Earlier this year, I wrote about making it right after a data breach and identity theft concerns here. In April, the Group Legal Service Association (GLSA) had a panel focused on the broader topic of cybersecurity. The presenters included Caren Shiozaki, Executive Vice President and Chief Information Officer for TMST, Inc.; Stephen Zetzer, founder and CEO of eWranglers, LLC; and Al Harrison, a patent attorney practicing intellectual property law with the boutique firm of Harrison Law Office, P.C. These experts discussed imminent threats to cybersecurity for attorneys and also reviewed techniques designed to help legal services providers better secure their businesses.
The panel identified the following threats:
- Ransomware: Where malicious software is placed on your machine and/or network and your computer access is held hostage until money is paid.
- Technology Obsolescence: If software updates and new technology are not implemented in a timely fashion, breaches can occur.
- Encryption: Keeping client data safe on all devices.
- Bring Your Own Device (BYOD): When employees and contractors bring their own laptops and phones onto your network, security can be compromised.
- Remote Access: Part of working remotely is having a secure link to the office.
- Email Phishing scams: Even savvy employees fall for emails that look like they come from contacts.
- People: Many breaches trace back to human error or action, so your employees can be the weakest link but, with training, can become the strongest link.
One panelist referred to a 2017 PwC study that reported that employees and outside vendors make up 50% of the top threat, at 30% and 20% respectively. We are all targets, but the key is to become a difficult mark: a company that is hard to hack or take over.
The panel presented some tips for defense or protection:
- Build a Culture of Cybersecurity: Embed security in the daily routine and provide training for employees and vendors alike, even customers if necessary. Many say that what people do or do not do is the biggest contributor to exposure. Awareness and standards for appropriate conduct are key.
- Establish IT Governance: Understand and manage your IT hardware and software, including ensuring adequate support and upgrades, whether using inside or outside experts. Scrimping on technology can leave you wide open to a breach. For example, many firms do not upgrade to the latest browsers, which compromises security.
- Regularly Review Internal Policies and Procedures: Security is just as important as finance and administration and should have the same level of review. Hire an outside firm if you lack the expertise; this is an area where outsourcing makes sense.
- Ensure your 3rd Party Partners are not Weak Links: When you link or use others’ software or have contractors on your network, invest in proper training and security for those users. Vet all the software partners and vendors. Again, if you are not sure about this, hire an outside company that specializes in setting up this process.
- Invest in Skills of your Team, IT and beyond: Regardless of firm size, adequate training and resources for the IT Team on security is a must. However, do not stop with the technology people, because any employee or vendor can be the weak link and source of a breach.
In the end, it comes down to having a well-established culture around cybersecurity, complete with training and an understanding of the necessary investment. From the results in the 2017 ILTA Technology Survey here, overall, firms are making the necessary improvements, such as training, phish testing, requiring two-factor authentication for remote access, and funding intrusion detection and prevention systems. It’s no surprise that the firms surveyed cited balancing security with usability, user acceptance and behavior, and user education and awareness as the top three biggest law firm security challenges. Also, half of the firms reported that they have an external firm do an annual security assessment. This all impacts personal security when you are using your own device. You can learn more about what to do about identity theft concerns after a breach here. And as always, please reach out to me on Twitter @gundog8.