Whether you’re heading to trial or advising a client on a legal matter, success depends on preparation: good, thorough, and highly disciplined preparation, to be exact. The better prepared you are, the more effective you will be, and the more effective you are, the more likely your client will go home at the end of the day with a smile from ear to ear.
The same is true when it comes to the question of cybersecurity essentials. The better prepared you are to thwart attacks on the electronic systems and devices you use in your legal practice, the more likely your client’s sensitive data will remain secure (and, by extension, the more likely the one wearing that ear-to-ear smile this time will be you).
It’s unfortunate that bad actors work long and hard every minute of every day hoping to break in and loot your data warehouse. Consequently, it is essential that you establish effective cybersecurity defense policies and procedures to thwart these criminals.
The federal Cybersecurity and Infrastructure Security Agency (CISA) has helpfully sketched the contours of those policies and procedures. From my point of view as a provider of cybersecurity solutions, I can tell you that CISA’s advice is really strong.
CISA invites you to create a “cyber-readiness culture within your law firm.” This culture, CISA says, emerges not from a single big bang but as the product of half a dozen or so small steps. Let’s look at them.
Cybersecurity Essentials: It All Starts With You
You, CISA maintains, are the foundation of all cultural changes affecting your office, and cyber readiness is no exception.
So it’s up to you to get the ball rolling. Start by evaluating the extent to which your practice is IT-based (so you can estimate how much you’ll need to invest in a cybersecurity solution that can provide adequate protection for sensitive data entrusted to your business).
Next, you need to develop trusted external relationships, the most important of which is the one you form with a cybersecurity company. Such teams know all the tricks hackers and phishers rely on to penetrate your defenses. Getting by without a cybersecurity company at your side will turn out to be a lot like walking into a boxing ring blindfolded, with both hands tied behind your back and gum stuck to the bottom of each shoe.
Another way a relationship with a cybersecurity company will pay off is that you won’t have to develop policies on your own. These services, including mine, have policy templates ready for you to adopt.
Teach your staff to be vigilant
The people who work for you are at risk of falling victim to phishing schemes and email compromise. The reason is that they just don’t know what to look for. Consequently, education is an important part of cyber preparedness at the staff level.
In my cybersecurity solution, staff training is central because, as autopsies of data breaches show time and time again, the weakest link in a law firm’s defenses against cyberattacks is often an employee whose data-handling hygiene is poor through lack of knowledge. (Good data hygiene, by the way, involves things like requiring the use of multi-factor authentication to log into computers and insisting on password managers to create strong individual and shared passwords.)
A word of caution: Don’t take the position that staff training is a one-time, annual affair. It is something that should continue throughout the year. And it must be based on storytelling, which makes the instruction memorable (as opposed to rote learning presented via a PowerPoint slideshow).
Know your systems
Do you know how many and what types of electronic systems are deployed in your office? Do you even know the exact location of those systems? If you’ve lost count (or, worse, lost track of their whereabouts), you need to take stock immediately. Only then can you assess which computers and devices are vulnerable to attack due to outdated or damaged software, or even software that should never have been loaded onto your systems in the first place.
Allowing a cybersecurity company to help you with this will greatly simplify the process of continually monitoring your systems for leaky software and then patching those security holes immediately.
Don’t let just anyone have access
A useful statement to include in your company’s cyber policy manual would state that only those employees in good standing and considered trustworthy should have access to the digital ecosystem you have built. Find out who’s on your network, then kick out all unauthorized users (you’ll gain value from a second policy that sets out a procedure for dealing with users who leave your company, get fired, or transfer between departments). For those to whom you do grant access, your policy should require that authorization be granted on a need-to-know, least-privilege basis.
Also make it a policy that everyone who walks away from their computer must first lock the screen and use their assigned password, created by the password manager, to unlock the machine when they return to it. The reason for this is that a fully open, unattended computer screen is a huge vulnerability: it would be all too easy for a disgruntled employee from another part of the office to drop into the user’s temporarily unoccupied chair and start accessing files that are supposed to be out of the intruder’s reach.
Data and system backups are vital
Data is surprisingly easy to lose (especially to malware and ransomware attacks). That’s why your preparedness plan should include provisions for backing up your data: daily is good, hourly is better, and continuously is ideal.
Regardless of your backup schedule, the process should be done automatically, without the need for a human to remember to perform the task at the designated time (because the human is likely to forget on more than one occasion).
In addition to backing up your data, make it a policy to back up your systems, and make sure all those backups are protected electronically and physically (a smart move is to encrypt them before storing them in a secure location geographically distant from your office).
Have a crisis response plan
You may have the best system and data defenses on the planet, but there will still be a chance that a determined thief will breach them. In that case, you will need to switch to crisis response mode.
In response to a cyber attack, your first act should be to disconnect from the Internet. Your second act should be to contact your cyber insurance company.
Of course, you can only get help from your cyber insurance company if you take the step, before the attack, of getting a cyber insurance policy. The beauty of such coverage is that it can save you from the disastrous effects of a successful cyber theft: financial ruin, reputational damage, and possibly even the suspension or loss of your law license.
Another crisis response preparation step is to develop a list of outside private individuals and organizations, as well as law enforcement agencies, that you should contact immediately upon discovering a breach. And another step is to compile a list that tells you which systems to restore first, second, and third based on the nature and effects of the particular attack.
Finally, you’ll need a communication plan to guide you through the difficult task of informing the public (and your state’s bar association) that cybercriminals have successfully looted your data vault. And you will want to PRINT this guide and put it in an accessible place.
—
Cyber attacks can happen to you, regardless of whether your law firm is large or small. There are no size exemptions when it comes to the schemes of online crooks, whose number, by the way, is legion and growing. As such, it is incumbent on you to be prepared for any attempt to steal data that you are legally and ethically bound to safeguard.
Think of it this way. The one who comes to the fight better prepared is usually the one who wins. Cyber crooks are prepared, very prepared. You can defeat them, but only if you are better prepared than they are.
Tom Lambotte
CEO of Boba Guardia
This article was provided by Tom Lambotte, a cybersecurity expert who has been in the helpdesk industry for over a decade. Tom founded bobaguardia in 2019, offering turnkey solutions for independent lawyers and small and medium-sized law firms. In addition, Tom is also the CEO and founder of GlobalMac IT, an established managed services provider specializing in serving attorneys across the country who use Macs, by implementing their Proven Process™.