Cyber attack is a major risk for today’s law firms. Cybercriminals target law firms as part of a multi-billion dollar industry, which has in turn led to a fast-growing cyber industry, and the subject remains a sensitive one to talk about for lawyers and businesses alike.
But as the cyber crime business grows, the need for law firms to target cybersecurity risk has become equally urgent.
And clients are seeking the assurance that lawyers will take the risk seriously.
Clients are now seeking greater urgency in what law firms and in-house legal departments are doing to ensure they are protected from cyber attack.
Further, as law firms provide services to a range of clients, often changing and shifting in their alliances, so too arises the risk of someone leaving the law firm with firm and/or client data, which may be very difficult for the firm to detect.
Law firms provide a vault-load of valuable, sensitive information relating to corporations, governments, individuals and others. Many lawyers fail to realize that their sensitive information can be exposed to breach and intrusion, particularly as there are increased breaches.
Bloomberg News reports that a corporation can ask a law firm to take the assessment, which gives the firm remediation advice and a score that is used to compare firms.
Companies and law firms need to create a culture of security and act now, says David Shonka, acting general counsel of the Federal Trade Commission.
“The answer is to think ahead of time,” Shonka said. “Plan things.”
US research shows that the cybersecurity business is one of the fastest-growing in the world, worth over $230 billion by 2022.
Crystal Market Research shows a less impressive but still heady market of over $173 billion by 2022, and Gartner Inc shows that this year cybersecurity research would reach over $96 billion.
What should law firms be doing to protect themselves from cyberattack?
IT Security Central asked some of the top cyber security experts in the US what law firms should be doing to protect themselves from cyber attack and/or data breaches.
We’ve looked at five of the top suggestions.
Cyber experts say the best thing firms can do is get outside experts to provide vulnerability assessments to see where they are at risk. The cost of an assessment will vary depending upon the complexity of the firm’s computer systems, and will range from fixed fee amounts to hourly rates.
For firms, the vulnerability assessments are privileged: by invoking lawyer-client privilege, the firm can prevent them from being used against it in court.
What are some of the things firms can do now to avoid attack or major data loss?
1. Data Loss Prevention
Implementing a data loss prevention (DLP) plan is a key way to ensure the firm tracks and prevents access to data so as to protect the firm and its clients.
DLP solutions have become increasingly effective and also more affordable, which opens the door for smaller law firms to use the software to implement the protection.
2. Train staff in Security Awareness.
Security awareness training for users should be ongoing and mandatory as part of every firm’s IT Security Policy.
Training staff to recognize signs of attack is a key factor. Ensuring law firms have appropriate cyber security is part of what it costs to do business. Remember that many firms are hacked without even knowing it and employees can click on things that appear familiar. Building a ‘security awareness’ is part of the key towards avoiding data breaches or cyber attack.
Phishing attacks are also common and need to be guarded against by employing phishing simulation to make staff aware of what is happening with increasing frequency.
3. Manage Data Separately.
Storing data in a third party cloud provider and also ensuring that users have limited access to it is a suggestion that has wide appeal. The use of a third party can provide up-to-date technology, as well as having access to third party security and monitoring while at the same time reducing the risk of exposing client data through a single person’s breach.
Documents should only be retained on the main system if it is necessary. There are various ways to ‘partition’ storage or use devices like ‘air gapping’ in respect of sensitive data to avoid exposure to potential hackers.
4. Insure Yourself.
Taking insurance to cover the costs of any data breach is key, even though it is an after-the-event precaution. Having the best possible firewalls and anti-virus software is key and part of what any law firm today requires to avoid cyber attack, along with the other methods outlined here. But at least have insurance to ensure your firm is not massively damaged by cyber attack.
5. Disaster Recovery Plan.
Have a good disaster recovery plan which can provide access to data once you’ve been attacked or compromised in any way. This can also avoid having to pay hackers’ ransom demands and avoid providing them with the soft target that will see them return.
There are a variety of other software and security solutions that are emerging when it comes to cyber attack. One of the things law firms need to do is ensure their security personnel or consultants are in place and to recognize that an IT security employee is a key part of the firm, which means remunerating and recognizing their importance above and beyond what has hitherto been the case.