3 Reasons a Law Firm Needs a Stronger Defense to Prevent Cyberattacks
The offices of Data, Breach, and Hacker are salivating over your firm’s client roster. They’re pretty devious too, not afraid of using law-breaking tactics like phishing and ransomware to get their hands on proprietary client information that your firm possess.
Keeping data breaches and hackers like our fictional firm at bay has been a challenge for the legal industry. According to a survey by the ABA’s 2015 Legal Technology Survey Report, around 25 percent of law firms with 500 or more attorneys have experienced a cybersecurity breach. Moreover, Cybersecurity 2017 noted some startling statistics. Ransomware attacks are up 500 percent from 2014. The same is true of data breaches — up 127 percent. There were nearly 500,000 cases of identity theft in 2015.
Why are cyber criminals preying on lawyers? Here are three key reasons:
Keepers of sensitive information
All those case files and sensitive information are of high value to hackers of a nefarious nature. In short, you have what they want, and they’ll pull out all the stops to get it. As Kathryn T. Allen, an associate at Polsinelli, an Am Law 100 firm, noted in National Law Review, law firms have a duty to protect client information. “The legal ethics rules require attorneys to take competent and reasonable measures to safeguard information related to clients.”(ABA Model Rules 1.1, 1.6 and Comments).
Information security isn’t a practice focus
Your firm has practice areas, but, chances are, implementing information security isn’t one of them. If you work for a big law firm, you may think you have everything covered with IT resources. The truth is, cyber criminals can access data through any connected device–web server, laptop, phone, public wifi, or even a Nest thermostat. Even without that threat, law firms with corporate clients are receiving assessments of information security practices. If your firm is lacking in information security, form a committee tasked with implementing cybersecurity best practices in your firm.
Spending on information security isn’t a high priority
Law firms are behind other industries and for good reason. Your focus is clients and hours, not preventing data breaches. But given the threat and the potential impact on client relationships, protecting client and firm information from theft needs to be a higher priority.
What can your law firm do to protect itself? Here are four tips:
Get started with an acceptable use policy
Do you have an acceptable use policy that every staffer must sign? This document stipulates the constraints and practices that users must agree to for accessing corporate networks or the Internet. Security awareness training can also help keep information security top of mind. Law firms of every size should have an acceptable use policy.
Focus on controls management for due diligence
Policies can be used to mold associate behavior toward sound information security practices. Controls provide the “trust, but verify.” Controls govern policies and access to data with stipulations like encryption use. Or consider the firm’s password policy. The policy might spell out character count, upper/lower case use, and special character requirement. The control enforces the password policy.
Address cyber threats with vulnerability management
Cyber threats aren’t going away. Address them with an infosec solution that scans and reports on vulnerabilities. You need a game plan for prioritizing vulnerabilities, so the most urgent are addressed first. Manage any incidents with thoroughness, from root cause analysis and mitigation plan to documentation.
Manage your cyber defense with a GRC platform
A lawyer doesn’t go into a courtroom unprepared. Get prepared to prevent cybercrime with a GRC platform designed to manage information security and IT risks. It acts as a central repository for policies, controls, and compliance mandates. The platform connects with third-party technologies that specialize in things like scanning for vulnerabilities. This front line reporting feeds into the platform where it can be analyzed, prioritized and managed, as well as linked to regulations, controls, assets, vendors, and risk registers.
Many law firms use a blend of GRC processes and user-generated spreadsheets and emails to manage information security, comply with regulations and manage risk. That is, until they experience a data breach or conclude there has to be a better approach.
2016 has been called the year of the breach. Is there any reason to think 2017 won’t shine the spotlight on data breaches and cybercrime? It doesn’t matter how big or how small your firm is. Cyber criminals have their eye on your client data, and they’re not afraid to break the law to steal it.
Now is the time to get serious about cybersecurity. Data, Breach, and Hacker have a full caseload of law firms to target. Don’t let your firm be one of them.
Listen to three leading proponents of data privacy as they discuss the development of data privacy around the world.
Learn now to raise awareness of cybersecurity and ensure all Americans protect their identities and assets online.
Learn about first-ever whistleblower case involving cybersecurity.