4 Cybersecurity Best Practices That Law Firms Should Prioritize in 2017
James Britt & Laurie Fischer
Last year, a massive cyberattack on law firm Mossack Fonseca exposed some of the world’s most powerful people in a web of suspicious financial transactions. Dubbed the Panama Papers, the 11.5 million published documents revealed a widespread system of global tax evasion involving prominent individuals from FIFA soccer officials to the Icelandic Prime Minister.
The Panamanian law firm, however, was far from the only legal organization to suffer a major hack in 2016. A recent survey published by the American Bar Association found an additional 26 percent of law firms with 500 attorneys or more experienced security breaches in the past year.
Given the recent instances of outside cyberattacks on the legal industry, it is clear that law firms must do more to improve IT security standards. Particularly for large firms with a global presence, poor cybersecurity processes leave multiple entry points for hackers to exploit. As cyberattacks continue to escalate, the legal industry will be faced with a choice: either address internal weak spots and strengthen security protocols or face damages (both financial and reputational) when the next hacker strikes.
Cyberattacks Force Law Firms to Re-examine Information Security Protocols
Since 2011, 80 percent of the largest 100 law firms (by revenue) have been victims of cybercrime, according to the ABA report. The consequences of a cyberattack can range from unauthorized access to sensitive client information to debilitating damage to a firm’s public reputation. Law firms can also suffer excessive downtime or the loss of billable hours following a significant data breach.
Security experts note that law firms are at least three years behind data security standards, and are reluctant to adopt (or invest in) technology solutions. Although law firms are entrusted with volumes of confidential information, most have limited or no document security policies in place. And despite FBI warnings of targeted cybercrime attempts, 90 percent of law firms report assigning just five or fewer employees to oversee information security management.
The Panama Papers served as a wake-up call for law firms, forcing many firms to acknowledge a discomfort with cybersecurity. With significant revenue and client trust at stake, law firms need to invest in data protection technology tools to eradicate the processes and careless employee habits that lead to internal security vulnerabilities.
How Law Firms Can Strengthen Cybersecurity in 2017
Protecting a firm’s digital assets begins with improving end user habits and compliance with security protocols. For years, law firm cybersecurity systems were siloed and treated solely as an “IT problem” – an issue that continues to plague the industry. Today, a unified approach is crucial to plugging gaps that previously provided hackers with easy access to client information. Here are several steps the legal industry should prioritize to strengthen its cybersecurity measures in 2017:
- Establish a Holistic View of Governance: Law firms must abandon the outdated method of managing information in distinct silos and adopt a broad view of governance to protect their data. An important first step for any law firm is to establish a holistic cybersecurity program, taking stock of all firm assets (including information, hardware and software systems) that need to be protected. An overarching governance policy establishes a clear framework of accountability and designates which individual or team is responsible for security oversight. Governance policies should also include steps outlining how to prevent, detect and respond to possible data breaches, and what role employees will play in the recovery process.
- Create a Layered Defense System: With a layered defense system in place, law firms that experience a cyberattack can limit the damage left behind by cybercriminals. A multi-step defense strategy includes filtering the information going in and out of a law firm, and establishing controls for data stored on corporate networks. Two-step authentication and file encryption provide an additional tier of protection, especially for firms with remote employees. Other layered defense tactics include consistent web and network monitoring, installing anti-virus and spam filtering software, and implementing a data-loss prevention system to impede both malicious hackers and careless end users.
- Train Employees on Best Practices: Employee compliance with information security protocols is a critical component for any successful cybersecurity program. Less than 10 percent of employees know if their firm has security policies in place, raising concerns about end user awareness. And while half of firms report having a secure email policy in place, 89 percent of lawyers admit to falling back on poor email habits, such as failing to encrypt correspondences. Cybersecurity programs are not effective if users are unaware of or do not understand best practices to safeguard their work. As law firms develop robust security measures, employees should be consistently trained on new policy initiatives, and refreshed on existing best practices.
- Develop a Comprehensive Breach Response Plan: All law firms should have processes in place in case a security breach does occur, but only 38 percent of attorneys say their firms have a disaster recovery plan, according to ABA research. A sound recovery plan should include an immediate assessment of the size and scope of a breach, and establish a formal communication plan for notifying internal and external clients and stakeholders. Firms should also consider contacting additional legal counsel and computer forensic experts to work with law enforcement in the case of a cyberattack. To avoid a complete loss of information, law firms should routinely back data up to external hard drives or secure cloud solutions. While a comprehensive breach plan does not prevent a cyberattack from happening, it can help firms more quickly recover from an incident.
As hackers continue to launch attacks against the legal industry, firms need to pay more attention to their cybersecurity posture and practices. Previously considered an IT department responsibility, information security must be treated as a holistic solution involving firm leadership as well as end users. In an increasingly complex and competitive market, law firms cannot afford to ignore cybersecurity. Those firms that invest in security processes are the ones that will continue to see increased value for clients, shareholders and internal stakeholders, and improve the bottom line, while mitigating risks.
James Britt serves as a senior director for HBR Consulting and has over 25 years’ experience in technology consulting, business development and law firm management. Prior to joining HBR, he was the Managing Director at eSentio Technologies. Jim has also held senior positions at several major law firms, including Cahill Gordon, Skadden Arps, Mintz Levin, and Choate Hall & Stewart. Jim was co-founder of Discovery Systems Inc. and an early partner in Ibis Consulting, developing software and consulting with clients on complex litigation issues. As CTO for Global Risk Exchange (GRX Technologies), his team built a SaaS platform enabling oil companies to perform risk assessments related to their world-wide assets and then buy, sell and manage complex, global insurance contracts. Jim has been a regular speaker at industry events and private venues on a broad range of topics including business continuity, IT Infrastructure design and planning, security, risk management and strategic technology planning.
Laurie Fischer serves as a managing director for HBR Consulting, leading the Information Governance practice tailored to address the increasingly complex and demanding regulatory and technological challenges of today’s information management environment. Laurie has over 25 years of consulting experience partnering with clients of all industries and sizes to help them achieve their enterprise-wide compliance and governance objectives. Laurie is a recognized thought leader who enjoys speaking at industry-leading events throughout the year. Prior to joining HBR, Laurie was a managing director at Consilio and Huron Consulting Group.