Techs education. This is a topic many law firms prefer not to address, do not address or do not address in a systematic and meaningful way. After all, it can be challenging to train staff, who may resist any effort to learn new information or new ways of handling their work. Thus, firms defer, saying it is better to let staff learn about technology in the office, where others may not know how to use technology properly or safely. Or staff can learn on their own or simply elect not to learn. Or they can learn a tougher lesson. They can download a virus or other malware by clicking on a link they shouldn’t have. There are, of course, other risks. But it is easier, and possibly cheaper, to let them learn on their own rather than having educational sessions that will take away from their billable hours or compensable time.
Interesting. After all, who knew that there were parallels between sex education and techs education other than their similar-sounding names?
There are two separate categories of tech education, thus my use of the plural techs. One is learning how to use the technology firms have in better and more efficient ways. The other type of tech is cybersecurity, where education can prevent attacks that could cripple a firm. While both techs are essential, this column will examine why increased cyber training is needed more than ever in law firms and how firms can accomplish this easily and on a budget. In other words, cyber training is necessary and affordable regardless of firm size or budget.
A recent study reported on hacked.com examined “Employee Confidence About Key Cybersecurity Best Practices.” The study polled workers at various businesses and asked employees how confident they felt about cybersecurity risks. Only 42 percent of the respondents were “very confident” that they could identify a phishing email. In another study, decision makers and influencers in IT and security departments identified email threats containing malware, spear-phishing and ransomware as their leading security concerns, followed closely by compromised credentials/account takeover and malicious data breaches.
These concerns apply regardless of whether the subject is a law firm, business or government agency. According to ABA’s 2022 Legal Technology Survey Report, 75 percent of all respondents reported having some training available at their firm. The level of technology training differed by firm size, however, with 32 percent of solos having training available at their firm, followed by 64 percent for firms of 2 to 9 attorneys, 79 percent for firms of 10 to 49 attorneys, 93 percent for firms of 50 to 99 attorneys and 100 percent for firms of over 100 attorneys. Yet it remains unclear how much of the training addresses cybersecurity and how much focuses on computer software in use at the firm.
Anecdotally, in my discussions with firms, smaller firms often explain that they don’t budget for and do not make cyber education a priority. They don’t see themselves as targets––a perception that is wrong and could be financially devastating.
The reality remains that cybersecurity training is crucial because, no matter the level of training, law firms remain vulnerable targets. One study of law firms in the United Kingdom, for example, revealed that more than 80 percent of firms were running at least one service with a well-known vulnerability, placing the firms at a high risk of cyberattack from those who specifically target services with known vulnerabilities.
Here is my four-step plan for increasing awareness and utilizing cyber training without breaking the budget while keeping staff engaged.
1. Adopt CISA’s “Foundational Measures.”
CISA, the Cybersecurity and Infrastructure Agency, a division of the U.S. Department of Homeland Security (cisa.gov), offers a wide range of papers, tools and other guidance for businesses of all sizes demonstrating how to protect against cyberattacks. At its core, CISA recommends that all organizations implement the following measures:
- Fix known software security flaws. CISA’s website contains a list of vulnerable software called the CISA Known Exploited Vulnerabilities (KEV) Catalog. Firms can refer to this resource to confirm that they are using their vendors’ latest software versions and, if not, update their software to the latest version. CISA also allows firms to subscribe to emails that will update them whenever major companies release updates to their products.
- Implement and require all staff to use multifactor authentication (MFA). According to Microsoft, MFA provides “an extra barrier and layer of security that makes it incredibly difficult for attackers to get past.” The company also reports that “MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.” Thus, implementing MFA can prevent most attacks and secure your firm.
- Eliminate bad practices. CISA and other cybersecurity experts recommend 1. replacing end-of-life software products that no longer receive software updates; 2. replacing any system or products that rely on known/default/unchangeable passwords; and 3. as noted above, requiring MFA for accessing your firm’s systems, resources and databases.
- Sign up for CISA’s Cyber Hygiene Vulnerability Scanning. CISA offers this free vulnerability scanning service, which the agency says helps to protect secure internet-facing systems from weak configurations and known vulnerabilities and encourages the adoption of best practices. After you enroll, CISA performs vulnerability scans and delivers a weekly report. To enroll, email [email protected].
2. Utilize CLE programs to educate staff.
Numerous technology and cybersecurity issues confront law firms. It would be impossible for firms to train their attorneys and staff on every type of threat, including those specific to a firm’s practice areas or the type of matters the firm handles. For example, firms representing medical providers may face HIPAA-related concerns that do not impact a firm primarily representing criminal defendants. Thus, even the best-intentioned firms are unlikely to be able to internally address the training and educational needs of every member of the law office.
While many commercial entities can fill this gap, lawyers should first consult with bar associations, which offer a wide range of programs, many of which qualify for CLE credit, including ethics credits. For example, the ABA offers a wide range of live, on-demand, and live/onsite CLE programs, many of which are included at no extra cost as a benefit of paying dues. In other words, attorneys can receive their tech education for no cost beyond the cost of association dues.
Many ABA programs are sponsored by the Law Practice Division (LP), which produces this magazine and offers other technology-focused resources to members. Many LP CLE and other programs address technology, cybersecurity and related concerns. Other ABA sections, divisions and committees produce CLEs and other programming, with many focused on specific practice areas and interests. Other state and local bar associations may offer similar programs.
By using CLEs, firms can control costs while also assuring that attorneys and staff utilize resources that often include industry-specific speakers who are among the most knowledgeable yet who would otherwise never be available to or within the firm’s budget. Thus, CLEs can fill in gaps and provide knowledge and expertise at little or no cost.
3. Create an Incident Response Plan and require all users to be aware of it.
An Incident Response Plan (IRP) is a written document approved by the firm’s management or leadership team and is an essential and primary protocol that every law firm and business should have. An IRP specifies how the firm will prepare for and handle an incident, clarifies each person’s roles and responsibilities and lists key people who may be needed during a crisis.
An IRP has five components:
- Preparation. Preparation is critical to an effective IRP. During the preparation phase, a firm will create an inventory of systems; that is, the firm will catalog all its hardware and software, locate vulnerabilities and put into place an action plan to prevent incidents. During this first phase, firms should develop policies to use during an incident.
- Detection and Reporting. Just like a security system at your home or physical office location, it is equally critical to monitor your technological environment using firewalls, intrusion prevention systems and data loss prevention tools. With these in place, you will be prepared to detect potential security breaches and alert the proper staff in the event one occurs.
- Triage and Analysis. When an incident occurs, it is crucial that all staff understand the plan, the firm’s global response and their role in responding and limiting damage. Depending on their roles, staff will be required to help assess any damage, determine what information is available, and determine how to proceed with firm business while the firm deals with triage and containment.
- Containment and Neutralization. At this stage, the firm must recognize each threat, contain and neutralize it, and verify if and when normal operations can resume. The firm will also need to identify areas of compromise and perform a planned sequential shutdown of all impacted devices. Then the firm can address all infected devices and take necessary actions to restore operations safely.
- Post-Incident Activity. After the incident has been addressed and resolved, the firm must review what happened and determine how to prevent similar future occurrences.
4. Purchase cyber insurance and utilize your carrier’s resources.
Despite sales pitches from some carriers and insurance agents, most general liability insurance policies exclude cyberattacks, or if they provide coverage, it is limited. To assist policyholders and reduce the number of claims, many cyber insurance carriers offer educational programs for policyholders and their employees to learn how to prevent attacks or spot dangerous situations that could lead to a breach.
Firms of all sizes need cyber insurance. Hackers target all-size law firms, just as they target all sizes of businesses. There are two primary reasons for this. One, they like to target easy prey, and small firms typically do not have or employ the financial resources necessary to rebound after a cyberattack. Thus, their guard is weaker. Two, hackers focus on the type of data firms have, which applies equally to firms of all sizes. Because the data is critical to every firm, it also helps to recognize that cyber insurance provides coverage for data restoration in the event of a loss.
Of course, law firms maintain data, which makes them desirable targets for hackers. Hackers also covet Personally Identifiable Information (PII) such as dates of birth, Social Security numbers and other data that can be mined and used to create financial chaos. Plus, under the Model Rules of Professional Conduct, much of the data is not owned by the firm but is the client’s. Who pays for the data loss in a breach? What if there is a need to notify breached parties about the attack or to provide credit monitoring? Cyber insurance policies generally cover costs that could otherwise put many firms out of business.
There are other consequences firms may not consider. For example, if a firm accepts credit cards and stores the data, hackers want that information. In addition, firms could face severe penalties if they lose credit card data or fail to store it properly.
Another benefit of cyber insurance is business interruption coverage, which is not commonly provided by standard liability insurance. These cyber policies may also offer coverage for laptops, tablets and portable devices, including those that are lost, stolen or hacked.
Finally, there are the ever-expanding breach notification laws, which differ from state to state. These laws commonly mandate that businesses that lose personal data must provide written notification to all potential or identified victims. Cyber insurance policies will provide coverage of these costs as well.
In conclusion, law firms must evaluate the cost of increased cyber training and balance it against the risk and potential financial losses if a breach occurs. Thus, affordable cyber insurance, cyber training and techs education are essential components of every firm’s budget. Consequently, firms must address all aspects of cybersecurity with their staff and be sure that everyone understands and receives appropriate training about their individual roles in preventing a cyberattack. Doing so involves techs education. The results will pay off for the firm.