The increase in cybersecurity breaches at law firms has many firms, and their clients, alarmed. Rightfully so. What we’ve seen of late — and undoubtedly many other cyber attacks that have gone unreported — is the tip of the proverbial iceberg.
Law firms can be alluring targets for hackers given the trove of sensitive information they hold that can be used for financial gain. And no, your firm doesn’t need to have the headline-grabbing client roster involved in the Panama Papers to be targeted. Small, mid-sized, and regional firms all are vulnerable, since hackers may assume they don’t have a robust data security infrastructure.
Regardless of firm size or global reach, cyber attacks are expensive, both financially and to your reputation. Attorney-client privilege and confidentiality are core tenets of legal practice, and that same degree of care must extend to the security of your case management and other IT systems. Does it?
Firms are susceptible to cyberattacks on many fronts, starting with your people. Common vulnerabilities include the seemingly mundane: unsecured email communications with clients, a partner accessing files from a personal email or cloud storage account when working from home, or use of third-party software that doesn’t have proper security controls. The solution lies in engaging people, processes, and technology to strengthen your cyber defenses. Pending legislation in New York State will require cybersecurity to be included in continuing legal education requirements, likely resulting in increased vigilance for law firms around the nation. Here are six straightforward ways to get started:
- Build awareness.
Conduct security awareness training for the entire firm. Having users who are diligent about strong passwords, who don’t click on links in email, and who don’t use personal email accounts to address client documents can significantly reduce the threat level to the firm.
- Offer secure options.
Provide all users a secure means of communication and storage. If you don’t provide firmwide communication and storage portals, users will create their own workarounds. And these won’t be safe.
- Block potential threats.
Lock down unnecessary services. Consider blocking email attachments to and from external addresses. Instead, use a secure portal mentioned above for sharing documents, and prohibit unencrypted USB flash drives. Encrypt all devices. Laptops, USB drives, anything and everything that leaves (and enters) your building. And make sure the third-party applications and vendors that access your systems have strong and reliable security measures in place as well.
- Create a culture of security.
Develop a strong culture and sound policies around cybersecurity. The management team should lead the security governance charge, allocating resources and modeling a security-conscious culture. The IT team implements specific security mechanisms, such as firewalls and monitoring applications, and your security officer ensures users comply. In other words, everyone in the firm plays a role. Otherwise, you’ve just set out another welcome mat for a hacker.
- Test and monitor.
Intrusion detection monitoring 24/7 is a must-have these days. Hackers are becoming increasingly sophisticated and, without your constant surveillance, they can hide out undetected, accessing firm and client information for a long time. In addition to continuous monitoring, firms should conduct so-called white-hat hacking or penetration testing. Do this at least once or twice annually to see how your cyber infrastructure would hold up to an attack.
- Have a plan.
Firms need a formal, written, and current cyber incident response plan in the event of a breach. This includes hardware theft, such as a stolen laptop or smartphone. The plan should include procedures for reporting incidents within the firm, contacting law enforcement, and communicating with clients and the media. As uncomfortable as it may feel to alert clients, you don’t want them learning your firm was hacked from a news article or through the business community grapevine.
We also recommend that firms look into cyber insurance, which may help recoup some of the significant expenses associated with a breach. That said, as with any insurance policy, it won’t mitigate your risk.
There are a lot of moving parts to consider, but cybersecurity is critical to the success and sustainability of your legal practice. Clients and prospective clients, too, are recognizing the risks of sharing their information with vulnerable organizations. You can expect them to ask you what cybersecurity measures your firm takes to protect it. The starting points above not only can help alleviate these valid concerns; they also can differentiate your firm from those who still mistakenly believe it can’t happen to them.