2021 Cybersecurity Guide to Law Firm Data Security – Developing a More Resilient Posture to Emerging Cyber Threats
Law firms and legal advisory organizations have a vested interest in taking all necessary precautions to protect against the encroachment of cyber threats. As organizations entrusted with their clients’ sensitive personal, business intelligence, economic, and political data, law firms are uniquely attractive targets for enterprising cybercriminals. And 2021 has already been a significant year for cybercrime, with high-profile incidents targeting the legal profession carried out on all continents. Goodwin Procter, Seyfarth Shaw, Cadwalader, Peabody & Arnold, Jones Day, and Charles J. Hilton & Associates P.C. are just some of the high-profile law firms embroiled in data breaches and other catastrophic cybersecurity events in the last 12 months.
The true scope of cyber threats facing legal clients remains hard to measure. That’s mainly because so many firms are reluctant to publicly disclose that they mishandled sensitive data, given the considerable loss of reputation such a confirmation is likely to cause.
To further complicate matters, according to research conducted on behalf of the American Bar Association in 2020, most law firms have not invested in advanced processes to counter cyber threats, despite the ongoing challenges. In that research survey, conducted by the Legal Technology Resource Center, only 43% of respondents confirmed using file encryption, 39% confirmed using email encryption, and 26% confirmed using whole/full disk encryption. Of the remaining security tools used by fewer than 50% of respondents, only 39% use two-factor authentication, only 29% use intrusion prevention or intrusion detection software, only 28% use remote device management and disk wiping, only 27% have device recovery protocols, only 26% use web filtering technologies, only 23% use employee monitoring software, and just 12% use biometric login technologies.
The result is an industry facing an unusually high number of cyber threats compared to most others. At the same time, many of its leading organizations have not taken concrete steps towards mitigating threats by adopting and implementing the most advanced cybersecurity technologies and best practices.
Essential Strategies for Countering Modern Cyber Threats
- Develop a 360° Awareness and Commitment Towards Maintaining a Modern Cyber Resilience Posture
  Every once in a while, news headlines herald a new data breach, hacking exploit, or ransomware attack carried out against legal service providers. Firms take notice and begin to respond, only to drop all ongoing change initiatives once the PR moment has died down. Developing a 360° awareness means investing in cybersecurity today and playing an active role in fortifying responses to prevent attacks down the line. Simple measures, such as giving customers an email address or telephone line for reporting suspected malicious activity and bugs to your teams, are significant first steps. Many commercial companies offer bug bounties to get everyday citizens involved in helping to secure digital infrastructure with a crowd-based approach. Publishing a simple security.txt file, following the security.txt standard, is another technique that makes it much easier for information security experts to report and share what they may have found in your firm’s networks. Developing a cyber resilient posture means taking time to invest in measures to protect your valuable data. It also requires creating feedback loops to ensure that all your bases are covered all of the time, not just in the weeks following the latest hacking event.
- Consistently Check Who in Your Organization Needs to Have Digital Credentials and Access
  If you aren't keeping accurate documentation about who has access to which platforms, systems, sources of data, and passwords, you are leaving your legal organization exposed. It is relatively simple to keep up-to-date records, but not having this information can be extremely detrimental to your organization's future success. Your law firm is under constant threat from the advanced tactics of criminals from around the world. It isn't a question of "if" but of "when" you experience your first advanced cyber threat. However, by limiting the potential for outside entities to gain access through avoidable human errors or wrongdoing, you are taking a proactive approach to security that could save your organization tremendously in the long run.
- Always Maintain Insights About Data Usage Across Your Organization
  If your organization can spot anomalous data usage statistics early, there is a much better chance of avoiding a severe data breach before it ruins your global reputation. User behavior analysis is an emerging area of risk management that uses machine learning to analyze how your teams handle data under normal circumstances. When unusual behavior patterns are identified, alerts are issued and strict firewall rules are enforced so that the behavior does not escalate into all of your sensitive employee and client records reaching the dark web or somewhere even worse.
- Enforce a Modern Password Practice
  One of the most widespread attack vectors for cybercriminals is overly simplistic or duplicate passwords used across multiple platforms and account credentials. As tempting as it might be for your employees to access shared services with extremely simple and easy-to-guess passwords, doing so exposes your law firm to data breaches down the line. Instead, initiate policies requiring that passwords be very long, complex, and challenging for humans or machines to guess. Furthermore, change your passwords frequently and make sure everyone in your organization follows these practices all of the time and not just when upper management is watching.
- Develop Systems that Utilize Multi-Factor Authentication
  Multi-factor authentication refers to a wide range of practices used to verify through multiple means that someone is who they say they are and that the information they have provided is correct. An example of this would be a two-factor system that requires users of a database to input a password and a separate code sent directly to a mobile device. Multi-factor authentication works similarly, though it may require completing a captcha, answering security questions, completing a math assignment, and completing many other simple tasks in tandem to verify identity. Multi-factor authentication often seems like an unnecessary headache until an attack targets a firm.
- Stay Up to Date on Government Regulations and Cybersecurity Advisories
  Data protection laws are constantly changing, and it's not easy to stay up to date on them, but failing to do so could cost your law firm tremendously. Additionally, government organizations frequently issue cyber threat updates that provide vital information. If no one in your organization is staying up to date on developments regarding information security, then it is nearly impossible to prevent the most advanced threats. This world moves faster than the speed of light, and countering that means developing a more resilient and responsive cyber posture.
- Develop a Cyber Threat Response Plan and Stick to It
  Your cyber threat response plan should encompass activities embodying the following phases:
  - Discovery: Detection of anomalous or malicious behavior being executed against your mission-critical digital infrastructure
  - Containment: Ensuring that a problem situation does not escalate further by utilizing strategies to isolate the effects of a cyber threat
  - Investigation: Gaining insight into how an attack was executed
  - Mitigation: Repairing vulnerabilities to prevent further escalation of a cyber threat event or data breach
  - Recovery: Pivoting towards building on what you have learned to ensure the same vulnerabilities do not continue to threaten success at a later date
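The data-usage strategy above describes learning how users normally handle data and alerting on deviations. The sketch below is an added example, not part of the original article, and it substitutes a simple statistical baseline (median and median absolute deviation per user) for the machine learning the article mentions. The user names, counts, minimum history and threshold are all constructed assumptions.

```python
from statistics import median

# Constructed sample: documents opened per user per day, oldest first.
HISTORY = {
    "associate_a": [22, 18, 25, 20, 19, 23, 21, 24, 20, 22],
    "paralegal_b": [40, 38, 45, 41, 39, 42, 44, 40, 43, 41],
    "partner_c": [5, 5, 5, 5, 5, 5, 5, 5, 5, 5],
    "new_hire_d": [3, 4],
}
TODAY = {"associate_a": 24, "paralegal_b": 410, "partner_c": 60, "new_hire_d": 35}

MIN_DAYS = 7      # assumed minimum history before a baseline is trusted
THRESHOLD = 6.0   # assumed alert threshold on the robust z-score


def robust_z(history, value):
    """Score a value against history using median and MAD.

    Median/MAD is used instead of mean/stdev so that an earlier spike in the
    history does not inflate the baseline and hide the next one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # A perfectly flat history has MAD 0; use a floor of one document so the
    # score stays finite and small wobbles do not alert.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def review_day(history, today, min_days=MIN_DAYS, threshold=THRESHOLD):
    """Return {user: 'ok' | 'alert' | 'no-baseline'} for one day of activity."""
    verdicts = {}
    for user, count in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            # Too little history to judge: route to manual review, not silence.
            verdicts[user] = "no-baseline"
        elif robust_z(past, count) > threshold:
            verdicts[user] = "alert"
        else:
            verdicts[user] = "ok"
    return verdicts
```

The `no-baseline` verdict matters in practice: new accounts and rarely used accounts are exactly the ones a per-user baseline cannot judge, so they need a separate review path.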