Tuesday, May 3, 2016

Cybersecurity: Big Problem for Small Firms?

By Zosha Millman | LXBN | May 2, 2016

Cybersecurity should be a major priority for all firms in 2016. The problem is, not everyone is playing with big law resources.

According to the ABA, of the more than 1.3 million lawyers practicing in the U.S. today, 89 percent of them are in firms with ten people or fewer. And although they might not have the same cybersecurity team and assets that bigger firms do, it’s becoming increasingly vital for small firms to ensure security for their clients.

These days all businesses are at risk, because all businesses likely interact with the internet. Put simply, there are just more ways than ever for data breaches to occur. Which means that when companies do decide to hire out, they’re doing it carefully—and are likely to be unhappy when they find out that in the last year organizations spent an average of about $10 million to respond to security incidents as a result of negligent or malicious third parties. Losing that much money—and, worse, sensitive information—in translation is definitely a major loss.

But while a Nationwide survey last year found that 63 percent of small businesses had been attacked at least once, a survey by Towergate found that 82 percent of small business owners believed they were safe from being attacked, because they had nothing to steal. In reality, they couldn’t be more wrong.

“In modern business supply chains, a series of companies are connected to build a product or deliver a service,” David Burg, global and U.S. cybersecurity leader at PricewaterhouseCoopers, told Forbes. “When the little guy is compromised, the hacker goes up the supply chain to the client.”

Smaller businesses and firms often lack the technical capacities and insight to protect themselves against hacker activity. And with lawyers that threat is only compounded: Hacking a small firm is more than just a potential foothold in the path to bigger fish, it’s a step with its own sensitive information that can bring down companies and firms alike. Lawyers uniquely deal with confidential details and business transactions more than almost any other business, and the countless number of classified materials that pass by a lawyer’s eyes could mean big dollar sign eyes for hackers. Especially as the type of attack shifts from nation-states and hacktivists to more of a daily assault, more akin to burglary and common criminals, as LegalTech News writes:

The attacks [in 2010, says Joseph Abrenio, vice president of commercial services at Delta Risk and president of the Midwest Cybersecurity Alliance], were mainly executed by “script kiddies”—unskilled perpetrators with little technical knowledge that deploy scripts and programs developed by experts—“who just wanted to make a name for themselves.”

But now, “you’re seeing much more of what we call ‘advanced persistent threats’ that are targeting lawyers,” Abrenio says. “So I think not only have the frequencies of attacks increased on law firms, but the complexity, too.”

With their tranches of highly confidential and sensitive information, law firms are increasingly finding themselves in cybercriminals’ crosshairs “because [they] are traditionally weak in cyber, not only in their technology but in their employee training and processes as well,” Abrenio adds.

And for hackers it’s paying off. Cybercrime is reportedly a $2 trillion industry these days, and shows little sign of slowing down, especially with increasing adoption of cloud networking and the Internet of Things.

Which may be one of the reasons the FBI reports that only 20 percent of businesses are actually reporting the crimes and turning to law enforcement. Breaches aren’t exactly good for business, and won’t inspire people to work with your firm in the future. And after paying to get your own information back, the idea of losing clients is just salt on the wound and money out of the bank. Not to mention that for some small firms, a lost client could be the future of the firm.

But just because small firms don’t boast the same resources as big law doesn’t mean they can’t protect their clients. They just have to be strategic and vigilant about it—expecting to set aside some time to work on it and review it with some regularity. As Peter S. Vogel writes for the Internet, Information Technology, & e-Discovery blog, the first line of defense can be the law firm, if they work at it:

Of course the advice in Osterman’s Report is not limited to lawyers, these phishing and malware scams affect all industries. Here are 3 of the 8 key takeaways:

· Cybercriminals are getting better, users are sharing more information through social media, and some anti-phishing solutions’ threat intelligence is not adequate. This makes organizations more vulnerable to phishing attacks and other threats.

· Users should be considered the first line of defense in any security infrastructure, and so organizations should implement a robust training program that will heighten users’ sensitivity to phishing attempts and other exploits.

· IT and business decision makers should implement best practices to help users more carefully screen their electronic communication and collaboration for phishing and other social engineering attacks.

Without question these cyberattacks will not abate anytime soon, so every employer should be training employees continuously.

