeted by ransomware actors, and immutable backups are a requirement of many cyber insurance carriers. It is important to note that not all immutability is created equal; and redundancy and recoverability are essential components as well. Should a threat actor infiltrate a network and break controls around one data repository, it’s critical that there be several others, all immutable and preferably of different types and differing manufacturers to hedge bets, to add additional layers of insurance against total loss.

How Secure Are Law Firm Backups?

Alarmingly, 38% of law firms confirmed their backup copies are either not immutable or they are unsure whether they are, and only 24% reported having multiple immutable copies of all data. As previously mentioned, not all immutability is created the same, and sometimes law firms are not correctly reporting whether their backups are immutable.

Storage snapshots emerge as the most common form of backup at nearly double most other backup methods. While this may not be the only method of backup for some firms, it is the most often used as it is most convenient; but it cannot be relied upon to be immutable. To my knowledge, only Pure snapshots offer immutability to the standards of cybersecurity professionals. Currently, only 9% of firms report using Pure snapshots for their shared storage, and all of those are likely not enabling immutable snapshots of all data. Since most firms use non-immutable local and remote storage, there are likely gaps surrounding immutability to truly safeguard organizations from targeted backup attacks.

Lastly, many firms have components of backup infrastructure as part of the Active Directory domain. This is another Achilles’ Heel in firms’ backup resilience strategy—no backup servers, proxies, or targets should be domain-joined, as any attacker that can penetrate the network can then access company data in storage.

How Should Firms Protect Backups?

We recommend organizations of all types, including law firms, employ the following approach:

• Always have five copies of its data:
  • One: The production data.
  • Two: All data backed up to physically redundant, immutable backup storage.
  • Three: All backups replicated to physically redundant, immutable offsite backup storage.
  • Four: All backups copied to digitally air-gapped, immutable storage.
  • Five: All volumes on all storage platforms (NAS, SAN, etc.) immutably snapped.

Through this method, firms can ensure redundancy, immutability, and recoverability—should a threat actor attack one data repository, other immutable copies exist on different technologies.

Putting Backups in the Forefront to Secure Business Operations

In the end, when your data is gone, so, too, is your business. Backups MUST be considered a first line of defense, and with this, law firms need to prioritize learning how to defend not only their front-line defenses, but also their resiliency in the event an attack occurs.

About the Author

John Anthony Smith is CSO of Conversant Group and its family of IT infrastructure and cybersecurity services businesses. He is the founder of three technology companies and, over a 30-year career, has overseen the secure infrastructure design, build, and/or management for over 400 organizations. He is currently serving as vCIO and trusted advisor to multiple firms.

A passionate expert and advocate for cybersecurity nationally and globally who began his IT career at age 14, John Anthony is a sought-after thought leader, with dozens of publications and speaking engagements. In 2022, he led the design and implementation of the International Legal Technology Association’s (ILTA’s) first annual cybersecurity benchmarking survey.

John Anthony studied Computer Science at the University of Tennessee at Chattanooga and holds a degree in Organizational Management from Covenant College, Lookout Mountain, Georgia.