As news of data breaches and hacker break-ins continues to make headlines, many companies and law firms may feel helpless as hackers continue to get more sophisticated and cybersecurity defenses, even the best of them, become outdated quickly. Indeed, many breach victims don’t even realize their data has been compromised until long after hackers have broken into their systems.
Legal Executive Institute recently spoke with Mary Beth Borgwing, Chief Strategy Officer of LemonFish, a data behavior analytics firm that works with companies, law firms and other entities both before and after a data breach or cyberattack.
Legal Executive Institute: When LemonFish comes in after a data breach has happened, what can it learn and how does it help the company that’s been hacked?
Mary Beth Borgwing: Let me give you an example. In a case we recently worked on, a company had a PII [Personally Identifiable Information] breach, and they didn’t even know it until they were contacted by the FBI. The FBI came in and took the information and the server it was on, and held onto it for eight months. This company eventually got the data back, and they contacted us.
We took the 500,000 documents that were in there, indexed them, and found the PII data that had been exposed using our data detection platform. Once we found the exposed PII information, then the company could accurately report it and begin work on their insurance claims.
So, we are working with the client’s legal, insurance and management teams. We’re giving them a breach report that details what was breached, where it was found, and how the breach happened. We are going to take the data that’s been in that file, and we are going to build search queries on it with our analytic engine. Then we take it out to the Open Web and the Dark Web, and find what has been exposed. That all goes in the data breach report.
LEI: How do you search the Dark Web and find out what’s been exposed? I’m guessing there’s no equivalent of Google there.
Borgwing: Right. Almost 70% of the information out on the World Wide Web is not indexed. If you think about that much information missing from any search ability, then you see the Dark Web as basically a black market. But we are able to put a graph analysis together of that marketplace, so people can visualize what their exposure is, without compromising their data or security. We are able to see what the company looks like from a document capability perspective, how they speak and how they communicate within their company. Then if one of those documents is compromised, we can do similarity analysis and go out and do a search, and see if somebody is chatting about them, has stolen some of their documents, is selling them or thinking about selling them. We do this all through an analytic engine that we call External Data Detection, or Dark Web Analytics.
We also do a process called query salting, which is secure and safe, for us and the clients. It’s really the ability to make searches in both the Open and the Dark Web that masks the real intent of the search so that criminals or hackers don’t really know what you’re searching for. And we do seven or eight query salting exercises like that, which only make sense if seen in whole. Then we bring that information back, and we have a variable to create a relativity and frequency and relevancy about the match. We look for a 90% accuracy of the match, so that we know that your document has been taken and used or sold on the web.
LEI: How do you work with a firm that has not yet had a breach? Are there ways to keep the worst scenario from happening?
Borgwing: It’s really about knowing your data. Our mantra is: Know your data, know your risk, and reduce the impact. If you know what your risk tolerance is, and you know what is important to your company, then you can create protocols around that. And if you continuously monitor where your critical data is, you can reduce the impact of any hacker attack.
Nobody wants to air more dirty laundry than they have to. And this is something their attorneys should be telling them. If you don’t want your laundry aired, you should be looking at your exposure on an ongoing basis. The information that’s out there is not going to change. People are always going to be trying to expose your data. How can we stop the exposure?
There’s a realization in cybersecurity now that exposure isn’t going to stop, and that’s why we have to know what clients want to protect the most.
LEI: What do you think is the biggest problem that corporations and law firms have in terms of maintaining and continuously monitoring data security? Is it cost fears? Or an overwhelming sense of not understanding cybersecurity and how to address it?
Borgwing: Think about quantifying the cost of the security a company does have in place. How many more tools does the company need to buy? And what return on investment will it get by buying more tools? There are always going to be more and more security tools coming out. So what happens is the company puts together a data loss prevention system that will have a lot of gaps in it because it’s not an airtight system.
But now there’s a shift going on in the industry and people are realizing that this approach isn’t going to make it. They want to change and look at data analytics. They want to know: How can I take in more data and analyze what’s going on in my environment so I can better utilize the security that I currently have? This is where operational risk meets security.
I think security, as we think of it today, is going to go away. It’s going to become part of the enterprise. People have to be accountable at the board level on down, and to do that you have to bring security completely into the operational risk management platform.