We’ve all heard about the large breaches over the last decade, including at Target, Yahoo, and, most recently, Equifax. What is not that well-known is that law firms have become a major target of attackers as well. Data breaches cost organizations lost revenue, loss of customer confidence, legal fees, and regulatory fines. Customer data, however, is not the only asset at stake for a law firm; the loss of critical case data may result in evidence inadmissibility and potentially a negative outcome of an important case.
As we continue to rely more and more on digital technology, it will be imperative for law firms to develop a cybersecurity strategy capable of ensuring the confidentiality, integrity, and availability of valuable data and digital assets. This will ensure firms’ ability to continue to operate in a digital world where data breaches are becoming more common.
WHAT IS A CYBERSECURITY PROGRAM?
Basic cybersecurity programs are aimed at providing confidentiality, integrity, and availability to an organization through various programs that support these pillars through well-defined processes and measurements that track the health of the controls set in place.
When developing your cybersecurity program, it is important to ensure that you are managing risk through mitigation, deferral, or acceptance. Aiming to eliminate all risk is an impossible task and will end up costing the firm more money than the value realized through its controls.
In order to establish an effective cybersecurity program, the organization must first identify potential threats and their associated risk. For law firms, some examples of potential threats may be unauthorized access to a large client’s data resulting in insider trading, blackmail, or fraud.
Once you’ve identified the threats, it is time to implement effective security controls capable of mitigating these threats. Some basic controls to consider are:
- Educating your employees on phishing, scareware, and other common attacks.
- Implementing anti-malware soft ware on all systems and email providers.
- Ensuring the timely patching of soft ware and operating systems.
- Implementing two-factor authentication for critical systems.
- Encrypting data at rest and in transit.
- Implementing network and host-based Intrusion Prevention Software (IPS).
- Creating a data classification program to govern the controls necessary for each type of data.
- Creating a data governance program to manage the flow and control of confidential data.
DETECT ACTIVE THREATS
Cyber threats continue to evolve at an alarming rate, with new exploits being weaponized in as little as 48 hours. This may limit an organization’s ability to stop an unknown threat until a security provider can provide a solution. This is where a strong threat detection program can be used to spot these threats and alert personnel for action.
Some detection solutions to consider are:
- Endpoint system (laptop, desktop, etc.) anti-virus or anti-malware software.
- Network and host monitoring capable of analyzing files and traffic for malicious behavior.
- Database access monitoring tools.
- Security information and event monitoring aimed at identifying potentially malicious behavior.
- Server error and uptime monitoring and alerting for suspicious events.
RESPONDING TO A THREAT
An incident response program is the cornerstone of a cybersecurity program. Incident response enables organizations to quarantine and recover from an attack, mitigating the impact. Failure to respond effectively may result in a successful breach.
To effectively limit the impact of an attack, organizations should at minimum implement the following:
- Establish a written incident response plan in case of an attack.
- Create a communication strategy for law enforcement and critical personnel necessary for coordinated response.
- Create playbooks for different risk scenarios and attack types.
- Consider retaining an external response team for staff augmentation and expertise for larger breaches.
- Perform tabletop exercises regularly to practice response techniques for various attack scenarios.
RETURNING TO BUSINESS AS USUAL
Having a plan to resume business as usual aft er a malicious cyber event is just as important as responding to it. Stopping the attack is only half the battle, and while this is happening, the organization may be at risk of being unable to perform its core business functions. In the case of a law firm, this could mean winning or losing a high-profile case.
Organizations should at a minimum implement the following:
- Securely back up critical data, systems, and applications, restricting access to prevent losing these data during the attack.
- Implement redundant network connections to ensure availability.
- Purchase cyber insurance.
- Contract emergency service level agreements with IT service providers as well as hardware and soft ware vendors to ensure quick uptime.