9.23.21 | Practice Made Perfect
There can be no greater mandate for a law firm than the protection of client and business information. But we live in a hostile age where even the buzzwords themselves — cyberattack, ransomware, security breach — strike fear. We have seen that cybercrime can be committed from within an organization by an unhappy employee or can strike from outside via organized criminals. And as we may be seeing the back end of the pandemic, it can be taken as certain that cybercriminals will not let up and may even become more aggressive. Fortunately, if appropriately used and regularly revisited, law firms can rely on a virtual armory of security measures that can go a long way in protecting their most precious commodities.
Assess the Situation
Begin by determining where you are most vulnerable. If you are uncertain, consider getting an independent cybersecurity assessment to understand the risk to your firm. Cybersecurity is a multi-factorial challenge that requires a multi-disciplinary response, analyzing the security, operational, technological, and governance elements simultaneously. Even if an organization possesses these areas of expertise internally, they are typically disparate functions spread across dislocated teams, each with separate, if not conflicting, objectives. With this in mind, John T. Araneo, Managing Director of Align Cybersecurity and Cybersecurity Advisor to Berdon Technology Services, suggests: “Seek out a credible cybersecurity advisor who can conduct an independent assessment and render an objective, dynamic evaluation across all of these areas.” Araneo adds: “In one exercise, this advisor can provide harmonized takeaways for each of the separate units.”
By way of example, declaring a Data Classification Methodology is a necessary first step. Daunting as it sounds, the process is quite intuitive when explained to business leaders in the appropriate context. As a starting point, buried within a firm’s total data universe are various “crown jewel” data sets — the gold cyberattackers troll for. Where and how is the data stored? How is it used, and by whom? It is more than likely that it resides in more places than you may think, including in the Cloud, emails, laptops, and external drives as well as cameras and recorders, third-party file shares, and yes, even your copiers and those archaic fax machines.
The human factor must also come into play. Identify who in your firm has access to private client data. Do you have confidence in all the individuals identified? It is then up to you to determine whether this group should be entrusted with this responsibility and whether tighter limits on access would provide greater security without interrupting workflow. This evaluation is especially critical if any third-party service providers have access to your data.
Build Your Team, Educate
Deputize a senior professional as your cyber team leader. This individual will work with your technology and operations professionals to assemble a cybersecurity risk management team with designated responsibilities, ready to act if and when a cyberattack occurs. The team should be appropriately empowered, incentivized, and accountable. Initiate employee training on cybersecurity matters. Araneo notes: “Your professionals are your first line of defense in detecting and reporting suspicious activities that could indicate a breach.” Arm your professionals with specific policies and practices that are regularly communicated and updated as conditions change. This communication can be built around an overall awareness program that keeps cybersecurity matters top of mind.
Five Key To-Dos
Here are some practical and achievable imperatives for any effective law firm cybersecurity program.
Update and harden your external-facing systems. Cybercriminals are constantly probing for vulnerabilities in your lines of defense. Your external-facing systems, such as your firewalls, should be monitored in real time and updated with the patches recommended by the manufacturer. Software and hardware companies regularly release patches to address new vulnerabilities, and it is critical to apply the relevant security patches promptly to help maintain a secure technology environment.
Require Multi-factor Authentication. This security feature requires multiple means of identification at login and is widely recognized as the most secure software authentication method for verifying access to data and applications. Multi-factor authentication ensures that a user is who they claim to be, and the more factors used to determine a person’s identity, the greater the trust of authenticity.
Insist on Complex Passwords. Passwords are deemed one of the most critical Windows vulnerabilities; therefore, you should take great care in establishing your password policy. No kids’ birthdays. No wedding years. No ABCD1234. Passwords are only effective if properly managed. Effective passwords contain a complex mix of at least three of the following character types: uppercase and lowercase letters, punctuation, symbols, and numerals. They should also be a minimum of 8 characters. A “good” password is easily remembered by the holder, but not easily guessed by anyone else. Set a fixed time for them to expire and be replaced — never to be used again.
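The password rules above can be enforced mechanically rather than left to individual judgment. The following is an added example, not code from the article or from Berdon; it assumes the policy means at least three of four character classes (uppercase, lowercase, numerals, punctuation/symbols), a minimum of 8 characters, a small constructed denylist standing in for the obviously guessable values the text names, and a reuse check against a history of password digests so a retired password is "never to be used again". SHA-256 is used for the history fingerprint only to keep the example self-contained; a production system would use a slow password hash.

```python
"""Password-policy checker for the rules described in the text (added example)."""
import hashlib
import string
from typing import Iterable, List, Set

MIN_LENGTH = 8    # "a minimum of 8 characters"
MIN_CLASSES = 3   # at least three character types (assumed reading of the policy)

# Constructed denylist: stands in for a real list of guessable/breached passwords.
DENYLIST = {"abcd1234", "password", "12345678"}

_SYMBOLS = set(string.punctuation)


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes: Set[str] = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in _SYMBOLS:
            classes.add("symbol")
    return classes


def password_fingerprint(password: str) -> str:
    """Digest kept in the reuse history so plaintext old passwords are never stored.
    SHA-256 here is a stand-in for a proper slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, history: Iterable[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        problems.append(f"uses only {len(found)} of {MIN_CLASSES} required character classes")
    if password.lower() in DENYLIST:
        problems.append("on the denylist of guessable passwords")
    if password_fingerprint(password) in set(history):
        problems.append("previously used; retired passwords may not be reused")
    return problems


def rotate_password(new_password: str, history: List[str]) -> bool:
    """Apply the policy at rotation time. On success the fingerprint is appended to
    the history (so the password can never be reused) and True is returned."""
    if check_password(new_password, history):
        return False
    history.append(password_fingerprint(new_password))
    return True


if __name__ == "__main__":
    # Constructed sample candidates: the article's own bad example, a weak one,
    # a compliant one, and the compliant one again to show the reuse check.
    hist: List[str] = []
    for candidate in ["ABCD1234", "summer21", "Tr!al-Brief-7", "Tr!al-Brief-7"]:
        accepted = rotate_password(candidate, hist)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} "
              f"{check_password(candidate, hist) if not accepted else ''}")
```

Running the block rejects "ABCD1234" (only two character classes and on the denylist), rejects "summer21" (two classes), accepts "Tr!al-Brief-7" on first use, and rejects it on the second attempt because its fingerprint is now in the history.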
Maintain a Robust Screening Policy. When hiring a new professional or accepting a lateral, make sure that your background checks look into any history or experience with cybercrime. Previous cyber activity may be a red flag, and it should require some inquiry. Apply this same policy towards hiring outside vendors.
Be Prepared. Even the strongest defense is not perfect, so it is wise to be prepared with an appropriately crafted Incident Response Plan should your firm suffer a successful cyberattack. At the moment of such an occurrence, your cybersecurity risk management team (mentioned above) must be prepared to swing into action. Their job is to limit or contain the damage, lock down the affected technology, and see that access to affected systems is terminated. Since bad news travels at warp speed, you need a designated spokesperson to communicate a unified message to all impacted parties. All inquiries should be directed to this person, who will act as the single source of firm information and updates. Make sure that all members of the firm are aware of this policy and comply with it. You may also be legally obligated to report the breach to state and/or federal authorities. Consult with your insurance provider so that you know what steps are necessary.
Cyberthreats are simply part of the cost of doing business today and will continue to be so as we move deeper into the 21st century. As such, having a robust and adaptable prevention and defense policy designed to blunt, inhibit, or deflect an attack should be the first order of business for all law firms going forward. The alternative is unthinkable.
If you have any questions regarding cybersecurity or any other law firm management issue, please contact John Fitzgerald, the Leader of our Law Firm Services Practice, at JFitzgerald@berdonllp.com | 212.331.7411.
Berdon LLP New York Accountants