When it comes to assessing the risk of your law firm being hacked, the question is not if an attack will happen, but when. That means you must be ready at all times for the inevitable.
Cybersecurity experts David Ries and Jennifer Woods give that sobering advice in the CLE webinar, “Best of ABA TECHSHOW: Anatomy of a Data Breach: Analyzing Past Breaches to Minimize Risk.” Ries, of counsel for Clark Hill in Pittsburgh, Pennsylvania, oversees the firm’s cybersecurity and data privacy group, and Woods is data privacy counsel at the Kraft Heinz Company in Chicago.
No one is immune from being hacked, Woods says, and law firms are particularly desirable targets because they hold volumes of aggregated, high-value, well-organized data. Unfortunately, many firms have weak security controls that are easy to compromise. Attacks can come through everything from phishing emails to thieves pulling data off stolen laptops.
Criminals also have crafty ways to hijack money or data by breaking into a firm’s email system and sending fraudulent requests to clients from a genuine firm account, such as instructions to wire proceeds from a business transaction. Because the message comes from the real mailbox of a lawyer the client knows, it passes the client’s ordinary sanity checks. The unknowing client fulfills the request and – poof! – millions of dollars are lost.
Ultimately it is the responsibility and charge of attorneys to protect their clients’ information and do all they can to stop breaches – and investigate the damage if they do occur. Ries and Woods offer the following advice to help safeguard data:
Use reasonable security measures. Firewalls, antivirus software, secure Wi-Fi and encryption are easy ways to help protect information. “It requires that you work with clients to determine how to protect information,” Woods says.
Have a comprehensive security plan. A piecemeal plan simply will not do, Woods says. A thorough plan involves:
- A designated person responsible for security
- An inventory of information assets and data
- A risk assessment
- Appropriate administrative, technical and physical safeguards to address identified risks
- Management of new hires as well as current and departing employees (granting, reviewing and promptly revoking access) to avoid breaches
- Employee training about security
- An incident response plan
- A backup and disaster recovery program
- Periodic review and updating of the security plan
Never stop reviewing the plan. Cybersecurity is an ongoing process, Ries says. It involves people, policies and procedures, and technology, and you must look at all three on an ongoing basis to ensure effective security.
Minimize data. Keep only the data the firm actually needs, and segment and protect data that is online or in a system, particularly if it’s highly confidential, Ries advises. Use added protections such as two-step authentication to access information, so that a stolen or phished password alone is not enough to log in. And secure all connections to the internet.
Encrypt everything. Encryption is an easy way to get very strong protection and stop thieves from gaining access to data on stolen devices. Encrypt laptops, tablets, smartphones, mobile devices, thumb drives – even desktops and servers. Note what device encryption does and does not cover: it protects data at rest on a lost or stolen device that is powered off or locked, provided the passphrase is strong and the key is not stored alongside the data; it does nothing against a phished password or a compromised account that is logged in.
In short, “Think security all the time,” Ries says.
The ABA Cybersecurity Legal Task Force offers a host of resources to help small and midsize firms learn the basics of information security and how to build a security program. Also, a guidebook from the National Institute of Standards and Technology, “Cybersecurity is Everyone’s Job,” outlines what each member of an organization should do to protect it from cyber threats.