John Fitzgerald, CPA
11.12.2015 | Practice Made Perfect
No matter your firm’s size, practice areas, or client base, if you are a law firm, you are a target for cyberattack. Your enemy can have a face: a disgruntled employee, a rival, a vendor. It can also be something less tangible: a hacktivist group, organized crime, a rogue nation-state. Wherever the attack comes from, it can devastate your infrastructure, your client base, and your reputation.
In today’s world, a cyberattack is something you should almost expect and certainly plan to defend against.
Before you can begin to build your defense, you need to know what it is you must protect. To do so, you need to answer three not-so-simple questions.
1) What data do you possess? This must include all firm data and all data on your clients, including past, current, and pending matters.
2) Where is this data stored? This seemingly obvious question may lead you to realize that important data is in the hands of partners and staff in the form of physical and electronic records that sometimes leave the protection of your offices. Here are some of the places you may need to consider:
- The cloud;
- Digital cameras and recorders;
- External drives;
- Third-party file-sharing websites;
- Laptops and tablets;
- Mobile devices; and
- Printers, copiers, fax machines, and scanners.
You should also consider your discovery applications.
3) Who has access to your data? Who are the individuals you have entrusted with this valuable private data? How many of them are there? Are they all necessary? Can you set practical limits? Look beyond the walls of your firm. Do you have third-party service providers who have access to your data and systems? If so, can you assess the quality of their security?
Know What Puts You at Risk
You may feel secure with your state-of-the-art firewalls and anti-virus software, and these are certainly part of a good defense, but it’s your everyday business practices that can also leave you vulnerable.
It can be as simple as physical theft. A stolen laptop, mobile device, thumb drive, or other portable technology can cause havoc. Then, there is still the old standby – important physical papers that are carelessly exposed can easily be copied or carried away. Ask yourself some important questions:
- How strong are your passwords?
- If you have had a systems upgrade, how secure was the migration of the data?
- Do any of your clients or vendors house confidential data about your firm?
- Have there been any incidents of unauthorized computer use?
- Have you recently assessed your compliance with federal regulatory laws regarding security standards and policy and any corresponding laws in states where you operate?
- How porous is the confidential information about your firm?
  - Attorney/client communications;
  - Drafts of agreements (at any stage);
  - Payroll and benefits information; and
  - Blogs and other social media activity by partners and associates.
Assemble Your Team: Designate at least one senior professional of the firm as your cybersecurity leader, who will then assign responsibilities to the appropriate IT and operations professionals. By having a senior leader in this role, you are demonstrating that cyber-risk management is a priority and you now have a go-to team in the event of a crisis.
Spread the Word: Invest in an awareness program for all levels that includes training on all new policies and procedures – emphasizing why they are important. Your own people are your best line of defense and can alert you to unusual activity. Consider running a mock cyberattack to make the firm familiar with what will need to be done in the event of the real thing.
Revisit Your Screening Policies: If you don’t already, perform background checks on new hires and vendors with careful attention to any history or experience with cybercrime.
Strengthen What You Already Have in Place: Determine where you stand right now. Perhaps your antivirus and antimalware programs are aging out and need an upgrade. Maybe your password protection policy is insufficient. Upgrade and revise what is already in place.
Establish Your Cybersecurity Policies: Together with your chief information officer or senior IT professional, develop an understanding of the cyberthreat environment you face. Look at any history of cyberattacks on your competitors. Learn about the various approaches cybercriminals might take. Try to determine where you are most vulnerable. Once you know where you stand, you can develop the appropriate policies and procedures. Senior management must fully support the cybersecurity policies and be willing and ready to make the financial investment to make the firm more secure.
Determine Where You Are Most Vulnerable: Give priority to the areas you believe are most likely to be the subject of an attack. While you cannot completely eliminate breaches, you should address your weakest points first.
Try for Early Detection: The time between a cybersecurity breach and its discovery is crucial. The longer the breach goes undetected, the more damage can be done. There are 24/7 monitoring and incident detection systems that can correlate and analyze large amounts of data and send out red flags when they detect threat indicators.
Prepare for the Worst
Knowing that a breach is a probability, it is prudent to have a plan in place so that disorder does not reign when the worst happens and the damage can be limited or contained.
In the event of a breach, contact your crisis management team (a group you designated earlier, of course). This team will be your operational unit in charge of seeing that all computers and other media are secured and access to affected systems is terminated. The next step would be a thorough forensic investigation of your system.
It will be necessary to have a media relations plan in place with a spokesperson who will be the voice of the firm, both internally and externally. It is important to convey the message that you have the crisis in hand. The firm will need to determine the exposure and to whom you need to report the breach. It may be necessary to bring federal and various state agencies into the investigation. In fact, depending upon the state you are located in, you may have a legal obligation to report a breach. Consult with your insurance agent. Should the breach involve Social Security numbers and/or financial accounts, you may need to offer credit monitoring.
It is clear that the ramifications of a cybersecurity breach have a wide and deep reach. You need only consult the headlines to reinforce your position should anyone in your firm think otherwise. The only reasonable and financially sensible course is to prepare a powerful and adaptable defensive strategy that places you in the strongest position to prevent or, at the very least, inhibit the impact of an attack. You simply have too much to lose.