Cybersecurity For Legal Firms: What Legal Professionals Need to Know
Given the wealth of sensitive information stored by attorneys and their staff, legal firms are prime targets for cyber thieves.
Unfortunately, data breaches are becoming increasingly common, threatening both clients’ sensitive information and firms’ reputations. This is reflected in data from ABA’s Cyber Security Report, which states that 25% of law firms have previously experienced a data breach. A specific example is when Grubman Shire Meiselas & Sacks was the victim of a $42 million ransom in 2020. When breaches like this occur, law firms are faced with the dilemma of either meeting the ransomer’s demands or risk having their clients’ dirty laundry aired publicly.
Obligations of Firm's to Protect Their Data
At the ABA Annual Meeting in August 2014, the ABA adopted a resolution on cybersecurity, covering all law firms, which “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” Firms might also have additional obligations to protect certain types of information, such as personal health information under HIPAA, or New York’s SHIELD, which stipulates that law firms must implement “reasonable” security safeguards to protect their clients’ information.
It’s clear that even the smallest of legal firms have an ethical duty to have some level of technology competency. In so doing, they not only protect their clients but the viability of their firm. Here are some recommendations for how to approach building that competency:
Cybersecurity Best Practices for Law Firms
Establish Your Security Posture
Perform a Gap Analysis
A great place to start is by understanding the current state of your security posture by performing a risk assessment, including penetration testing, to identity if your firm has any key vulnerabilities that could risk your clients’ data privacy. Since the security landscape is in a state of constant change, and an assessment is just a snapshot of a point in time, the assessments should be performed on a regular basis. In order to remain compliant, some government regulations require penetration tests and assessments be performed on a specific schedule.
Having third party security experts perform your firm’s security assessments can reveal more information since they can see things objectively and a variety of cybersecurity scanning tools at their disposal in which they’ve most likely made significant investments. Additionally, some cyber insurance carriers may require that a third party perform the assessments to ensure impartiality. Some clients may also want to have greater confidence in the status of your cybersecurity by requiring third party assessments or reviewing past assessments, policies and other documentation.
Develop Cybersecurity Policies
The importance of cybersecurity and general IT policies cannot be understated. Unfortunately, while their creation and adherence are imperative, too many firms lack robust cybersecurity policies. In 2021 the ABA reported that 53% of firms had policies to manage the retention of information/data held by the firm, while 17% of firms lacked any policy whatsoever, with 8% stating they didn’t even know about cyber security policies. When discussing specific policies, their 2022 survey reported that 67% have an email use policy followed by 63% with a computer acceptable use policy, 60% for internet use, 59% for remote access and 53% for disaster recovery/business continuity.
Organizations can’t merely apply a generic approach to enacting a cybersecurity policy. Every policy must be tailored to the organization’s distinct, specific requirements—consequently, no two policies will be identical. It’s crucial for organizations to meticulously examine their potential risk areas. Furthermore, formulate a customized policy that addresses these vulnerabilities, and ensure all staff members are informed of their cybersecurity responsibilities. Implementing a strong cybersecurity policy serves little purpose if no one is aware of it, comprehends it, or understands their individual role within the framework.
Cyber Attack Prevention
Preventing attacks is still a large part of your cybersecurity defenses. This includes the implementation of a wide array of systems and services such as:
- Securing your perimeter using next generation firewalls.
- Implementation of email spam filtering to reduce risk from phishing and other email-related attacks.
- Installing Managed Detection and Response (MDR) software on PCs and Servers.
- Engaging with a vendor that provides expert Security Operations Center (SOC) services to proactively monitor and resolve security related alerts from your MDR app (these vendors will generally supply a specific MDR app for deployment).
- Engage with an IT Managed Service Provider (MSP) to ensure security best practices such as Access Control Lists (ACLs) are implemented on computing systems and network devices. Your MSP should also be able to recommend and coordinate with a SOC provider.
Employee Training
Whether it’s a phishing attack, or someone calling an employee and pretending to be someone of authority, the biggest risk to firms is their own staff via the social engineering efforts of hackers. These attacks put the hacker “behind the firewall”, bypassing several levels of security, and providing them with direct access to systems and data. While educating employees on cybersecurity and how to identify these tricks may have a short-term impact to productivity, it could be the most important investment you can make in protecting your law firm.
Incident Response & Recovery
No mater how prepared you are breaches can happen as new exploits are created on a seemingly daily basis. What’s important is your ability to respond to a breach. The security team should have a plan ready for how to react to a variety of attacks from data breaches to ransomware. This plan should dovetail into your business continuity plan which outlines how recover from a range of incidents from data breaches to environmental disasters.
While one can not prevent every security incident, there are experts that can help you minimize damage and downtime when under attack. They can Identify how attackers gained access to your business, the attacker’s foothold and access, and take corrective actions to prevent future successful attacks.
Obtain Cybersecurity Insurance
Conclusion
How Adtech Can Help
- Managed Security Services
- A 24/7 Security Operations Center
- Penetration Testing
- Digital Forensic Services