July/August 2019

Hot Buttons

A Road Map for Lawyers with Cybersecurity Paralysis

Sharon D. Nelson and John W. Simek

We understand why lawyers have cybersecurity paralysis. They don’t understand cybersecurity, experts disagree on the best steps to take, the majority of cybersecurity measures involve spending time and money and, to top it off, the threats and defenses against those threats change daily. Here’s a brief road map to where you should be going.

By the Numbers: Where We Stand Today

Thanks to the ABA’s 2018 Legal Technology Survey Report, we have some solid numbers to ponder as we construct our road map. Looking strictly at the big picture statistics, these were the ones we found most significant:

  • Twenty-three percent of respondents reported that their firm had been breached at some point.
  • Of those reporting that they had been breached, the percentage breached generally increased with firm size until you got to large firms: 14 percent were solos, 24 percent were firms with two to nine attorneys, 24 percent were firms with 20 to 49 attorneys, 42 percent with 50 to 99 attorneys and about 31 percent with 100 or more attorneys.
  • Sixty percent reported that their firms had not experienced a data breach. It is important to note that it is entirely possible that many firms experienced a breach and never detected it.
  • About 9 percent of those breached notified clients, and 14 percent notified law enforcement.
  • Of those breached, 41 percent reported downtime and/or loss of billable hours, 40 percent reported consulting fees for remediation of the problems, 11 percent reported loss or destruction of files and 27 percent reported replacement of hardware and/or software.
  • Forty percent reported experiencing an infection with viruses/malware/spyware, with the greater number occurring in firms with two to 49 attorneys and the lowest in firms with 500 or more attorneys.
  • Thirty-four percent reported having cyber insurance coverage. (The percentage is growing, but slowly.)
  • Twenty-four percent reported using full-drive encryption, a low number in this day and age.
  • Twenty-nine percent reported using encryption of email for confidential or privileged data sent to clients.

Without bombarding you with numbers, the smaller the firm, the less likely it was to have a policy covering document retention, acceptable computer use, remote access, social media, personal technology use and employee privacy.

Perhaps most startling to us was the fact that only 25 percent reported having an incident response plan, a critical cybersecurity component. Larger firms were more likely to have such a plan. In general, larger firms have a bigger attack surface, but they also have more resources to devote to cybersecurity. We therefore focus in this column on solo, small and midsize firms as we try to lay out a road map to cybersecurity.

Security Assessments Are Essential

You can’t fix what you don’t know is broken. That’s a fact. We are now at a point in time where 11 percent of attorneys have received from a client or prospective client a request for a security assessment. Thirty-four percent have received some sort of client security requirements document. While the survey didn’t ask about assessments required by insurance companies in order to get cyber insurance, we know from our own clients that these are becoming more prevalent.

Even if no one requires you to do an assessment, you absolutely need one—and it should be done at least annually. Why don’t law firms have an assessment done? Mostly because lawyers fear the costs of the assessments—and the costs they may incur in fixing what’s wrong.

So let us try to allay some fears. While it’s true that large law firms will generally seek out large (and therefore expensive) cybersecurity firms, it’s equally true that there are many smaller cybersecurity firms with reasonable fixed-fee prices for doing an assessment and giving you a report identifying your vulnerabilities.

What should you be looking for besides a reasonable price? References from colleagues (who have no dog in the hunt) are useful. Make sure the company has true cybersecurity certifications. IT certifications are not cybersecurity certifications. Also make sure the report will follow the guidelines of a reputable organization such as the Center for Internet Security.

What you want as an end result is to know what critical vulnerabilities you have so those can be fixed right away. After that the report will identify medium and low risks. Address medium risks as soon as you can. The idea is to plan a timeline, often constructed around budget constraints or impact on productivity. The low risks should of course be addressed, but they don’t carry the level of concern that critical and medium risks do.

Train Your Employees!

Your employees, your most valuable asset, are also a great threat. They are often moving too fast and are easily duped by phishing emails. Phishing emails often, and successfully, target law firms. Perform phishing simulations where employees receive carefully constructed emails specific to your firm. If they do not see the red flags and click on a link or attachment (or answer an email leading to a follow-up conversation asking for monies, gift cards, etc.), you will see how much training—and retraining—is needed.

Training should be annual, mandatory and without mobile devices present. The partners should be there, leading by example. Believe it or not, training is not very expensive—again, stick with smaller companies with cybersecurity certifications. Don’t use your in-house folks; they simply don’t carry a big enough stick. Outsiders are invariably a better solution. Again, it’s a good idea to get referrals from colleagues. You want trainers who can both educate and entertain. If they cannot keep the attention of your employees, you are probably throwing money down a rat hole.

Happily, we are seeing more and more firms of all sizes investing in training. It might surprise you, but the employees generally enjoy the training and feel more confident in their ability to spot phishing emails, recognize social engineering attacks, etc. This is an excellent way of creating a culture of cybersecurity.

The Power of Policies

Policies in law firms tend to be static. There is a big push to get some policies in place and then nothing happens, sometimes for years. But policies are invaluable in all sorts of ways. They set the expectations of your employees. If employees disobey them, they can expect consequences, up to and including termination, depending on the severity of the violation.

As the world invariably changes (think of the policies that sufficed 20 years ago!), all policies should be reviewed yearly and revised as needed. Train employees on them every year—they will invariably forget portions of policies that are very important.

Many policies involve cybersecurity, but they have different names, which can be confusing. The most common, by whatever name, are:

  • Acceptable use policy.
  • Social media policy.
  • Remote access policy.
  • BYOD (bring your own device) policies.
  • Access control policies (passwords, multifactor authentication, biometric authentication, etc.).
  • Backup policy.
  • Vendor access policy.
  • Retention and destruction of data policy. (Let us interject here that minimizing the data you retain is free—and greatly reduces your risk.)
  • Disaster recovery policy.
  • Encryption policy.
  • Reporting lost or stolen device policy.
  • Employee privacy (which may mean the absence of privacy on your network).

The Critical Incident Response Plan

If you don’t have an incident response plan and you then suffer a breach, you will invariably be running around in headless chicken mode. We have borne witness to this reaction many times—you definitely don’t want to be in that mode.

The way to avoid it is to have a good incident response plan. The elements of such a plan are not all that complicated. Here are the essentials:

  • Contact information for your regional FBI office.
  • Contact information for a data breach lawyer.
  • Contact information for the attorney who will oversee the breach response and any others in the firm who may be involved.
  • Contact information for a digital forensic company, to investigate and remediate the breach.
  • Contact information for your insurance company. You may be required to report a breach or incident in a given period of time or lose benefits.
  • Contact information for your bank, in case you need to warn it to be wary of suspicious transactions. Banks are accustomed to this.
  • Contact information for a public relations firm. Small firms are less likely to use these services.
  • Who needs to be informed? Clients? Vendors? The state attorney general? Make sure to have a copy of your state’s data breach notification law kept with the plan.
  • Plans for preservation of information to assist in the breach investigation, such as gathering all logged data and taking impacted devices offline.
  • Steps to resume operation.

You should do annual reviews of the plan, including (at least) tabletop exercises where you go through various scenarios, adding and subtracting issues and problems (e.g., the managing partner is climbing a mountain in Asia and inaccessible, the electric grid is down, etc.).

The Right Technology at the Right Price

So you’re not a megafirm and you’re budget conscious. No worries, it’s a big club. So here is our basic technology advice with this stern warning: No technology is invincible.

Let’s start with some simple and free advice. Make sure you apply all patches and updates as they become available. Failure to patch leaves you vulnerable to a security incident. Trust us, the bad guys are constantly scouring the internet looking for those that are vulnerable to widely known hacking techniques.

Obviously, you need some sort of endpoint protection. This means there should be some sort of security software installed on all your computers, servers and mobile devices. In the old days it was called antivirus software, but today’s endpoint protection is really a security suite that contains such things as a firewall, antimalware protection, antivirus, encryption, etc. Endpoint protection is a good start, but you really need some visibility into events happening at the endpoints. According to a report by Sophos and market research company Vanson Bourne, 1 in 5 IT managers didn’t know how an attacker got in, even after discovering the threat. This has given rise to endpoint detection and response tools to provide visibility into security events.

Another important concern is edge protection. This is where you would install some sort of firewall appliance. One of our favorite products (no, we don’t get any commissions) is the Meraki product line by Cisco. The Meraki is a combination firewall, intrusion detection system, intrusion prevention system and wireless access point. The device itself is only a few hundred dollars, and the annual subscription for the software is only a few hundred dollars as well. Best of all, the subscription includes continuing updates to your protection as new threats are discovered—and they happen automatically. You don’t have to do a thing or spend another dime. You may recognize the combined functions from the old days of unified threat management devices. You don’t see the term “unified threat management” used these days, but effectively that’s what devices like Meraki are.

Another area to focus on is mobile device management. It’s no secret that we are a mobile society and our smartphones are really powerful computers that can also make phone calls. Larger firms will invest in mobile device management solutions such as AirWatch, MobileIron or Microsoft’s Intune. We would suggest that the solo and small-firm lawyer look to the built-in controls contained in ActiveSync. If you have your own Exchange server or use Exchange Online with Office 365, ActiveSync is a free feature that can enforce device encryption, enforce lock codes and even remotely wipe the device.
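To make the ActiveSync advice concrete, here is an added example (not from the column) of the Exchange Online PowerShell commands that create a mobile device mailbox policy enforcing a lock code and device encryption, assign it to a mailbox, check that devices have actually applied it, and issue a remote wipe for a lost device. It assumes the ExchangeOnlineManagement module is installed; the policy name "Firm-Mobile-Baseline", the mailbox alias "jdoe" and the email addresses are placeholders.

```powershell
# Added example, not the column's own material. Placeholders: the admin account,
# the policy name "Firm-Mobile-Baseline", the mailbox alias "jdoe" and it@example.com.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Policy that enforces the three controls the text mentions: a lock code,
#    device encryption and the ability to wipe. AllowNonProvisionableDevices $false
#    refuses mail to devices that cannot accept the policy; otherwise such a device
#    would sync firm email without ever applying these settings.
New-MobileDeviceMailboxPolicy -Name "Firm-Mobile-Baseline" `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock (New-TimeSpan -Minutes 5) `
    -MaxPasswordFailedAttempts 10 `
    -DeviceEncryptionEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# 2. Assign the policy to an existing mailbox (-IsDefault above covers new mailboxes).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Firm-Mobile-Baseline"

# 3. Verify: list the user's devices and whether each one has applied the policy.
#    A device that shows the policy as not applied is the one to follow up on.
Get-MobileDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceModel, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Lost or stolen device: remote wipe. -AccountOnly removes only the firm's
#    mail data and leaves personal data alone; omit it for a full device wipe.
#    In practice pick the specific device from the list in step 3, not just the first.
$device = Get-MobileDevice -Mailbox "jdoe" | Select-Object -First 1
Clear-MobileDevice -Identity $device.Identity `
    -NotificationEmailAddresses "it@example.com" -AccountOnly -Confirm:$false
```

The wipe is carried out only the next time the device connects, so the step 3 check (last successful sync) tells you whether it has actually happened.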

Final Thoughts

As we write this, the week after coming back from speaking at ABA TECHSHOW, we are reminded that much of the cybersecurity advice given above was echoed there. One of our favorite slides had the words “Store Less. Delete More.” That might have been the best, most succinct advice we heard during the conference. Words to live by! 

Sharon D. Nelson

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 17 books published by the ABA. snelson@senseient.com

John W. Simek

John W. Simek is vice president of Sensei Enterprises Inc. He is a Certified Information Systems Security Professional and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics from their Fairfax, Virginia, firm. jsimek@senseient.com
