Nearly every day we hear news of some new, large-scale cyber hack. For instance, the recent OPM database hack compromised personal information for over 21 million past and current federal employees and contractors. This attack, along with those on Target, Home Depot and several large insurance companies, have certainly brought the issue of cybersecurity to the forefront. Opinion polls consistently report the risk of a cyber-attack as one of the top three issues keeping executives up at night.
Earlier this year, our 100-lawyer firm, Lewis Thomason, made cybersecurity a higher priority. We are focusing more time and energy on several critical issues around cyber-risk. In addition to strengthening our own internal security processes, we also expanded the cybersecurity services we offer our clients by leveraging existing relationships with a number of firms including Sword & Shield Enterprise Security, a prominent national information security firm.
We’ve learned some interesting things about cybersecurity, including why it’s so important for law firms to immediately address the following five “deadly sins.”
1. The door is open.
Passwords are the one security routine we all know to be essential. But not all passwords are created equal, and inferior passwords often live too long. Hackers only need to successfully capture one user’s password to open the door and access your data. Some experts believe passwords have outlived their usefulness and stronger safeguards, such as dual-authentication tools, are now necessary.
At a minimum, firms need to ensure that the password door is closed to intruders. Implementing policies that reinforce strong passwords can go a long way in this effort. We suggest implementing the following criteria for more secure passwords:
- Update passwords quarterly
- Do not repeat passwords
- Require passwords to be a minimum of 10 characters in length, using a combination of numbers, letters and special characters
- Exclude use of names or so-called “dictionary words”
2. People are helpful.
As a provider of professional services, most law firms view timely attorney and staff response as highly important. A too hasty, less-than-thoughtful response, however, can have serious security ramifications. Hackers can exploit these service-oriented behaviors, such as sending “spoof” emails which appear to be from a familiar client’s email address. When opened, the email or an attachment deploys malware, allowing the hacker access to your network.
Hackers do their research. Clients and attorneys are often highlighted on firm websites, and a simple phone call can often reveal which client works with a specific attorney. With those details a hacker can then send a spoofed email under the mask of a client’s question. Here at Lewis Thomason, we recently experienced an attempted spear-phishing attack where the CFO received a spoofed email “requesting” a $95,000 wire transfer. Had the wire been sent, it would have almost certainly been unrecoverable.
As phishing attacks continue to increase in sophistication, the weakest security link in a firm’s perimeter—its people—are increasingly exposed. Awareness training among staff of all levels is therefore critical and, moreover, should be viewed as a continuous process and not a one-time annual undertaking.
3. Awareness is not translated into priority.
Law firm leaders and administrators are bombarded with information and training on cybersecurity issues, and yet for many this awareness does not appear to be translating into protective security plans and actions. It is easy to rationalize away the risk. After all, isn’t it the billion-dollar companies and government entities, which have the high volume of personal data, financial assets or intellectual secrets, the ones that the bad guys are after?
We’re a mid-to-small law firm so we’re under the cyber-hack radar, right? As it turns out, law firms generally are an attractive target to hackers. They have cash to be stolen, client data that can be exploited, and employee personal information that can be sold. Furthermore, law firms of any size have information on clients that a hacker can use to access other systems.
While important, awareness training alone will probably not be a satisfactory response if your firm has the unpleasant task of notifying its major client that confidential information has been breached. You need a security plan, and the first step in that plan is to assess the risk your firm faces. That analysis should consider the two drivers of risk—business or practice risk and technology utilization. Business or practice risk results from the types of law you practice and clients you serve. For example, a boutique firm working in intellectual property is at a higher risk than a general practice. A firm with a high percentage of its billable work in one or a few clients poses a higher risk than a firm without this concentration. And finally, those that have institutionalized employee cybersecurity continuous training programs have reduced risk.
4. Monitoring and detection tools are not utilized.
As cybercriminals are getting bolder, the tools to identify attacks are also becoming more sophisticated. Effective information security is about due diligence, intelligence and having insight into who is interacting with the data and how they do it.
Some of the most important protection tools available to firms include a monitoring device to capture logs and an intrusion detection system to watch live traffic as it comes through the firewall. Sadly, not all firms feel these tools are important. They often take the “I don’t have anything of value” stance, when in truth any data available to a cybercriminal is worth taking.
To protect the firm’s valuable data asset, at a bare minimum it should deploy detection and monitoring systems and services.
5. Perception that security controls are cost prohibitive and hamper billable work.
The mindset of many is that security controls make their job harder and have a negative impact on productivity (billable hours, in particular). However, a properly designed and managed cybersecurity program takes into account the specific business requirements of the firm and will actually enhance productivity over time.
Productivity killers come about when unsecure and non-compliant business practices create an opportunity for data loss and breach situations. Not to mention, both the cost of lost revenue in real dollars when clients take their business elsewhere or elect not to do business with a firm due to its inability to show due diligence in securing data.
In summary, the time for action is now. The risks these five “Deadly Sins” pose to your firm are very real in our technology-driven world. Choosing to ignore these security threats may result in damage to your brand and loss of valued clients. Your firm can start addressing security today by creating a risk-based security plan that is implemented and understood by all employees.
About the Authors
William Kunkel is the Chief Financial Officer at Lewis, Thomason, King, Krieg & Waldrop, P.C., a firm using Aderant Total Office for case management.
Justin Joy is an attorney at Lewis Thomason, providing counsel on information privacy and cybersecurity, focusing on security awareness, policy drafting, incident investigation, response management and other areas of cyber risk management.
Brent Cantrell is Sword & Shield’s Director of Managed Security Services and has 29 years of in-depth IT expertise, as well as extensive experience in business and technical leadership.
Fred Cobb is the Director of Enterprise Security Solutions and Healthcare Compliance Services for Sword & Shield and serves as both an analyst and as a Virtual Security and Compliance Consultant for a variety of high profile projects for Sword & Shield’s customers in the healthcare and retail industries.