Law firms are no less vulnerable to cyber attacks. In fact, they prove to be almost irresistible to hackers, because firms are a repository of sensitive and privileged information. Recently, several major law firms, including Cravath Swaine & Moore, LLP, and Weil Gotshal & Manges, LLP, have fallen victim to cyber attacks. In many cases, such data breaches could have been easily avoided. Mossack Fonseca, for example, a Panamanian law firm, reportedly had more than 10 million sensitive records stolen because it failed to take fundamental steps to protect confidential data, including updating its web servers. In most cases, large and mid-size businesses and law firms have the resources—including in-house IT specialists—to prevent cyber attacks and protect themselves against them. Small law firms and businesses, however, can learn important lessons from larger corporate entities, which have the resources to protect themselves against cyber attacks and, yet, opt to remain unnecessarily vulnerable to them.
Given the costs related to cybersecurity and incurred as a result of data breaches, small businesses and law firms can ill afford to be under-protected in this area. They must be proactive and find creative and cost-effective methods to be as, if not more, prepared than their larger brethren in the event of a cyber attack. Small businesses and law firms must be forewarned against the specific and pervasive threat that cyber crime represents to them in the modern world and forearmed with reasonable cybersecurity measures, tailored to protect their clients’ and their own interests.
Cybersecurity 102: Cybersecurity Assessment and Procurement
Small businesses and law firms have several advantages over larger entities that can help them target the specific areas where additional cybersecurity protections are necessary. As compared with large companies with branches and employees spread across the country and the world, small businesses and law firms may be less vulnerable in the event of a cyber attack. They generally will have smaller quantities of sensitive information to protect and may have fewer points of entry for hackers to gain access to data.
The first step to protecting a small business from cyber attacks involves assessing potential threats. The more sensitive information a small business is responsible for protecting, the more it should invest in cybersecurity, but cybersecurity experts agree that effective cybersecurity does not have to break the bank. To reduce costs and increase efficiency in data protection, a company should consider isolating and segregating the most sensitive and confidential data and restricting access to this information, including through the use of log-in protections, to further reduce the likelihood that a hacker could successfully infiltrate this information. Should any stored data legally require additional protective measures, it should be secured, as mandated under state or federal law. The failure to properly do so may expose a business or law firm and their agents to liability in the event of a security breach.
Many security measures do not require a high degree of computer literacy or great expense. Just as we should at home with our personal computing devices, a company should install anti-malware and antivirus software on its computers and update these programs regularly. If a business uses a wireless network, it should be protected with a password, and the encryption should be updated to thwart hackers on the lookout for poorly protected networks. Access to websites and email should always be protected with robust passwords. Once done accessing a website, the user should log out and close the webpage as a further deterrent to hackers. These are some of the low-tech ways that companies can stay one step ahead of hackers looking for a weak link, but information theft can also involve the physical theft of computer hardware. Therefore, a business should routinely physically secure and lock offices, hardware, and any mobile devices when not in use and consider installing tracking programs on hardware, as well.
Not every business or law firm is in a position to protect itself, alone, against the level of cyber attacks that threaten it; such businesses require expert guidance. If a business cannot afford to hire a full-time cybersecurity officer, consultants can be retained on an as-needed basis to provide services related to cybersecurity training, program implementation, and incident response planning and execution. Cybersecurity experts add value to a business and limit exposure to data breaches through their knowledge of changing risks and security protocols.
Some of the most important measures that a business, whether large or small, can take to protect itself against data breaches, however, rely on a business’s most important resource—its employees. A business should educate employees to act as a first line of defense against cyber attacks by reporting any suspicious activity. An action plan should be developed and implemented to respond to cyber attacks, and employees should be trained accordingly.
Unfortunately, the truth remains that even if a business is vigilant about cyber attacks and protects itself against known risks, cyber attacks and data breaches can still occur. Cyber insurance is a way to shift a business’s unavoidable risks and provide liability coverage for data breaches. Ultimately, there is no panacea for eradicating cyber attacks, but preparation greatly reduces the risk that a business will fall prey to hackers and lose not only confidential data, but the respect, confidence, and custom of its clients.