Cybercrime is a multimillion-dollar industry and businesses are fighting well organized, deep pocketed adversaries and need to be prepared.
Law firms face particular risk because of the types of client information they collect – intellectual property, medical or financial information, etc. – to successfully represent them in class actions and other major matters.
To minimize risk of cyber incidents, we recommend law firms prepare for cyber threats and implement the following best practices.
Cyber Policies Having a documented cyber policy is critical for any organization, and law firms are no exception. However, a firm cannot simply create a policy and never do anything with it – firm leaders must ensure all employees are familiar with the details of the policy.
A law firm’s cyber plan should address the access to and release of financial information, intellectual property, customer records and employee records. The policy should lay out who has access to sensitive data, how the data is moved, how often it's updated, how it's stored and the technology involved.
A firm’s cyber policy should also clearly lay out acceptable use rules – can employees use their work devices for personal use? Can security programs be removed from these devices?
Another key component of a law firm’s cyber function is designating a member of the organization to implement and enforce the policies. This person should champion the organization’s cyber function, own the budget and manage the hiring process.
As the legal industry increasingly embraces hybrid work and remote work models in the wake of the COVID-19 pandemic, firms need a policy that specifically addresses remote work cyber controls.
Though a hybrid work model means that firms have less control over cybersecurity than if employees were in the office five days a week, there are precautions they can take to reduce risks.
Firms should consider the physical aspects of remote work that need to be laid out in the policy, such as the exclusive use of the firm’s VPN when performing work duties. If employees are using their own devices, firms should consider having their staff download applications that store and protect client information.
Employee Training A firm’s employees can make or break its cyber policy. Employee adherence is essential to maintaining strong safeguards against cyber incidents.
C-suite members and high-profile partners often have their contact information prominently displayed on firm websites and are active on networking sites like LinkedIn, which make them prime targets for bad actors. It is critical that these high-profile members of firms follow the cyber policies and set a good example for others.
Another important aspect of implementing cyber policies is training. Firms should be consistently training employees on the cyber policies and running phishing tests to ensure employees can recognize and appropriately respond to suspicious emails. Yearly cyber response exercises should be held, too, to ensure each member of the organization understands their respective roles should an incident happen.
Responding to Cyber Incidents If your law firm waits until it has been breached to pull together a cyber incident plan – you are too late.
Firms must develop a cyber response plan before anything happens and delineate roles and responsibilities to the organization’s stakeholders. The response plan should include multiple “what if” scenarios that are practiced at least once a year.
If a cyber incident does occur, its important that the firm meets the obligations for the state(s) in which it is operating.
Firms could also consider purchasing cyber insurance that covers data breaches and CEO fraud. Oftentimes, the insurance policy will also provide firms access to cybersecurity consultants that can aid in the response if an incident does occur.
Third Party Partners If a law firm does not have the capacity to manage its cybersecurity needs it should consider partnering with a third-party consultant. When evaluating potential partners, firms should seek out those with proven track records.
Firms should also ask to speak with other businesses who have worked with the cybersecurity companies before. Successful cyber consultants should be happy to direct law firms to current or former clients that can give positive testimonials.
Another way firms can vet potential cybersecurity partners is to come up with a list of the organization’s need or issues and ask the vendor how they would solve or address those problems. That way firms can get a sense of what a possible partnership with the company would look like.
Following the above best practices will help law firms protect sensitive client data and reduce the risk of experiencing a significant cyber incident.