It was a vendor that first identified the IT data breach at the Office of Personnel Management (OPM), according to Eric O’Neill, a former counterterrorism and counterintelligence operative.
The vendor had installed security software in order to demonstrate its value, and OPM would soon learn that upwards of 22 million personnel records had been stolen. The breach exposes federal employees, including members of the intelligence and military communities, to the risk of identity theft.
Mr. O’Neill’s comments came in the form of a keynote speech at the 2016 LegalTech® conference titled, Cybersecurity and Data Espionage: Spy Stories for Lawyers.
For a time, corporate America only had to worry about competitors stealing business secrets. Today, a number of high-profile breaches show that nation states are also a threat. Worse, organizations, from government agencies to corporations to law firms, while reasonably good at defending against threats from the outside, have room to grow against insider threats.
Button: $3.8 million is the ave. cost of a data breach says MTS lead Jesse Alexander booth 100 #LTNY16 pic.twitter.com/JHqkCEaKpj
— LexisNexis Software (@Business_of_Law) February 2, 2016
The First Digital Spy
Mr. O’Neill rose to prominence as the result of an insider threat. In 2001, he was part of the operation to catch Robert Hanssen, “the worst spy in history,” he said. Mr. Hanssen stole and sold government secrets to the Soviets and later the Russians for 22 years.
Mr. Hanssen was an insider. Not just any insider, but a person of special trust, charged with preventing and identifying spies who were stealing secrets. He was a spy charged with catching spies, an ideal position for covering up illicit activities.
He was, according to Mr. O’Neill, the first cyber spy: Mr. Hanssen exploited computer systems and stored the data he took on an early model personal digital assistant, or PDA.
Outrunning the Cybersecurity Bear
Today, the conventional Hollywood notion of a “hacker” is a myth: the disgruntled engineer typing and clicking his way into a hardened system from a basement. In reality, “hackers are looking for the easy way in,” he said.
“Hacking is the normal evolution of espionage.”
Today, cybersecurity is a bit like avoiding being eaten by a bear, according to Mr. O’Neill. You just have to run away faster than the other person.
To keep ahead, he offered a simple framework for security, which Legaltech News summarized in an article titled, Former FBI Operative Tells His ‘Spy Stories’ and the Biggest Issues in Security:
Compartmentalization: First, know what sensitive information you hold and where you keep it. Second, limit access to it; not everybody needs access to that information.
Diligence: “Don’t fall asleep behind the wheel,” O’Neill said. Actively use methods to know whether information is being accessed. For example, know what endpoints are on your network, and maintain an application whitelist so that apps with insufficient security are not allowed to run.
Beware social media: O’Neill said that he “can’t say this enough.” The message applies equally to young people and adults, but he stressed that those in attendance should tell the young people in their lives to be more careful than they are being.
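To make the compartmentalization and diligence points concrete, here is an added example (not code from the keynote, the Legaltech News article, or LexisNexis) that audits a constructed access log against a data-access policy, an endpoint inventory and an application whitelist, and also flags an authorized user pulling an unusually large volume, the pattern a trusted insider like Hanssen presents. The log format, usernames, hostnames, application names and the 50 MB threshold are all assumptions made for the illustration.

```python
import re
from collections import namedtuple

# Added example, not from the original page. Every name below is constructed.
Finding = namedtuple("Finding", "line rule detail")

# Compartmentalization: which principals may touch which data store.
ACCESS_POLICY = {
    "matter-files": {"svc-dms", "jsmith", "rlee"},
    "hr-records": {"svc-hr", "ppatel"},
}
# Diligence: the endpoints we expect to see and the apps allowed to touch data.
KNOWN_ENDPOINTS = {"wks-101", "wks-102", "srv-dms-01"}
APP_WHITELIST = {"dms.exe", "hrportal.exe", "outlook.exe"}

# Assumed key=value log format; a real DLP or file-server log would differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"action=(?P<action>\S+) store=(?P<store>\S+)(?: bytes=(?P<bytes>\d+))?$"
)

# Constructed sample log: two normal reads, one policy violation, one
# bulk pull from an unknown laptop with an unapproved app, one junk line.
SAMPLE_LOG = [
    "2016-02-02T09:01:12Z host=wks-101 user=jsmith app=dms.exe action=read store=matter-files bytes=20480",
    "2016-02-02T09:02:40Z host=wks-102 user=ppatel app=hrportal.exe action=read store=hr-records bytes=4096",
    "2016-02-02T09:05:03Z host=wks-101 user=jsmith app=dms.exe action=read store=hr-records bytes=1024",
    "2016-02-02T09:07:55Z host=lt-unknown user=rlee app=syncclient.exe action=read store=matter-files bytes=60000000",
    "this line is not a valid event",
]


def parse(line):
    """Return a dict for a well-formed event, or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"] or 0)
    return ev


def audit(lines, bulk_threshold=50_000_000):
    """Check each event against policy, endpoint inventory, app whitelist
    and a per-user cumulative volume threshold (assumed 50 MB)."""
    findings = []
    bytes_per_user = {}
    bulk_flagged = set()
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        if ev is None:
            findings.append(Finding(n, "unparseable", line.strip()))
            continue
        allowed = ACCESS_POLICY.get(ev["store"])
        if allowed is None:
            findings.append(Finding(n, "unknown-store", ev["store"]))
        elif ev["user"] not in allowed:
            findings.append(Finding(n, "unauthorized-access", f'{ev["user"]} -> {ev["store"]}'))
        if ev["host"] not in KNOWN_ENDPOINTS:
            findings.append(Finding(n, "unknown-endpoint", ev["host"]))
        if ev["app"] not in APP_WHITELIST:
            findings.append(Finding(n, "unapproved-app", ev["app"]))
        # An authorized user is still worth watching: volume is the tell.
        total = bytes_per_user.get(ev["user"], 0) + ev["bytes"]
        bytes_per_user[ev["user"]] = total
        if total > bulk_threshold and ev["user"] not in bulk_flagged:
            bulk_flagged.add(ev["user"])
            findings.append(Finding(n, "bulk-read", f'{ev["user"]} {total} bytes'))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

The fourth sample line is the interesting one: rlee is allowed to read matter-files, so a pure access-control check passes, and only the endpoint inventory, the application whitelist and the volume threshold surface it. That is the gap O’Neill’s diligence point is aimed at.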
For law firms, which carry additional ethical obligations to their clients, IT security can be overwhelming.
“A number of law firms have been so overwhelmed by the nature of the data security threat that they have essentially been paralyzed by the sheer scope of the problem,” according to Jeff Norris, CISSP and senior director of data security for LexisNexis Managed Technology Services.
It is “a reaction that is understandable considering they’re in the business of practicing law, not cybersecurity,” he said during an interview for a blog post titled, 6 Key Ingredients to a Law Firm Data Security Plan.
“You don’t have to outrun the bear, just the person you’re with,” Mr. Norris added in a conversation following this keynote session. “Firms have to start putting plans in place, but those plans don’t need to be perfect or complete – just evolving based on risks. Action helps ‘un-paralyze’ and a path toward avoiding being, or becoming, a soft target.”
* * *
The operation designed to catch Mr. Hanssen in the act might today be likened to social engineering. A team distracted Mr. Hanssen at work while Mr. O’Neill retrieved data from that PDA without his knowledge, which provided actionable information for law enforcement to catch Mr. Hanssen red-handed.
Photo credit: Flickr, Tambako The Jaguar, Polar bear in the sun (CC BY-ND 2.0)