There can be no greater mandate for a law firm than the protection of client and business information. Cybercrime can be committed from within an organization by an unhappy employee, or it can strike from outside via organized criminals. Fortunately, a law firm can draw on a virtual armory of security measures that, if appropriately used and regularly revisited, go a long way toward protecting its most precious commodities.
Assess the situation
Begin by determining where the firm is most vulnerable. If uncertain, consider undergoing an independent cybersecurity assessment to understand the risks to the firm. Cybersecurity is a multi-factorial challenge that requires a multi-disciplinary response, analyzing security, operational, technological, and governance elements at the same time. Even if an organization possesses these areas of expertise internally, they are often spread across separate functions and disconnected teams, each with distinct, if not conflicting, objectives.
Performing a data classification exercise is a necessary first step, which, daunting as it sounds, is quite an intuitive process when explained to business leaders in the appropriate context. As a starting point, buried within a firm’s total data universe are various “crown jewel” data sets, the gold that cyberattackers trawl for. Where and how is this data stored? How is this data used, and by whom? It likely resides in more places than one may think, including in the cloud, in email, on laptops and external drives, on cameras and recorders, in third-party file shares, and even on copiers and fax machines, whose internal storage often retains copies of scanned documents long after they were printed or sent.
The human factor must also come into play. Identify who in the firm has access to private client data. Does leadership have confidence in all the individuals identified? It is up to them to determine if this group should be entrusted with this responsibility and if more significant limitations would provide greater security without interrupting workflow. This evaluation is critical if any third-party service providers have access to the firm’s data.
Build a team and educate them
Deputize a senior professional as the cybersecurity team leader. This individual will work with the firm’s technology and operations professionals and assemble a cybersecurity risk management team with designated responsibilities that will be ready to act if and when a cyberattack occurs. This team should be appropriately empowered, incentivized, and accountable. Initiate employee training on cybersecurity matters. A firm’s professionals are the first line of defense in detecting and reporting suspicious activities that could indicate a breach. Arm them with specific policies and practices, which should be regularly communicated and updated as conditions change. This communication can be built around an overall awareness program to keep cybersecurity matters top of mind. Since social engineering attacks are one of the more prevalent tactics used by cybercriminals, consider sending simulated phishing emails to employees to gauge their ability to detect and avoid future attacks.
Five key to-dos
Some practical and achievable imperatives for any effective law firm cybersecurity program include:
Update and harden external-facing systems. Cybercriminals are constantly probing for vulnerabilities in firms’ lines of defense. Start with an inventory of everything reachable from the internet (firewalls, VPN gateways, remote desktop and email servers, client portals), because forgotten or unmanaged systems are what attackers find first. External-facing systems should be monitored in real time and updated with the recommended patches from the manufacturer. Software and hardware companies regularly release these to address new vulnerabilities, and it is critical to apply the relevant security patches promptly to help ensure a secure technology environment. Enlisting the aid of vulnerability management professionals to perform penetration testing on a periodic basis is an excellent way of identifying vulnerabilities in external cyber defenses, provided the findings are then remediated on a defined timeline and retested.
Require multi-factor authentication. Multi-factor authentication (MFA) requires two or more independent proofs of identity at login, typically something the user knows, something the user has, and something the user is, and is one of the most effective controls available for protecting access to data and applications: a stolen or phished password alone is no longer enough to log in. Not all factors are equal, however. SMS and one-time codes can be phished or intercepted, and users can be worn down by repeated push prompts, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys for email, remote access, and document management systems. Enforce MFA for every remote and administrative login, including those used by third-party service providers.
Insist on strong passwords. Weak, reused, and guessable passwords remain one of the most commonly exploited weaknesses in any environment, so firms should take great care in establishing their password policy. A “good” password is easily remembered by the holder but not easily guessed by anyone else, so avoid simple or sequential passwords, such as “ABCD1234,” and readily discoverable information, like names, birthdays, and wedding years. Length matters more than symbol-juggling: require a minimum of twelve characters (the traditional eight is no longer adequate against modern offline password cracking), and encourage long passphrases. Complexity rules that draw on at least three of the four character classes (uppercase letters, lowercase letters, numerals, and symbols) help, but screening new passwords against lists of commonly used and previously breached passwords matters more, and no length makes a password safe if it has been reused on a site that was breached. Issue every professional a password manager so that long, unique passwords are practical, and never permit the same password on more than one system. Passwords are only effective if properly managed: require an immediate change whenever compromise is suspected, and note that current guidance (NIST SP 800-63B) no longer recommends fixed expiration schedules, which push users toward predictable variations of an old password. Never allow a compromised or previously used password to be reused.
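To make the password guidance above concrete, here is an added Python example (not from the original article) of a policy check that enforces a minimum length, a minimum number of character classes, a screen against a common-password list, and a check for personal terms such as a surname or birth year. The common-password list is a tiny constructed stand-in for a full breached-password corpus, and the guessing rate used to estimate cracking time is an assumed figure, chosen only to show how sharply the estimate grows with length.

```python
import math
import re

# Constructed stand-in for a breached/common-password corpus. A real deployment
# screens against a full list (assumption: this small set is illustrative only).
COMMON_PASSWORDS = {
    "password", "password1", "abcd1234", "qwerty", "letmein", "welcome1",
    "123456", "12345678", "iloveyou", "admin", "summer2024",
}

# The four character classes the policy counts.
CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Approximate alphabet size contributed by each class (33 printable ASCII symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def policy_violations(password, personal_terms=(), min_length=12, min_classes=3):
    """Return the list of policy rules the password breaks; an empty list means it passes.

    personal_terms: strings the user would be tempted to reuse (surname, birth year,
    wedding year, firm name). Matched case-insensitively as substrings.
    """
    violations = []
    lowered = password.lower()
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        violations.append(f"uses fewer than {min_classes} of the four character classes")
    if lowered in COMMON_PASSWORDS:
        violations.append("appears on the common/breached password list")
    for term in personal_terms:
        t = str(term).lower()
        if len(t) >= 4 and t in lowered:
            violations.append(f"contains personal information '{term}'")
    # A single character repeated four or more times (e.g. "aaaa").
    if re.search(r"(.)\1{3,}", password):
        violations.append("contains a character repeated four or more times")
    # Obvious keyboard or counting sequences.
    if re.search(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer)", lowered):
        violations.append("contains a sequential run")
    return violations


def brute_force_years(password, guesses_per_second=1e11):
    """Estimate the years needed to exhaust the keyspace implied by the password's
    length and character classes.

    guesses_per_second defaults to 1e11, an assumed rate in the range of a
    multi-GPU rig attacking a fast, unsalted hash; slower hashes lower it greatly.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    keyspace = alphabet ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    user_terms = ["Smith", 1978]
    for candidate in ["ABCD1234", "JaneSmith1978!!abc", "Tr0ub4dor&3-Stallion!"]:
        problems = policy_violations(candidate, user_terms)
        verdict = "PASS" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
    # Why length beats complexity: compare keyspace exhaustion times.
    for candidate in ["Abcdefg1", "abcdefghijkl", "abcdefghijklmnop"]:
        print(f"{candidate!r}: ~{brute_force_years(candidate):.3g} years to exhaust")
```

The estimate from `brute_force_years` is deliberately conservative in the attacker's favor: it assumes the password is random within its classes. A dictionary word with predictable substitutions falls far faster than the keyspace suggests, which is why the common-password screen and the personal-terms check matter more than the character-class count.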
Maintain a robust screening policy. When hiring a new professional or accepting a lateral transfer, make sure that background checks look into any history or experience with cybercrime. Previous activity may be a red flag, and it should prompt further inquiry. Apply this same policy toward hiring outside vendors, requesting and reviewing their System and Organization Controls (SOC) reports to ensure they are taking the necessary precautions to keep their environments safe. Read the report rather than filing it: check that its scope covers the services the firm actually uses, that the review period is recent, and that any noted exceptions have been addressed.
Be prepared. Even the strongest defense is not perfect, so it is wise to be prepared with an appropriately crafted Incident Response Plan should the firm suffer a successful cyberattack. At the moment of such an occurrence, the cybersecurity risk management team that was assembled must be prepared to jump into action. Their job is to limit or contain the damage, lock down the affected technology, and see that access to affected systems is terminated, while preserving logs and disk images before anything is wiped or rebuilt so that investigators can determine how the attacker got in and what was taken. News spreads quickly, so firm leaders need to designate a spokesperson who will communicate a unified message to all impacted parties. All inquiries should be directed to this person, who will act as the single source for firm information and updates. Make sure that all members of the firm are aware of this policy and comply.
There may also be legal obligations to report the breach to state and/or federal authorities, to affected clients, and to regulators within fixed deadlines. Firm leaders should consult with legal counsel and their cyber insurance provider to understand what steps are necessary, as policies often require prompt notification and may specify which forensic and legal vendors can be engaged. While having a plan is critically important, it is equally crucial that the plan be reviewed and tested on a periodic basis, for example through a tabletop exercise, so that it is kept up to date and all personnel are familiar with their roles and responsibilities.
Strengthen your cyber defense with Citrin Cooperman
Cybersecurity threats are simply part of the cost of doing business today, and they will continue to be moving deeper into the 21st century. Having a robust and adaptable prevention and defense policy designed to blunt, inhibit, or deflect an attack should be the first order of business for all law firms going forward, as the alternative is unthinkable. For more information on how Citrin Cooperman’s Cybersecurity Practice can help improve the protection of your organization’s data and significantly reduce the chance of your law firm becoming the next victim of a cybercriminal, contact Kevin Ricci at kricci@citrincooperman.com or Michael Camacho at mcamacho@citrincooperman.com.