Cybersecurity is an all too familiar topic as of late. From public to private to political realms, black hat hackers are working in overdrive to reap monetary gain, political stimulus, or mere notoriety associated with large and small-scale data breaches. What’s more, in 2017, the cybercrime landscape underwent a noteworthy evolution, one that made human beings much less crucial to the equation.
Cryptoworms, for example, operate in similar fashions to their traditional malware and ransomware predecessors. They have a wide brief of purpose and pursuit, from encrypting and holding data for ransom, to accessing clients’ personally identifiable data, to destroying or exposing privy information. There is, however, one defining and frightening difference: these digital infections don’t require manual navigation from their creators.
Like its traditional counterpart, a cryptoworm requires a human creator to target and successfully penetrate an organization’s cyber defenses. But once an adversary gains access, a cryptoworm can be let loose to self-propagate through the entire network with little to no assistance from its human composer.
The advent of cryptoworms and other evolving cyber tactics compounds an increasingly volatile digital landscape. What’s more, the repercussions of failing to actively protect your clients’ personally identifiable information (PII) and other data are intensifying in lockstep with this increasing volatility.
The legal industry has come a long way in embracing the turn towards digital transformation and the need for accompanying cybersecurity. But, in many ways, the industry is still lagging.
Elizabeth Shirley, practicing partner at Burr & Forman and recipient of multiple Alabama and Mid-South “Super Lawyer” designations, specializes in cybersecurity, blockchain, cryptocurrency and electronic transaction law, among others. Burr & Forman regularly assists SMBs and mid-sized organizations with implementing strategies, practices, and policies concerning cybersecurity and compliance with applicable laws, as well as responding to cybersecurity breach incidents.
“As lawyers, we are trained to protect our clients and vigorously represent their interests. We have historically protected the attorney-client privilege, the work product doctrine, and other applicable privileges with regard to our clients. In the current technology environment, however, we also need to protect our clients by having cybersecurity procedures, policies, training, and IT security in our law firms. Cybersecurity is yet another way that lawyers must now protect their clients.”
The reality is, firms and other organizations in the legal space have extremely desirable data that thieves would all but sacrifice their last meal for. And with many firms inadequately prepared for sophisticated breach attempts, the legal space is shaping up to be a primary target for cyberattacks in coming years.
Three Ways Law Firms Can Keep Their Client Data Safe
As the content specialist for AssureSign, I’m adept at illustrating the cost, time, and security benefits of implementing e-signature. Yet, these benefits become moot if a firm is susceptible to a data breach, followed by a multi-million-dollar class action suit and hefty regulatory fines.
Because of the growing prevalence of cybersecurity concerns, we wanted to create a method of helping those with little to no knowledge of cybersecurity address their digital security needs. In 2017, we dedicated most of Q3 and Q4 to creating a step-by-step “how to” guide on cybersecurity strategies for SMBs and mid-sized organizations.
At the beginning of March 2018, AssureSign published “The Ultimate Cybersecurity Guide: 4 Easy Steps to Securing Your Organization,” a compilation of recommendations from The Department of Homeland Security’s cybersecurity division, standards from the National Institute of Standards and Technology (NIST), and our own internal cybersecurity experts.
The following excerpts are the three strongest pillars interwoven throughout the eGuide’s four-phased strategy.
Develop Policies & Procedures and Train Your Staff
eWranglers, a firm dedicated to bringing essential cybersecurity services to legal and professional service industries, developed a survey to assess cybersecurity readiness among small to mid-sized law firms. The survey was distributed to multiple firms at the ABA GPSolo Solos & Small Firm Summit in October 2017.
The results showed that only 33% of responding firms had implemented data protection policies, and a similar 33% had implemented employee cybersecurity training.
Among her many recommendations, Elizabeth advises firms to implement logical and explicit cyber policies that aim to protect employees and client data. These policies and procedures should be disseminated through initial and consistent employee training.
“One of the primary ways a hacker gains access to any organization’s network is through an unintentional act by an employee. Many times, they don’t even know they’ve made a mistake. Employees need to be trained to identify red flags and suspicious emails, to prevent a hacker from gaining access to the system.”
Here are four things your set of policies needs to address:
- The information you care about and why it needs to be protected
- How the information will be protected
- Who is charged with enforcing your policies and procedures
- To whom the policies and procedures apply
Specifically, your policies will need to address topics such as acceptable internet use, acceptable device and machine use, physical security and location of devices and machines, and contingency planning. Every policy should have accompanying procedures that illustrate what actions must occur.
Adopt Preventative Measures
Several prevention measures should be considered when creating the front lines of your data’s digital defense.
In the same eWranglers survey, 75% of responding firms reported having some type of anti-virus installed on one or more of their computers. Not too bad, right?
Of the responding firms, 58% reported having firewalls and email spam/phishing protection; 50% reported having backup and/or disaster recovery; 33% had the capacity for email encryption; only 25% had device encryption; and a mere 17% had directory security.
See the problem? The lack of a fully developed prevention infrastructure was extremely prevalent among the respondents, and these numbers are indicative of what Elizabeth commonly sees in practice.
“Law firms sometimes have bits and pieces of cybersecurity-related policies to comply with various applicable laws (i.e., HIPAA), but not a comprehensive strategy, program, policy, and training that is specifically dedicated to cybersecurity.”
Prevention is arguably the most important aspect of a firm’s cyber strategy, but with many factors—employee background checks, implementing user accounts, asset controls, network security protocols, browser filters, data encryption, etc.—implementing a prevention infrastructure is easier said than done.
Have an Incident Response (IR) Plan
Prevention is key to any cybersecurity strategy, but with the growing volatility of the digital ecosystem, planning for the undesirable is absolutely crucial.
Even Burr & Forman and their team of cyber-savants have an actionable IR to navigate the aftermath of a data breach.
“Having an IR is paramount for all organizations. It brings pragmatism and order to your mode of recovery during what can be a chaotic situation.”
A quality IR, like a prism, is defined by its many facets, all crucial to its structure. It’s not particularly difficult to build; it simply takes some road mapping and both internal and external collaboration.
Your IR should encompass three primary roles.
- Threat Researchers. This person or team is responsible for collecting data pertinent to the multitude of cyber threats in the entire digital ecosystem.
- Triage and Forensic Security Analysts. Triage analysts screen alerts from automated virus detection and determine whether each threat is valid or a “false positive.” Forensic analysts collect details and forensic evidence associated with a data breach.
- Incident Response Manager. This role is responsible for managing the team of threat researchers, security analysts, and any secondary roles assigned amongst your staff. In other words, they are the puppeteer of your post-breach proceedings.
Your response to a breach should encompass many activities. Identifying circumstances, safeguarding against further damage, collecting external intelligence, collecting logs and data, and notifying necessary parties should be part of your response.
These are the three main pillars of your cybersecurity strategy. Yet, once the immediacy of a breach has passed, your organization will need to have a plan for its post-response recovery.
Many international, national, and state regulations require specific disclosures within certain time-frames, among other actions (GDPR anyone!?). Additionally, you’ll want to revisit your overall strategy and identify any improvements that can be made to prevent a similar cyber-intrusion from happening in the future.
Keep in mind that many of the activities described above will likely be outsourced to a Managed Security Service Provider (MSSP) or other third-party security providers. If this is the case, before you begin your search, check out some recommendations for the selection process compiled from authorities like Elizabeth and other cyberlaw experts, The Department of Homeland Security, and NIST in the “Ultimate Cybersecurity eGuide.”
Tell them I sent you and it’s free! … just kidding, it’s free anyway.