As a cybersecurity defense strategy consultancy focused on small law firms and professional offices, eWranglers (of which I am founder and principal owner) wondered what law firms were doing to protect client data. Our theme for 2017 was to explore the concept of what security measures are easy to implement, are widely known, and can be considered essential and reasonable for all law firms. The term “reasonable” is so widely used in the legal industry that we felt it applied in particular to cybersecurity. Law firms harbor a trove of personal, confidential, and sensitive data about their clients. The release or exposure of such data for many clients may be harmful to their reputation, business, and personal lives. Of course, any data breach easily has the potential to put a law firm out of business. To expand on “reasonable,” we are really talking about those steps that a reasonable person would take to protect data in the firm.
To learn more about the state of cybersecurity at small law firms, we asked firms to respond to 23 questions that focused on exploring what measures are in place, whether their firm had been breached, and other topics concerning cybersecurity defense and awareness. We contacted firms directly and actively solicited survey responses at the ABA GPSolo Solo & Small Firm Summit in St. Paul, Minnesota, in October 2017. Here’s what we found.
Security Measures in Place
Many firms are taking at least some measures to protect data. The most common cybersecurity defense strategy is to use anti-virus software. Seventy-five percent of respondents reported that they used some type of anti-virus software in their firms. The next most commonly deployed measures were firewalls and e-mail spam and phishing protection, reported to be in use at 58 percent of the firms that responded. Backup and disaster recovery technologies were reported to be used by 50 percent of firms. E-mail encryption, device encryption, and directory security were in use at 33 percent, 25 percent, and 17 percent of firms, respectively. Developing policy around protection of data and training employees were used in 33 percent and 25 percent of firms, respectively. Some admitted taking absolutely no deliberate measures to protect their electronic data. Firms using Macintosh computers believed they did not need to take any additional measures beyond using computers believed to be more secure than Windows-based systems.
Of firms responding to the survey, 42 percent reported taking measures to enhance the security of data in their firms over the past year. Motivating factors leading firms to actively address their cybersecurity risks are led not by regulations but by respect for fiduciary responsibility. A full 64 percent of firms cited fiduciary responsibility as the top motivator in taking steps to protect data. Fifty-five percent reported taking measures in response to regulations. Outright fear, threats to company reputation, and client or contract data security requirements were listed by 45 percent, 36 percent, and 27 percent of firms, respectively, as factors motivating them to action. Outside the survey, a trend we’ve observed is that businesses are increasingly writing language into contracts that require suppliers and vendors to take minimum specific measures to protect data. Many large industry hacks have been linked to vulnerabilities not in the firm that was hacked, but in smaller and much more vulnerable suppliers with visibility into the company. Hackers are actively targeting these smaller professional services firms specifically to gather intelligence about their clients.
The areas that firms considered to be their greatest risks were not in line with the defense measures they reported taking. Seventy-five percent of responding firms cited e-mail as one of their greatest risk areas, yet only 58 percent were using spam and phishing protection, and only 33 percent employed e-mail encryption to secure their e-mail. Fifty percent of respondents reported that they felt people were the biggest risk area, yet only 33 percent of firms reported developing policy as a strategy, and only 25 percent of firms actively trained employees on how best to secure the firm’s data. Mobile devices and specifically lost or stolen mobile devices were reported as significant risks by 33 percent and 17 percent of firms, respectively. This was in line with defense measures, with 25 percent of firms reporting that they use some type of mobile device management technology or process. Eight percent of firms reported hacktivists or employees using personal devices for work as equally contributing to cybersecurity risks in a firm.
When assessing their law firms’ preparedness on a scale of 1 to 10, with 10 being fully prepared and 1 being not prepared at all, the average response was 3.5. In general, firms are not feeling prepared to deal with the threats facing them. When it comes to the ability to prevent ransomware, the average was a bit higher, at 4.1. Regarding the ability to prevent theft of mobile devices, the average was 3.8. The existence of software vulnerabilities continues to present entry points to hackers and malware. On a 10-point scale of preparedness against hackers and malware, firms rated themselves at 3.4. In the area of negligent insider attacks, the rating was 4.4. Regarding phishing, firms indicated 4.7. “Zero-day” attacks (attacks that take place the same day that a vulnerability is first discovered/announced) are quite effective for hackers, as they tend to know of these vulnerabilities even before the software vendors publicly release the details of the vulnerability and a respective software patch. Firms reported on average 2.5 on the preparedness scale for zero-day attacks. Firms felt a bit more confident in their preparations to deal with malicious insiders, with an average score of 4.1. Spear phishing has become more common; in this form of attack, well-crafted e-mails are directed at specific individuals, enticing them to take some action to expose data or credentials. Firms rated themselves a 3 on the 10-point scale for spear phishing preparedness. In the area of denial of service, firms rated themselves a 2, where 5 is the tipping point at which firms feel more prepared to defend themselves. On average, based on the low numbers reported, firms are feeling unprepared.
As technologies such as cloud computing evolve, it is becoming harder to define where a firm’s perimeter lies. Some data may be on a server in the office, while other key files are stored in a cloud-based application or service. On the scale of 1 to 10, with 1 indicating strong agreement and 10 indicating strong disagreement, firms averaged a 4 on the statement that security begins at an organization’s perimeter. Regarding the statement that sharing cyber-threat information is beneficial to my organization, firms were right in the middle at 5.5 on average. Firms were also right in the middle on the statement that information security must be approached as though attackers have already breached the perimeter.
Response to Breaches
In the field of cybersecurity, it is common for a lot of time to pass between when a data breach occurs and when it is discovered. People simply don’t know that information has been taken until it is used or disclosed in some way that clearly indicates there was a breach. In order to know if something has happened, a firm must have some type of monitoring in place, backed up by someone to review reports, logs, and other data to know whether something is wrong. Sixty-seven percent of firms reported that they rely on employees to be on the lookout, as well as some form of network monitoring to discover when something might be wrong. Thirty-three percent of firms reported actively monitoring system activity logs and/or having a designated internal security officer in charge.
Motivation for Breaches
On the topic of what motivates people to actively try to compromise a firm’s systems, there was a wide range of responses. Sixty-four percent of responding firms reported that outright theft of client information was a motivator for hackers. Motives of identity theft or hostage and ransom were reported by 36 percent and 27 percent, respectively. Business espionage was cited by 18 percent of respondents as a threat motivator. An example from news stories is firms dealing with merger-and-acquisition clients, where disclosing details could affect stock prices. Nine percent reported black market activities, insider theft, and business partner theft as significant threat motivators.
Why Are Firms Unprepared?
It is clear that firms believe substantial cybersecurity risks exist and that even though they are taking some measures, the firms don’t feel adequately prepared or protected. So, why is it that firms are not more prepared? Thirty-six percent of firms reported they simply did not know what they could or should do to protect data. Lack of knowledge about how to mitigate and remediate cybersecurity risks is a big problem. Many small firms don’t have access to qualified IT support and may simply be “self-insured,” so to speak, with respect to IT support. Firms may tap family members or friends they feel to be knowledgeable about IT for advice. The IT service and support industry remains for the most part completely unregulated in most states. This creates a climate where firms that actually rely on IT “professionals” may still not get good advice. Technology vendors often sell a single-point product that in itself may reduce risks in a particular area but doesn’t effectively address a defensive strategy or work effectively to reduce overall cybersecurity risk. As a vendor in this space, we can understand why so many firms cited lack of knowledge as a reason for being under-protected. Thirty-six percent reported a lack of financial resources as a barrier, while 36 percent also reported there are simply too many emerging new threats to deal with.
Where Are Firms Turning for Help?
When it comes to seeking advice on how to handle cybersecurity, firms lean equally on their peers and industry associations. Thirty-six percent of firms cited both peers and industry associations as important sources of information about what cybersecurity measures they should be taking. Only 10 percent reported seeking advice from vendors or security professionals. Others looked to organizations such as the Federal Bureau of Investigation (FBI) or the Community Emergency Response Team (CERT). Nine percent of responding firms indicated they looked to such sources.
In conclusion, it is clear that cybersecurity is a major business risk facing small law firms. The survey results also paint a dismal picture of where the industry stands with respect to effectively protecting client data. The survey results show firms are struggling to decipher what security measures make up an effective cybersecurity defense strategy. In our opinion, a comprehensive defense strategy is the best way to achieve a material reduction in cybersecurity risks facing firms. Vendors who sell single-point solutions may give firms a false sense of security when they address only a specific risk area while leaving whole categories of threats unaddressed. Their solutions are likely effective inside the small box they operate in, but they don’t address the risk spectrum end-to-end. An effective cybersecurity risk reduction strategy will address defense measures and strategies in the categories of people, process, and technology. Remaining residual risk after implementing these categories of defense can be addressed through a cyber-liability insurance policy.
Measures Your Firm Can Take
Specifically, all firms should take several reasonable, simple measures to protect client data. Here’s the secret to success.
- People measures include employee awareness training and culture. An effective security awareness training program is customized to technologies and systems in use in your firm. Generic security awareness training, while better than nothing, is much less effective than training focused around specific devices, software, and processes in use at your firm. The culture in your firm should create constant vigilance among your staff around awareness, current events, and rewards for good behavior. This does not need to be complicated. A small firm can usually cover this topic in a one-hour training session developed by a security professional on your behalf.
- Process measures include written policies designed to put boundaries on what kind of activities are permitted or prohibited in your office. The key policy measures should be part of the security awareness training described above. An example might be whether employees are permitted to use personal devices for work and in what capacity. Are employees allowed to check business e-mail on their personal mobile device, for example? Taking time to spell out whether or not these activities are permitted and under what restrictions will go a long way toward protecting your firm in the long run. Again, this does not need to be complicated. We see most small firms getting by with a one- or two-page list of what is allowed, what is prohibited, and specific procedures to access critical systems.
- Technology measures are those on which firms historically have focused a lot of their resources. But technology measures on their own without people and process measures may be less effective—or not effective at all. Technology measures include things such as anti-malware software; firewalls; backup protocols; device tracking; device management; directory security; e-mail spam, phishing, and encryption security products; and other technologies.
In our experience, addressing these three areas effectively can reduce your cybersecurity risks by 85 to 90 percent. The remaining risk can be addressed with a basic cyber-liability insurance policy to supplement the measures taken above. Check with your carrier, but you likely will find that your malpractice or commercial general liability insurance policies specifically exclude losses owing to cybersecurity breaches.