Cyber Security, Part 2: Firms Should Avoid These Common Mistakes
May 9, 2016
J. Randolph Evans and Shari L. Klevens
The idea of cyber security may be foreign—or even frightening—to many attorneys. However, as evidenced in Part One of this series ("Cybersecurity: You Can't Afford to Ignore It Anymore," April 25), law firms appear to be the next great target for hackers. In light of that, as a risk management prevention tool, attorneys and firms need to be aware of how to protect themselves.
Often, when a cyber breach reaches the news, it is because something bad has already happened. Some cyber attacks may be inevitable, but there are common mistakes that many practitioners make. Here are some mistakes made by other firms and attorneys, and how those mistakes can be avoided.
'Prevention' Is a Goal
Many law firms develop plans for what to do once a cyber attack happens. However, it is just as important for firms to focus on prevention of attacks. Notably, preventing a cyber attack is not solely an IT issue, but rather, is a risk management issue.
Firms that have successfully prevented cyber breaches have generally followed four key steps. First, some law firms have implemented a cyber security program, incorporating some common elements, such as anti-virus protections, firewalls, secure connections and requiring passwords for mobile or desktop devices.
An often overlooked principle of a cyber security program is determining what actually constitutes a "breach" that will require a response or, possibly, notification of authorities and impacted individuals. For some law firms, any unsanctioned access of a firm system may be a "breach;" others may not call it a "breach" until someone has taken something (like data or files or money) that does not belong to them.
Second, some firms have adopted a robust incident response plan. Once a breach event occurs, it is easy for panic to set in. That is why many law firms design a response plan before a breach occurs. It may also help a law firm defend against any claims of negligence should a breach occur.
There are a few common elements that most firms consider for their incident response plan: appointing a person to be in charge of the response upon a breach, the reporting chain of command for addressing a breach, physical locations of servers and where certain information is stored (to help support the internal investigation), a plan for conducting interviews and collecting and preserving evidence, a policy of determining when to involve authorities, a plan for notifying employees or affected parties (which ideally will reflect legal disclosure requirements) and media strategy.
Third, firms often test their systems. Law firms experienced in this arena routinely review their records and activity logs to determine a baseline for what activity on the system is "normal." Most hacks, malware or phishing emails do not alert the law firm: "You have been compromised." More often, evidence of a hack is more subtle. Other times, the law firm notices the impact (e.g., money missing from an account) but did not notice the breach.
A law firm can only really determine what activity is "abnormal" after it knows what activity is "normal." Some law firms treat this issue like their corporate clients might—by hiring a "white hat" hacker to test the system. This shows a law firm where the vulnerabilities are in the firm's networks. It also helps a law firm identify what sort of suspicious behavior to look for in the future.
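The baseline-then-compare idea in the two paragraphs above can be shown concretely. The following is an added example, not code from the article or from any firm's systems: it reads a few constructed access-log lines (the user names, hosts and counts are invented, and 203.0.113.77 is a documentation address), learns each user's usual hosts, working hours and file volumes from a "known good" period, and then flags later events that fall outside that baseline. The log format and the three rules are assumptions chosen for illustration; a real firm would build the baseline from weeks of its own logs and tune the thresholds.

```python
"""Learn a per-user baseline from activity logs, then flag abnormal events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log from a period the firm considers "normal".
BASELINE_LOG = """\
2016-04-04T09:02:11 user=jdoe src=10.0.1.15 action=login
2016-04-04T09:15:40 user=jdoe src=10.0.1.15 action=open_file count=4
2016-04-04T17:48:03 user=jdoe src=10.0.1.15 action=logout
2016-04-05T08:55:27 user=jdoe src=10.0.1.15 action=login
2016-04-05T13:10:12 user=jdoe src=10.0.1.15 action=open_file count=6
2016-04-04T08:40:09 user=asmith src=10.0.1.22 action=login
2016-04-04T11:05:33 user=asmith src=10.0.1.22 action=open_file count=2
2016-04-05T09:01:50 user=asmith src=10.0.1.22 action=login
"""

# Constructed sample log under review: ordinary activity plus two
# events at 3 a.m. from an unfamiliar host pulling hundreds of files.
REVIEW_LOG = """\
2016-04-18T09:05:14 user=jdoe src=10.0.1.15 action=login
2016-04-18T10:22:41 user=jdoe src=10.0.1.15 action=open_file count=5
2016-04-19T03:14:07 user=jdoe src=203.0.113.77 action=login
2016-04-19T03:16:52 user=jdoe src=203.0.113.77 action=open_file count=480
2016-04-18T09:00:02 user=asmith src=10.0.1.22 action=login
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts; count defaults to 1."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        event["count"] = int(event.get("count", 1))
        events.append(event)
    return events


def build_baseline(events):
    """Per user: hosts seen, earliest/latest hour seen, largest file pull."""
    baseline = defaultdict(
        lambda: {"hosts": set(), "first_hour": 24, "last_hour": -1, "max_files": 0}
    )
    for event in events:
        entry = baseline[event["user"]]
        entry["hosts"].add(event["src"])
        entry["first_hour"] = min(entry["first_hour"], event["ts"].hour)
        entry["last_hour"] = max(entry["last_hour"], event["ts"].hour)
        if event["action"] == "open_file":
            entry["max_files"] = max(entry["max_files"], event["count"])
    return dict(baseline)


def find_anomalies(events, baseline, volume_factor=10):
    """Return (event, reasons) for events that break any baseline rule."""
    findings = []
    for event in events:
        entry = baseline.get(event["user"])
        if entry is None:
            findings.append((event, "user never seen in baseline period"))
            continue
        reasons = []
        if event["src"] not in entry["hosts"]:
            reasons.append("new source host")
        if not entry["first_hour"] <= event["ts"].hour <= entry["last_hour"]:
            reasons.append("outside usual hours")
        if (event["action"] == "open_file"
                and event["count"] > volume_factor * entry["max_files"]):
            reasons.append("file volume far above baseline")
        if reasons:
            findings.append((event, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for event, reasons in find_anomalies(parse_log(REVIEW_LOG), baseline):
        print(event["ts"].isoformat(), event["user"], event["src"], "->", reasons)
```

Only the two 3 a.m. events from the unfamiliar host are reported; the rest of the review day matches the baseline and stays quiet. The point for a firm is the one the article makes: none of these rules is useful until the "normal" side has been measured from the firm's own logs, and the same rules make a good starting list of what to ask a hired tester to try to trip.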
Fourth, many firms train their employees to recognize what some risks look like, what the firm's security policies are, and how to report a suspected breach. Firms may also consider whether certain information, programs, or files should be limited to specific employees to reduce the risk of inadvertent disclosure, loss, or an internal incident.