In prior columns, I’ve written about cyber attacks that can be very costly or even fatal to a law firm. Now let’s look at the steps your firm can take to discover, and plan to plug, the cybersecurity gaps that are leaving your firm’s data and your clients’ data vulnerable to attack or theft.
This analysis is not something you will want to attempt yourself. You’ll need an outside consultant who specializes in cybersecurity and is current on the almost daily new forms of cyber attacks.
REALFIRM, LLC
While every law firm is a potential target, real estate firms are sometimes the biggest targets for hackers because of the size of their wire transfers, which are vulnerable to interception.
I’ve created a cybersecurity plan for a mythical residential real estate law firm called RealFirm, LLC.
RealFirm provides real estate services and consulting to consumers. It has five employees who work remotely, often from their homes or hotels. The firm leverages Microsoft Office 365 for email and office collaboration. RealFirm wants a cybersecurity system that achieves compliance by meeting the minimum acceptable implementation of cybersafety policies, protocols, and controls, and that can level up as required by clients or market conditions.
HERE ARE THE FIVE STEPS.
Let’s start with the first three steps: Discovery, Initial Report, and Situation Review. They would be analogous to going to the doctor with an ache or pain, the doctor running tests, then reading the results. During Discovery, we’d be looking for these gaps:
- Failure to identify and block cybercrime such as phishing attacks.
- Breached regulations for privacy and confidentiality.
- Inadequate training of RealFirm’s staff in basic cybersafety.
- Insufficient protection of RealFirm’s physical offices and workers.
- Unauthorized access to RealFirm’s other high value areas such as network operating rooms.
1. DISCOVERY
Discovery involves a set of interviews with RealFirm’s partners, attorneys, key staff, and vendors.
We would start with a self-reported inventory (input worksheets) of endpoints, network equipment, connected wearables, installed software, cloud accounts, and information security controls.
We would remotely scan and inspect the information technology RealFirm has in place (hardware, software, and services) to determine the threat landscape and potential vulnerabilities. We may also use a Wi-Fi app that detects and profiles all connected/hackable devices.
Many of RealFirm’s employees work at home and access the Internet via their consumer Internet Service Provider (ISP), to which all family members attach an average of 19 endpoint devices, such as computers, tablets, phones, home security, ebook readers, and thermostats.
This is an easy fix right now: use a Virtual Private Network (VPN) for all business-related work, and segment business-related endpoints from home/consumer endpoints (on a business-class router). Providers like Norton can do this for around $8/month.
2. INITIAL REPORT OF FINDINGS
RealFirm would have a comprehensive, easy-to-understand summary of its current vulnerabilities. This would include scoring risks and potential infractions (that could lead to penalties/fines).
3. SITUATION REVIEW
The Situation Review would look at the broad landscape of areas where the firm’s cybersecurity needs to be beefed up. We’d establish priorities, a timeline, and begin to discuss a budget.
4. REMEDIATION PLAN
The remediation plan for RealFirm would be based on the Situation Review and the level of security the firm wants to implement. The cost to create or update the cybersecurity plan and get the revised plan in place would be about 5% of revenue for that first year.
The annual cost for on-going support and maintenance would be around 1% of annual revenue. Contrast that with the potential damages from a cyber attack that could cost RealFirm as much as $300,000.
Cybersecurity has become a cost of practicing law, just like the various kinds of business insurance your firm buys. You hate writing that check … but with the protection and peace of mind it provides, you don’t dare run your firm without it.
In my next column, I’ll tell you about the gaps we found in RealFirm’s information system and the plan, cost, and timeline to achieve the firm’s compliance goals.
Craig A. Petronella