The cybersecurity threat landscape is broad, dynamic, and ever-present. To stay on top of it, firms need to fully engage with the risks they face and take adequate steps to protect themselves and their clients.
Are your firm’s systems strong enough to withstand a cyberattack, and are processes in place to limit the damage and fallout if one succeeds?
Every individual attorney and every law firm needs to ask this question, because failing to prepare for, contain, and properly report a breach can lead to hefty regulatory fines and legal battles. The onus is on firms to keep their clients’ sensitive data safe; failing to do so means reputational damage and, potentially, running afoul of the laws that govern data protection and breach notification.
Cyber attacks and data breaches are on the rise, both in the legal profession and elsewhere. According to the 2016 ABA Legal Technology Survey Report: “only 17.1 percent of all law firms had an incident response plan in place to address a security breach, and only 50 percent of firms of 500 lawyers or more had such a plan in place.” The report also indicated that small firms are being increasingly targeted.
Law firms are attractive targets for threat actors: not only do they hold client information that attackers can monetize, but they also routinely exchange email attachments with clients, and a malicious attachment or a message impersonating a client is a ready entry point into a firm’s systems. Firms are also seen as prime targets for ransomware and extortion schemes, because their defenses have historically been weak and they are viewed as able to pay large sums.
With these factors in mind, it pays to place a strong emphasis on proper cybersecurity measures and have a plan in place that outlines how a firm will respond to a cyber attack.
4 Steps to Better Data Security
1. Understand the laws that govern data security
The rules that dictate security practices and breach reporting requirements vary with a firm’s location. In the UK and the EU, the General Data Protection Regulation (GDPR) sets the requirements for protecting personal data and for notifying regulators and affected individuals of a breach. In the US the picture is murkier: there is currently no federal GDPR equivalent, so firms must navigate a patchwork of state laws, and, as Lexology notes, GDPR itself can still reach a US firm that handles the personal data of people in the EU.
2. Create a culture of cybersecurity
Creating a culture of cybersecurity means making sure everyone in the firm understands that security is everyone’s job, not just the IT department’s. Conduct regular training sessions, and update systems and processes whenever the threats or the firm’s own setup change. Human error remains a key entry point for attackers, most often through phishing, so training should teach staff to recognize suspicious messages and attachments and to report them promptly rather than quietly deleting them.
3. Run a full suite of cybersecurity tools
Firms need to cover all their bases, which means running a full, properly maintained set of security tools rather than relying on any single one. Depending on the firm’s systems, this typically includes a VPN for remote access, DNS filtering, email scanning, firewalls, antivirus and anti-malware software, multi-factor authentication on email and document systems, and tested, offline backups that can restore data after a ransomware attack. Installing the tools is not enough: they must be kept patched, configured correctly, and monitored so that someone actually sees the alerts they generate.
4. Be prepared for the worst
Because the threat level keeps rising, an incident is a matter of ‘when’, not ‘if.’ Being prepared, with a written action plan that spells out who does what when an attack is detected, how systems are isolated and restored, and how clients are informed, goes a long way towards protecting the firm’s reputation and financial assets; the plan should be rehearsed before it is needed, not read for the first time during a breach. Firms also need to comply with the breach reporting laws of their country and/or state, and those deadlines are tight: under GDPR, for example, a qualifying breach must be reported to the supervisory authority within 72 hours of the firm becoming aware of it.
The threat landscape will not stand still. Firms that engage fully with the risks they face, and take adequate steps to protect themselves and their clients, are the ones that will stay on top of it.