Cybersecurity Controls in Your Law Firm
Questions to ask and cybersecurity milestones to reach to protect your legal practice
The Most Prepared Win
You’ve likely seen it in the news: cybercrime is on the rise. But it’s not just hype. Numerous studies show that more companies are being attacked. The attention is attracting new actors, emboldening experienced ones, and driving up the cost of preventing, insuring against, and recovering from cyber incidents. Cyber criminals are profiting from disrupting organizations, stealing critical data, and sometimes holding it hostage.
Large enterprises aren’t the only targets. In fact, according to a study performed by IBM, sixty-two (62) percent of all cyberattacks are directed at small or mid-sized businesses.
You can, however, dramatically reduce the chances that your firm falls victim. Do you know the old saying about two people who encounter a bear in the woods? As one is lacing up his sneakers, the other exclaims “What are you doing? You can’t outrun a bear!” To which the first person replies “I don’t have to outrun the bear, I just need to outrun you!” Similarly, your firm doesn’t have to be capable of withstanding every possible type of attack. Sufficient defenses, in the form of good practices that are consistently followed, encourage attackers to move on to easier targets.
The Center for Internet Security (CIS) also publishes a detailed set of best practices – 18 controls, in fact – that are publicly available for organizations to learn and adopt. Details are provided at the end of this document.
Armed with advice from your insurance broker and the CIS control measures, your team will be in a better position to assess your firm’s risks or navigate a conversation with a cybersecurity services provider.
Where to Start
Insurance companies (of course) have to stay abreast of what it takes to prevent an attack and recover if one occurs, so even just discussing cyber insurance requirements with your broker can be enlightening. Why do your own research when you can “borrow” theirs?
Understanding what it takes to qualify for cyber insurance (and get reimbursed in the event of a loss) will provide your firm with a useful “checklist” of important cybersecurity protections.
To get your process started, have your team consider these questions:
- Can we produce a list of computers and data in use?
- How would our firm fare if we lost access to all the computers and all the data in our building?
- What are we doing to keep employees (reasonably) focused on security and trained?
- How often do we update our equipment?
- Do we have a written acceptable use plan/incident response plan/disaster recovery plan?
- What data do we have in the cloud?
- Who else has access to our data and what are they doing to secure it?
How Your Firm Can Tackle Cybersecurity
While cybersecurity is a complex topic, approaching the implementation of stronger defenses in phases will render it less daunting.
We recommend that you assign one person in your organization to be the cybersecurity leader to organize this project and report on security activities regularly. Pursue the project in three phases:
- Know your environment by creating an inventory of the equipment and information comprising and connected to your network.
- Protect your assets by analyzing your risks and developing a plan to guard them.
- Prepare your organization by laying out your plans for responding to an incident so you can get back to business quickly.
Phase 1: Know Your Environment
Perhaps much like a legal case, it’s best to start with understanding “the facts” – an inventory of the devices and software that are connected to your network. By collecting this information first, your team can develop a clearer understanding of what needs to be protected. This exercise is also likely to expose a few easy-to-resolve gaps in security right away.
In particular, encourage your team to thoroughly understand what information is at risk. Here are some examples of data to identify and inventory:
- Credit card, banking, and financial information
- Personally identifiable information (PII), such as Social Security numbers, health information, usernames and passwords, home addresses, birth dates, etc.
- Customer lists, product lists, pricing, etc.
- Company trade secrets, formulas, methodologies, models, etc.
What your team can do:
- Create an inventory of applications.
- Limit administrator privileges to as few individuals as possible.
- Use unique, strong passwords.
- Ensure that system administrators use a separate non-administrative account for day-to-day activities.
- Develop a company process for downloading software to your network.
CIS offers detailed Critical Security Controls (1 & 2) for creating a thorough inventory of hardware and software assets.
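The inventory described above is easier to keep current when each workstation reports on itself. The following script is an added example written for this page; it is not CIS or Endsight tooling. It runs in an elevated PowerShell 5.1 or later session on a Windows workstation and records the operating system build, the most recent patch, every installed application (read from the registry uninstall keys rather than the slow Win32_Product WMI class), and the members of the local Administrators group, then writes the results to CSV. The output folder and the “three administrators” threshold are assumptions chosen for illustration.

```powershell
# Added example for Phase 1 (not part of the original page or of CIS materials).
# Run elevated on each Windows workstation; adjust $OutDir to a share you control.
$OutDir    = 'C:\Inventory'   # assumed output location
$MaxAdmins = 3                # assumed policy: more local admins than this is flagged
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Computer = $env:COMPUTERNAME
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Installed software from both the 64-bit and 32-bit uninstall keys.
$uninstallKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName } |
  Select-Object @{n='Computer';e={$Computer}}, DisplayName, DisplayVersion, Publisher, InstallDate |
  Sort-Object DisplayName -Unique)

# Who holds local administrator rights. Day-to-day user accounts should not appear here.
$admins = @(Get-LocalGroupMember -Group 'Administrators' |
  Select-Object @{n='Computer';e={$Computer}}, Name, ObjectClass, PrincipalSource)

# Most recent installed update, as a rough "are we keeping up to date" signal.
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

$summary = [pscustomobject]@{
  Computer       = $Computer
  OS             = $os.Caption
  Build          = $os.BuildNumber
  LastBoot       = $os.LastBootUpTime
  LastHotFix     = $lastPatch.HotFixID
  LastHotFixDate = $lastPatch.InstalledOn
  InstalledApps  = $apps.Count
  LocalAdmins    = ($admins.Name -join ';')
  AdminCount     = $admins.Count
  TooManyAdmins  = ($admins.Count -gt $MaxAdmins)
}

$summary | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$Computer-summary.csv")
$apps    | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$Computer-software.csv")
$admins  | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$Computer-admins.csv")

$summary | Format-List
```

Point $OutDir at a file share that workstation users cannot modify and run the script from a scheduled task or your remote management tool, then combine the per-machine CSVs into one sheet. The admins file is the quickest check for the bullets above: any everyday user account listed there is a candidate for a separate non-administrative login. On domain-joined machines Get-LocalGroupMember can fail on orphaned SIDs left behind by deleted accounts; remove those entries from the group and rerun.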
Phase 2: Protect Your Assets
As a law firm, you likely identify with the adage that people are your organization’s greatest asset. They are, unfortunately, also the most likely targets for cyber criminals. The majority of successful cyberattacks start by duping a person into clicking a link or otherwise taking an action that exposes your systems to malware.
You can help your people become good stewards of your firm’s information and systems by:
- Requiring password and multi-factor authentication policies.
- Training them to recognize risks, like phishing emails or phone-based scams. Pay particular attention to training and supporting individuals who handle sensitive data.
In order to complement cybersecurity training provided to your employees, your systems need to be configured with a baseline of protection to prevent easy entry by cyber criminals. Regular system maintenance should include:
- Ensuring operating systems and applications are up-to-date and securely configured. Web browsers are exposed to hostile content all day, so standardize on a browser that updates itself automatically.
- Leveraging security and malware functions included in most operating systems. Make sure anti-malware software is updated regularly.
CIS Critical Security Controls 3-10, 12-16, and 18 provide recommendations for protecting your assets and training your employees in cybersecurity best practices.
Phase 3: Prepare Your Organization
As the saying goes, hope for the best, but prepare for the worst. All of your team’s hard work to prepare your defenses may ultimately fall short. Therefore, you’ll also want to plan your response to a cybersecurity incident.
Common examples of what can happen include: a denial-of-service attack that shuts down your website, a malware attack that results in a loss of important data, a ransomware attack that holds data hostage, and the theft of a system (like a laptop) containing unencrypted data.
Similar to the second phase of your implementation plan, this third phase requires both technology and people solutions. Given your law firm’s dependence on information (rather than capital equipment or other physical assets), and the fact that you operate in earthquake-prone and fire-prone California, you may have a head start on this phase: sound disaster preparedness practices will also help your firm recover from a cybersecurity incident quickly.
What your team can do:
- Develop a rigorous data backup regimen, and test that you can actually restore from it. This may seem like a tedious task, but it could become your firm’s most valuable business process in the days after an attack.
- Identify a staff member who will serve as the lead in case of an incident.
- Have contact information readily available for IT staff and/or third-party IT consultants, legal counsel, and insurance agents.
- Familiarize yourself with your state’s data breach notification laws.
- Prepare a plan to notify any affected individuals, law enforcement and other stakeholders as needed.
CIS Critical Security Controls 11 and 17 provide guidance for responding to a cybersecurity incident and quickly and securely recovering your data from backup sources.
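A backup regimen that has never been restored is an assumption, not a control. The script below is an added example written for this page (not part of the original article or of CIS materials): it takes a copy of a folder, restores it to a scratch location, compares the SHA-256 hash of every file against the original, and appends a pass/fail row to a log. The source and backup paths are assumptions; the zip step stands in for whatever backup tool your firm actually uses.

```powershell
# Added example for Phase 3 (not part of the original page): a restore test.
$Source     = 'C:\Firm\ClientFiles'   # assumed folder of data worth protecting
$BackupRoot = 'D:\Backups'            # assumed location your backup job writes to
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Archive    = Join-Path $BackupRoot "clientfiles-$Stamp.zip"
$RestoreDir = Join-Path $env:TEMP "restore-test-$Stamp"

function Get-TreeHashes([string]$Root) {
  # Map each file's path relative to $Root to its SHA-256 so two trees can be compared.
  $map = @{}
  $prefixLen = $Root.TrimEnd('\').Length + 1
  Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($prefixLen)
    $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
  }
  return $map
}

# 1. Take the backup (plain zip here; substitute your backup tool's command).
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $Archive -Force

# 2. Restore it somewhere harmless and compare every file against the original.
Expand-Archive -Path $Archive -DestinationPath $RestoreDir -Force
$orig = Get-TreeHashes $Source
$rest = Get-TreeHashes $RestoreDir

$missing   = @($orig.Keys | Where-Object { -not $rest.ContainsKey($_) })
$corrupted = @($orig.Keys | Where-Object { $rest.ContainsKey($_) -and $rest[$_] -ne $orig[$_] })

# 3. Record the outcome. Keep this log with the backups, not on the live file server.
$result = [pscustomobject]@{
  Date      = $Stamp
  Archive   = $Archive
  Files     = $orig.Count
  Restored  = $rest.Count
  Missing   = $missing.Count
  Corrupted = $corrupted.Count
  Passed    = ($missing.Count -eq 0 -and $corrupted.Count -eq 0)
}
$result | Export-Csv -Path (Join-Path $BackupRoot 'restore-tests.csv') -Append -NoTypeInformation
Remove-Item -Path $RestoreDir -Recurse -Force
$result | Format-List
if (-not $result.Passed) { exit 1 }
```

Schedule this to run after each backup and have someone read the restore-tests.csv log weekly; a run that exits non-zero is a finding to chase before you need the backup for real. Compress-Archive is only a stand-in: it skips empty folders and has a per-file size limit, so for production use replace step 1 with your backup product and keep steps 2 and 3 as the independent check. Also keep at least one copy of the backups somewhere a ransomware-infected workstation cannot write to.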
Conclusion
Preparing your firm’s systems and people to prevent and recover from a cybersecurity incident may be an added expense. The benefits, however, are significant. Using the right tools and establishing sound practices may prevent a costly attack, mitigate legal consequences, help your firm qualify for cyber insurance, and allow your operation to recover quickly.
Pursue the three phases of cybersecurity implementation that we’ve outlined here, which are recommended for small and mid-sized organizations. Additional resources are included below.
Resources
Center for Internet Security
CIS® is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. Their CIS Controls and CIS Benchmarks are global standards and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer global community of experienced IT professionals.
Endsight is a California-based outsourced technology support provider. Companies that hire us expect their technology to perform. And they count on us to make it so. While we ensure their systems operate effectively and their investments in IT align with their business goals, our clients get to concentrate on employing that technology to thrive. Our team of experts, ranging from the CIO level to readily-available help desk specialists, collaborate to provide comprehensive IT support to small and mid-sized businesses - nonprofits included. In the realm of cybersecurity, we help organizations assess vulnerabilities, tailor and implement protection measures, train staff, and maintain effective practices.