By Jennifer Moreno, CISA
Some law firms learn the harsh reality of cyber risk the hard way; let's make sure yours isn't one of them.
Just this year, Campbell Conroy & O'Neil was hit by a ransomware attack[1] in which highly sensitive client data was accessible to cybercriminals. It's still unclear what data was actually stolen or accessed, but any amount of exposure in a data breach for a law firm is, at best, unnerving and, at worst, could result in significant consequences for clients' personal lives as well as liabilities for the firm.
The Institute of Risk Management (www.theirm.org/) defines cyber risk as "any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information systems." When it comes down to it, cyber risk easily morphs into business risk, and it should be treated as such. Cyberattacks can cause business interruption (where operational systems are down) and even reputational loss. If there is a data breach, liability claims and legal action will arise for noncompliance with regulatory agencies.
Leadership at many law firms may be misinformed, believing cyber risk management solely lies with their IT department. In actuality, cyber risk management is the responsibility of everyone within the firm.
Level-Up From Prevention to Resilience
Because data storage in general has shifted from being on premises to being in the cloud, network perimeters are no longer easily contained within your firm's local network or local internet connection. In short, IT departments no longer have physical control over the network to prevent bad things from happening. In simpler times, a firewall was the digital gateway managed and monitored by the IT department, but now the firewall includes each of the valued team members who operate in your firm. It's time to build elasticity into your cybersecurity practices; we call this cybersecurity resilience. Here are key components to start implementing or improving upon at your firm.
IT governance directs the IT function and strategy, and assists with ensuring executive leadership is tuned into operations and verifying alignment with overall strategic, business and risk-management objectives.
Ultimately, executive leadership will be held responsible for data breaches and ransomware attacks, which is why it is imperative that there is a strong IT governance presence within your firm.
IT Policies & Procedures
Develop formal IT-approved security policies and procedures to provide guidance for essential processes. IT security policies should provide the basis for an information security program, establish the direction for processes and controls, and define user responsibilities for acceptable use of firm technology. Once the firm's IT policies and procedures have been documented and approved by management, remember to review them annually to ensure processes are accurately adopted and communicated to firm staff.
As technology risks grow, preventive systems need to advance. Firewalls, intrusion detection and intrusion prevention systems, GEO IP filtering, endpoint protection, advanced threat protection, secure remote access, mobile device management, and multi-factor authentication are all security implementations law firms should consider to optimize security protocols and create best practices.
- Patch and update systems regularly to close the gap on software vulnerabilities.
- Research and improve data backup technology and cloud backup alternatives. Practices like these have played an integral role in data recovery after an incident.
- Conduct regular internal and external IT audits, as well as technology risk assessments, to help your firm recognize and close technology gaps and assist in prioritizing risk.
Security Education & Awareness
One of the single most important steps firms should be taking to mitigate cyber risk is to educate employees. For years, IT prevention systems have been in place to thwart bad actors. However, a recent article from Hacker News[2] cites IBM research finding that 95 percent of all breaches were related to human error. Cybercriminals these days are seeking to create opportunity by hacking people, not necessarily just systems. In your firm, the absence of a robust and continuous employee cybersecurity awareness training program leaves the door wide open for cybercriminals.
Implementing a Cybersecurity Awareness Education Program
- Ensure firm leadership understands the risks of an uneducated workforce.
- Create a program that incorporates onboarding, proactive and reactive training for all employees, contractors and temporary workers.
- Establish reporting percentages to help management measure training performance throughout the year; set a risk indicator percentage goal to keep your firm on track.
- Require training throughout the year, keeping employees engaged and up to date with new threat schemes.
- Include interactive training modules with follow-up questions to keep employees engaged.
- Phish all team members on a regular basis to provide teachable moments; implement remedial training for employees who underperform.
- Establish an approved policy and plan early on how your firm will handle noncompliance with meaningful sanctions; ensure zero tolerance for those who fail to comply with remedial programs.
Monitoring & Assessment
The average time from a data breach to detection is roughly six months, and almost all breaches are detected by someone else, often the FBI. Assessing existing monitoring systems and conducting routine penetration testing and network vulnerability scans will help identify network gaps and mitigate cyber risks. Proactive monitoring of the network with real-time alerting will assist your IT team in detecting rogue network activity. Implementing Security Information and Event Management (SIEM) provides real-time visibility and analysis across information security systems.
Data Classification & Retention
Know where your clients' sensitive and critical data is located on the network. Create a data classification and retention policy to identify the different types of data your firm maintains and how long each type of data should be retained. Conduct an inventory of all data and establish classification levels such as confidential, sensitive, public, etc. Once this data has been mapped out, ensure employees have been given the appropriate data-access permissions to mitigate the risk of an unintentional or intentional data breach.
Time is of the essence when responding to a cyber incident. It's essential that your firm have a documented incident-response plan that details best practices so your IT and incident-response teams can effectively and efficiently respond to a variety of identified cyber incidents. Your incident-response plan should:
- Establish the owner of the plan and define ownership duties
- Have a cybersecurity incident response plan (CSIRP) team that will define a clear mission, roles and responsibilities
- Include training and testing requirements for the CSIRP team to ensure plan familiarity and contribution to the response and recovery process
- Identify multiple types of incidents and classify the severity of each
- Implement tools for incident detection and analysis to determine plan initiation scenarios
- Define a communication process to manage end user expectations in an incident
- Include steps for containment, eradication and recovery to ensure you are able to stop the attack, remove it from the environment, and get team members back in action
- Ensure there is an investigative process that will include evidence-handling procedures
- Set the expectation for a post-incident review or report to document the event
Business Continuity & Recovery
When the COVID-19 pandemic first hit, many businesses didn't have a business continuity plan to pivot from an office environment to a work-from-home environment, which negatively affected operations. The same case can be made when an organization experiences a ransomware attack. Should a data disaster be declared, best practices for business continuity and recovery must have been established beforehand to assist law firms in identifying effective and efficient recovery processes. Having a documented and tested disaster-recovery plan, with detailed recovery-point objectives (RPOs) and recovery-time objectives (RTOs), is vital for ransomware recovery or any other cyber risk that affects systems and data.
Obtain cyber-liability insurance coverage to help protect your firm should there be a cybersecurity incident. Ensure you're working with a well-versed broker, or consider having an independent third party review the policy to ensure necessary coverage. Look for complimentary pre-breach or post-breach services, such as a "data breach coach," should you need guidance through the process. As many policies are unique, understand what your firm's policy covers and carefully review the policy exclusions and limitations.
Key coverages to look for in a cyber-liability policy are business interruption, computer fraud, social engineering, privacy and security liability, and ransomware. With the increase in cybercrime, insurance companies are taking into account the best practices that their clients (or potential clients) have implemented. Not having best practices in place (such as a formal security awareness training program, an incident-response plan and multi-factor authentication) could make your firm an undesirable risk when seeking to obtain insurance coverage.
Third-Party or Managed Service Providers
We are repeatedly reminded of cybersecurity incidents happening to organizations through a third party (Target, Home Depot) due to the absence of IT vendor management. Unfortunately, this happens all too often to small and medium businesses who trust their third-party vendors (or managed service providers) to have robust security processes and controls in place. Law firms should be managing and vetting their vendors to mitigate cyber risk by requesting to review service provider SOC2 audit reports, confirmation of cyber-liability insurance, and by reviewing service contracts.
It's also imperative that your firm actively monitor any vendor access to the network, and that you ensure strong security controls are implemented over vendor access to prevent any unintentional or intentional opportunity for vendors to reach your firm's sensitive data.
Creating a culture for cybersecurity awareness is essential for law firms to prevent cybercriminal access to highly sensitive client data, such as Social Security numbers, medical information, health insurance information and even biometric data. Leadership must take an active role in cybersecurity and understand that responsibility no longer belongs solely to the IT department. Incorporating proactive and resilient cybersecurity protocols in your firmâ€™s practices will help create a strong and vibrant cybersecurity posture and help your firm stay on top of ever-evolving cyber risks.
1. Brian Fung, Ransomware hits law firm with dozens of major corporate clients, CNN Bus., July 19, 2021, www.cnn.com/2021/07/19/tech/ransomware-law-firm/index.html.
2. Why human error is #1 cyber security threat to businesses in 2021, Hacker News, Feb. 4, 2021, https://thehackernews.com/2021/02/why-human-error-is-1-cyber-security.html.
JENNIFER MORENO, CISA, is an REDW Information Technology & Cybersecurity Consultant. She joined the IT consulting group in 2015 after serving in REDW's internal IT group for 13 years. She has acquired substantial experience in IT audits, IT risk assessments, cybersecurity assessments, policy and procedure development, security awareness training, and other IT consulting services for tribal and public governmental and not-for-profit entities. She is responsible for IT risk assessment and regulatory compliance for the firm and helps develop strategic and tactical IT plans. As a member of REDW's Business Continuity Planning Committee, she also assisted with the creation of REDW's Information Technology Governance Council.