Is worrying about a security breach keeping you up at night? What will your clients think if it happens? Will you lose business? Are you prepared to stop the breach quickly? Can you afford to invest in information security? Can you afford not to?
Since 2011, 80 percent of the largest 100 law firms (by revenue) have been victims of cybercrime, according to an ABA report. The same survey revealed that 26% of law firms with 500 or more attorneys experienced a security breach in 2016. If this issue wasn’t keeping you up at night already, those statistics seem to be cause for some tossing and turning.
While in the past the legal industry had a reputation for being slow to adopt, a recent study found that on all security ratings measured, legal was the second highest performing. This is great news. Security initiatives are starting to come to fruition. But, many executives at law firms are now accepting that it is less about if a breach will happen, and more about what they are going to do when it happens.
While putting prevention measures in place is still essential, creating a breach response plan is of equal importance. In both cases, having a trusted Chief Information Security Officer (CISO) or Chief Security Officer (CSO) on board who can work well with your executive team is essential for big law firms. If you don’t have a CISO or CSO on your team, we suggest you consider adding one. While outsourced solutions can be sufficient for preventative measures, an internal leader of information security will be much more effective at putting a response plan in place.
Here are 11 tasks to give your leader of information security:
1. Set Up Perimeter Defenses
Most law firms know that setting up perimeter defenses is an essential first step for preventing cyber attacks. Firewalls, intrusion detection systems (IDS), application proxies, and virtual private network (VPN) servers are all important implementations for protecting your data from outside attacks.
2. Take Specific Access Security Measures
One of the next steps is to ensure that security measures are taken to only grant access to files and programs on an “as needed” basis. The fewer end users with access to confidential information the lower risk of that data being breached.
3. Create Clear & Concise Security Policies
A security policy should be written and distributed law firm wide. The key here is to make sure it’s usable – you want your attorneys and administrative professionals to actually read it and be able to easily understand and retain the information in it.
4. Invest in Rapid Detection of Breaches
The faster you can identify a breach and kick hackers out of the system the better. Investing in technology to rapidly detect a breach, be it in the form of in-house security engineers under the supervision of a CISO or an outsourced solution, is well worthwhile.
5. Keep Your Data Off Your Premises
Cloud storage companies are highly effective in keeping your data secure. It’s their job. So if you haven’t already moved your data offsite, it might be worth considering in 2018.
6. Use a Layered Defense System
You want your security engineers to make it as difficult as possible for a hacker to break in to your data, which makes a multi-level defense highly valuable. Some of the ways you can layer your defense system are: two-step encryption, consistent web and network monitoring, implementing a data-loss prevention system, and installing anti-virus and spam filtering software.
7. Educate Your IT Team
Whenever possible, your IT team should be building security measures into your applications and software systems. Have your CISO train your developers to do this and keep your IT team up to date on your various cyber security implementations and changes, so they can train others effectively, and stay on top of the latest cyber risks.
8. Check Your 3rd Parties
One of the more common areas of security breach is actually through one of your third party connections. As more clients are coming to law firms with security requirements, it’s essential that law firms do the same with their own 3rd party resources. You should have a well-documented policy for internal use that you can ask your 3rd parties to adhere to as well. Or request to see their security policies to ensure your data is protected from breaches.
9. Make a Response Plan
Having a system in place to detect and respond to breaches quickly is of equal importance to having effective preventive measures. Cyber threats don’t belong only in IT’s domain. If a breach happens, it will impact everyone in your firm, including your clients. As such, your entire executive team must be aware of cyber risks, prevention and response plans, and ideally be involved in their development in collaboration with your CISO or CSO.
10. Practice That Response Plan
Once you’ve created a response plan, practice it. Yes, we know that isn’t billable time, but when a breach happens, you’ll be thankful it is not the first time you’re figuring out who is responsible for what and seeing if your plan actually works.
11. Train Your Attorneys & Administrators
Phishing attacks are highly effective for breaching your law firm’s security. That’s why training your employees is so important for preventing attacks. While classes can be helpful as an overview, technology simulations that give them practice recognizing and reporting phishing emails are even more effective for employee’s retention of their training. It’s also essential that you get your employees to agree to encrypt emails and files and understand why it’s important. Give frequent reminders emphasizing the value and necessity of your securities policies to help prevent attorneys and administrators from falling back into old habits.
Equally critical to having your leader of security take these tasks in hand is making sure that you are always testing and staying up to date on the latest security practices. Just like you’d hold a fire drill to practice getting your employees safely out of the building, testing your systems to make sure they are secure will ensure you’re ready to handle a breach when it occurs. To ensure the safety of your data and your client’s data, use “white hat” hackers and penetration testing systems on a regular basis (perhaps quarterly) to test your security system and find areas of vulnerability. In addition, from the top down, build a culture at your law firm where everyone takes responsibility for preventing breaches and responding to them if they occur.
The above list may seem like a lot to take on, but breach prevention and response is now a critical priority for all law firms. Implement some or all of the above suggestions, and you’ll start sleeping more soundly knowing that your law firm and your clients’ data are secure.