Scott Suhy, NetWatcher, Legaltech News
Cybercriminals are increasingly attacking law firms.
Here's how to stop them.
Since the "Panama Papers" breach, in which 11.5 million confidential documents and 2.6 terabytes of client data were stolen from the law firm Mossack Fonseca, greater emphasis has been placed on law firm cybersecurity. The breach, however, was not an isolated incident. As noted in the 2015 American Bar Association (ABA) Legal Technology Survey Report, 15 percent of law firms have experienced a breach. And yet almost half of attorneys say their firms have no response plan in place.
Given their abundance of valuable information, law firms are attractive targets for cybercriminals. Midsized firms in particular are protected less well than large enterprises, and many lack the resources to buy the tools or hire the staff needed to protect their organizations properly. On top of that, firms often find themselves well behind what the ABA recommends.
While other verticals such as health care and financial services have had to deal with security requirements for years, the legal industry has no industry-specific compliance regime that mandates security policy, leaving firms subject only to state personally identifiable information (PII) laws and to their clients' compliance requirements.
Regardless, there are several things midsized firms should do now to shore up their cybersecurity posture:
1. Evaluate security now, and every year thereafter, to determine how well network security is managed. Poor security hygiene and risky employee behavior make phishing and other cyberattacks more likely to succeed. Firms should create a cybersecurity committee with members from IT, compliance, management and security to take responsibility for the firm's ongoing cybersecurity, including the implementation of cybersecurity policies. The team should be led by a senior partner and could be the firm's audit committee. Additionally, the team should conduct a yearly security risk assessment; NIST SP 800-30 is a good guide. Finally, firms should have outside experts test their security to find holes that bad actors could exploit. The tests should include penetration testing, vulnerability assessments and social engineering testing.
2. Adopt security policies such as those of the Office of the Comptroller of the Currency, which oversees financial services companies and has started focusing on the cybersecurity policies and procedures at law firms to ensure their data is being adequately protected. Clients want to see that policies and procedures exist and, more important, are being followed. Policies to consider include acceptable use, business continuity and disaster recovery, remote access, employee termination and outprocessing, password, encryption and bring-your-own-device (BYOD) policies.
3. Get cyber liability insurance that covers both first-party and third-party risks. The policy should cover a breach that occurs on a noncorporate, unencrypted asset such as a home computer, since many law firm employees work from home. It should also cover data breached while in the hands of a third party, remediation of a breach, regulatory actions against the firm, payment card industry liabilities and identity theft resolution services. The contingencies in the insurance contract should also be well understood.
4. Conduct mandatory security training to keep everyone advised of new security threats and underscore the need for vigilance, including being watchful for suspicious emails, texts and hyperlinks as well as social engineering ploys. Do not exempt firm executives from this training.
5. Create an incident response plan (IRP) and formally designate someone to manage the firm's incident response. NIST has published a "Computer Security Incident Response Guide" that can help firms develop appropriate policies and procedures. I also wrote a blog post on this recently. The plan should include: the outside attorney (data breach lawyer) responsible for supporting the firm when a data breach occurs; the firm's personnel responsible for each item in the IRP; the cyber insurance policy and the contacts at the insurance agency; the number for the local FBI office and any other government agency with jurisdiction over cyber incidents affecting the firm; the name and number of a cyber forensics specialist; the process for containing and recovering from the breach, and for determining what was lost and the potential damage of the loss; which system logs to preserve, and how to preserve them, for forensic purposes; the process for communicating with the firm's employees, customers and suppliers; and a link to the data breach notification laws of the states in which the firm has offices. Practice by running exercises with the incident response team at least once a year to ensure the processes work as expected.
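The IRP item on preserving system logs for forensics is the kind of step worth scripting in advance so it is repeatable under pressure. The following Python script is an added example, not code from the article or from NetWatcher: it copies the log files named in the plan into an evidence directory, records a SHA-256 hash of each original and each copy in a manifest, and can later re-verify the copies so the team can show they were not altered. The log lines, file names, paths and collector name are all constructed for the example.

```python
"""Preserve system logs for forensics with an integrity manifest.

Added example, not from the article. Copies the log files an IRP names
into an evidence directory, records a SHA-256 hash for each original and
each copy in manifest.json, and re-verifies the copies on demand. All
log contents, paths and names below are constructed for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log contents standing in for the logs an IRP names.
SAMPLE_LOGS = {
    "auth.log": "Mar 03 09:12:01 fileserver sshd[1412]: Failed password for admin from 203.0.113.5 port 51324 ssh2\n",
    "firewall.log": "Mar 03 09:12:07 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389\n",
}


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_paths, evidence_dir, collector):
    """Copy each log into evidence_dir and write manifest.json with hashes."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in log_paths:
        dest = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dest)  # copy2 keeps the original timestamps
        entries.append({
            "source": os.path.abspath(src),
            "copy": os.path.basename(dest),
            "sha256_source": sha256_file(src),
            "sha256_copy": sha256_file(dest),
            "size": os.path.getsize(dest),
        })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Return the names of preserved copies whose hash no longer matches the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    altered = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["copy"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256_copy"]:
            altered.append(entry["copy"])
    return altered


def demo():
    """Preserve the constructed logs, verify, then alter one copy and verify again."""
    work = tempfile.mkdtemp()
    log_dir = os.path.join(work, "var_log")
    os.makedirs(log_dir)
    paths = []
    for name, content in SAMPLE_LOGS.items():
        p = os.path.join(log_dir, name)
        with open(p, "w") as f:
            f.write(content)
        paths.append(p)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(paths, evidence, collector="IR lead (placeholder name)")
    clean = verify_evidence(evidence)          # expected: [] (nothing altered)
    with open(os.path.join(evidence, "auth.log"), "a") as f:
        f.write("line appended after collection\n")
    after_change = verify_evidence(evidence)   # expected: ["auth.log"]
    shutil.rmtree(work)
    return len(manifest["files"]), clean, after_change


if __name__ == "__main__":
    print(demo())
```

In practice the list of log paths comes straight from the IRP, and the manifest should be stored separately from the evidence copies (and itself hashed or signed) so that the record of what was collected cannot be changed along with the copies.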
6. Secure the perimeter with a managed firewall and intrusion prevention system. Ensure all network devices with access to the internet (servers, routers, Wi-Fi access points, switches, firewalls, etc.) have up-to-date firmware and patches, and administrative passwords that are difficult to guess and changed regularly. Servers should only have the services and ports open that the applications supporting that system's users require.
In addition, any server application built with open source software should have a full bill of materials listing every open source library in the system, and updates to each of those libraries should be managed. Finally, traffic from countries in which the firm does not do business should be blocked at the firewall.
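The rule that servers only expose the services and ports their users' applications require is easy to state and easy to drift from, so it should be checked rather than assumed. The following Python script is an added example, not code from the article or from NetWatcher: it parses the output of `ss -Hltnp` from a Linux server, ignores listeners bound only to the loopback address, and reports any network-reachable listener whose port is not on a per-role allowlist or whose process is not the one expected. The sample `ss` output and the file-server allowlist are constructed for the example; `audit_live` runs the real `ss` on whatever host it is executed on.

```python
"""Audit listening TCP services against a per-role allowlist.

Added example, not from the article. Parses `ss -Hltnp` output (Linux,
iproute2) and reports network-reachable listeners that are not expected
for the server's role. The sample output and allowlist are constructed.
"""
import re
import subprocess

# Constructed `ss -Hltnp` output for a hypothetical file server.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1033,fd=40))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=900,fd=21))
LISTEN 0 511 *:8080 *:* users:(("java",pid=2210,fd=58))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:* users:(("xrdp",pid=1510,fd=11))
"""

# Hypothetical allowlist for the "file server" role: port -> expected process name.
FILE_SERVER_ALLOWLIST = {22: "sshd", 445: "smbd"}

# Address prefixes that mean the socket is reachable only from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text):
    """Yield (local_address, port, process_name) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:22" and "*:8080"
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "unknown"
        yield addr, int(port), proc


def audit(text, allowlist):
    """Return (port, process, reason) for network-reachable listeners outside the allowlist."""
    findings = []
    for addr, port, proc in parse_ss(text):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only: not exposed to the network
        expected = allowlist.get(port)
        if expected is None:
            findings.append((port, proc, "port not on allowlist"))
        elif expected != proc:
            findings.append((port, proc, f"expected {expected}"))
    return findings


def audit_live(allowlist):
    """Run ss on this host and audit the result (requires Linux with iproute2)."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return audit(out, allowlist)


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_SS_OUTPUT, FILE_SERVER_ALLOWLIST):
        print(f"port {port} ({proc}): {reason}")
```

Running the audit as a scheduled job and alerting on any non-empty result turns the "only required ports" rule into something the security committee can evidence; the same allowlist also tells the firewall administrator exactly which inbound ports have a justification.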
7. Secure the network against unintentional threats caused by the firm's own employees. Ensure computers do not grant users administrative privileges by default. Do not let users download freely from the internet, and invest in a content-filtering solution to control which sites users can reach. Make sure there is a process to keep users' operating systems, applications and supporting software patched. Avoid enabling risky software such as Adobe Flash or Oracle Java, as they are primary targets for ransomware; if you need them, keep them up to date, since older versions are highly vulnerable to attack. Provide offline backups of users' data in case they are hit by ransomware. If you allow BYOD, consider investing in a mobile device management solution and ensure phones can only connect to a guest Wi-Fi network. Consider which mobile operating systems may connect to the network, as many Android devices have known security vulnerabilities. Keep anti-virus software up to date and consider investing in an endpoint protection technology.
No one has been educating midsized firms about security. Many executives believe that firewalls and anti-virus software will protect them from a bad actor exploiting their organization. While that is partially true, the biggest issue is not a bad actor breaking in; it is an employee unintentionally letting the bad actor in without knowing they did. Firewall and anti-virus protections are still necessary, but they are not enough in today's cyber threat landscape. Midsized firms must move forward and build a robust security infrastructure, from both a policy perspective and a technology perspective, or they will lose customers, either for lack of controls mandated by those customers or from reputation loss after a serious breach.
Scott Suhy is the CEO of NetWatcher.