One of the many important roles of a lawyer is to mitigate risk to his or her clients. Each day, we learn more about the ever-changing landscape of cyber threats that pose a risk for lawyers serving their clients. In today’s world, it is not really a question of “if” your law firm will be the target of a cybersecurity breach, but a question of “when”. There are even websites that exist which identify specific law firms as targets because they are known to be vulnerable and penetrable to those who wish to exploit them.
More often than not lawyers are either ignorant of the risk or choose simplicity over security, and firms simply cannot afford to continue on this path any longer. In my experience, most lawyers do not even realize they have chosen a risky path until it is too late. A lawyer’s time is extremely valuable, so the struggle usually occurs when there is a choice between security and the billable hour. Is it more important to focus on servicing a client or learning on how to ensure that the law firm’s information and the client’s information are secure? Both areas are vital to the success and growth of a law firm.
The best defense against cybersecurity threats is a solid plan and an unrelenting commitment to it. Regardless of a law firm’s size or resources, implementing a strong cybersecurity plan is attainable with the right technology team. Make sure the team truly understands the needs of the firm and that they closely follow the Bar rules for professional conduct and ethics, as well as evolving legal trends. Ensuring that the firm’s cybersecurity plan aligns with Bar rules and current trends is vital and must be the benchmark. This is much like how a law firm assists clients in mitigating risk, a solid technology team will do the same for the law firm.
Every law firm we have ever worked with has been committed to investment in common security measures such as firewalls, anti-virus, anti-malware, and spam filtering, but while these systems are integral to a strong cybersecurity plan, other aspects of the plan are often overlooked or ignored. In this article we will focus on 3 of the most important areas for a stronger cybersecurity plan: awareness, passwords, and policies.
The most important element of a strong layer of cybersecurity for a law firm is awareness. Threats are all around us and occur in real-time. Bad actors do not care if we are busy, in fact, they thrive on it and seek to capitalize on it. As we are all working diligently to provide service to our clients, we are constantly faced with cybersecurity threats that wish to expose our weaknesses. We need to be armed with the latest information around cybersecurity threats, trends, and best practices. We must empower our colleagues to make good decisions in real-time, whether it is clicking on a link in an email, identifying a fraudulent request or, using social media to force us to give up valuable information.
A cybersecurity awareness program has proven to have excellent results. These programs educate law firm and businesses on best practices and how to avoid the many pitfalls of cyber-attacks. The benefit of these programs is their ability to help prevent staff from falling victim to ransomware attacks, malware, or even worse, fraudulent wire transfers. This can be accomplished through simulated email phishing attacks, lunch and learn training, and testing firm policies. The cybersecurity industry has found that testing employees on a regular basis is vital to the security posture of the organization and keeps these tools in the consciousness of staff. We recommend scheduling time at least once per quarter with the technology team to run tests, discuss best practices and to educate staff to be more aware.
Over the past few years, there has been an increased effort to help everyone understand the importance of maintaining strong, unique passwords. We are making progress, but we have a long way to go. This is by far, the easiest way to hack into any law firm. What many lawyers overlook is how critical it is to not use the same password for multiple accounts. Think of it from this perspective. While your law firm may not be a huge target for a hacker, your account with Apple, Google, Microsoft and other large companies are.
Sample Scenario – let’s assume for a moment that someone uses the same password or password convention for their Gmail account which is the same as their law firm email account. Their password then gets exposed due to Google or their specific account being hacked. Now the hacker has the user’s name and email address and ultimately will do an internet search to find out more information about them. That internet search will reveal many things, including their law firm, personal information and history. From there, all they have to do is find the login page for their email and they are in! Note – there is a website which anyone can go to and see where they have online accounts and whether they have possibly already been hacked.
Always use a different password for each online account and use a good password manager to keep track of them. By using a password manager, individuals only really have to remember one password, so make it a good one!
Policies are often overlooked, especially as it relates to cybersecurity. Most law firms have a password policy, but that is only scratching the surface. Ultimately, every law firm should have a general cybersecurity policy, a communication policy, a password policy, an incident response policy, and a wire transfer policy. Policies protect a law firm from attack by making sure everyone receives a consistent message to the firm’s expectations with information exchange, and ultimately protects against breaches and other fraudulent activity. Most importantly, in the event of a breach, the law firm knows exactly how to handle what is sure to be a stressful situation and what steps it can take to resolve the matter. When something bad happens, it’s human nature to panic and be worried. A good policy does the thinking for us and we simply execute it.
Sample Scenario – let’s assume for a moment a law firm does wire transfers on a regular basis, maybe for real estate closings. If the managing partner’s email is compromised, a bad actor now has access to it and initiates a fraudulent wire transfer request to the accounting person, the accounting person might see the request coming from the partner and execute the transfer without question or follow-up. Before the breach and bogus request are even discovered, the firm has perhaps wired $100,000 to someone other than the intended recipient of that money.
A wire transfer policy should be clear and understood by everyone, and it should always include more than one method of authentication. The policy should maybe require a form to be filled out, and the written request to be backed by a documented verbal approval as well.
Within an effort to create strong cybersecurity policies, start by documenting all of the ways a lawyer interacts with clients and information processing. This will assist the team in identifying potential holes or risks in those policies. There is a balance to how much security each firm needs, and each law firm is slightly different. Find out if the technology team or vendors closely follow the Bar rules in order to be in a position to help your firm navigate the proper approach in terms of balancing the firm’s required security needs with the efficiency of running a law practice.
A commitment to cybersecurity is no longer an option, and all firms need to take cybersecurity threats very seriously. It could be the difference in a law firm’s ultimate success or failure. If we all do our part, we can make a difference and effectively protect the firm’s personal information as well as client information. Cutting costs and ignoring cybersecurity threats is not only a formula for disaster, but it may also nullify any cybersecurity, E&O, and other insurance policies the firm may currently have in place to help mitigate such disaster. Review your firm’s policies and ensure that important internal policy requirements required by your insurance carrier(s) are not being overlooked or ignored.