Whether you’re heading to trial or advising a client on a legal question, success hinges on preparation—good, thorough, highly disciplined preparation, to be exact. The better prepared you are, the more effective you are—and the more effective you are, the greater the likelihood that your client will go home at the end of the day wearing an ear-to-ear smile.
The same is true when it comes to the matter of cybersecurity essentials. The better prepared you are to thwart attacks on the electronic systems and devices you use in your law practice, the greater the likelihood that your clients’ confidential data will remain safe (and, by extension, the greater the probability that the wearer of that massive grin will this time be you).
It is unfortunate that bad actors toil long and hard every minute of every day in the hope of breaking into and plundering your data storehouse. Consequently, it is essential that you establish effective cybersecurity defense policies and procedures to thwart those criminals.
The federal Cybersecurity & Infrastructure Security Agency (CISA) has helpfully sketched the contours of those policies and procedures. From my vantage point as a cybersecurity solutions provider, I can tell you that CISA’s advice is sound indeed.
CISA calls upon you to create a “culture of cyber readiness within your law firm.” This culture, says CISA, emerges not from a single big bang but as the product of roughly a half-dozen small steps. Let’s take a look.
Cybersecurity Essentials: It all starts with you
You, CISA contends, are the foundation for all cultural changes affecting your office—and cyber readiness is no exception.
Thus, it’s on you to get the ball rolling. Start by assessing the extent to which your practice relies on information technology (so that you can figure out how much you will need to invest in a cybersecurity solution that can provide adequate protection for the confidential data entrusted to your firm).
Then you need to develop trusted external relationships, the most important of which is the one you form with a cybersecurity company. Such outfits know all the tricks hackers and phishers rely on to penetrate your defenses; making do without a cybersecurity company at your side will prove to be much like stepping into a boxing ring blindfolded, with both hands tied behind your back and bubble gum stuck to the bottom of each shoe.
Another way a relationship with a cybersecurity company will pay off is that you won’t have to develop policies on your own. These services—my own included—have policy templates ready for you to adopt.
Teach your staff to be vigilant
The people who work for you are at risk of falling prey to phishing schemes and email compromise. The reason is that they simply don’t know what to look out for. Accordingly, education is a big part of cyber readiness at the staff level.
In my cybersecurity solution, staff training is central because, as data breach post-mortems prove over and over, the weakest link in a law firm’s cyberattack defenses is usually employees who have poor data-handling hygiene due to lack of knowledge (good data hygiene, by the way, involves things like requiring the use of multifactor authentication to log into computers and insisting on having password managers in place to create secured individual and shared passwords).
A word of caution: don’t take the position that staff training is a one-and-done annual affair. It’s something that needs to be ongoing throughout the year. And it needs to be rooted in storytelling, which makes the instruction memorable (unlike rote learning presented via a PowerPoint slide show).
Know thy systems
Do you know how many and what types of electronic systems are deployed around your office? Do you even know the exact location of those systems? If you’ve lost count (or, worse, lost track of their whereabouts), you need to take stock right away. Only then will you be able to assess which computers and devices are vulnerable to attack owing to outdated or corrupted software—or even to software that has no business being loaded into your systems in the first place.
Allowing a cybersecurity company to help you with this will greatly simplify the process of continuously monitoring your systems for leaky software and then getting those security holes promptly patched up.
Don’t let just anyone have access
A useful declaration to include in your firm’s cyber policy manual would state that only those employees in good standing and deemed trustworthy should ever have access to the digital ecosystem you’ve built. Find out who is on your network, then eject all unauthorized users (you’ll derive value from a second policy that establishes a procedure for dealing with users who leave your firm, are fired, or do an inter-department transfer). For those you do want to have access, your policy should call for authorization to be granted on a need-to-know and least-privilege basis.
Make it a policy, too, that everyone who steps away from their computer must first put it into locked-screen sleep mode and use their assigned, password manager-created password to unlock the machine upon their return to it. The reason for this is that an unattended and wide-open computer screen is a huge vulnerability—it would be so easy for a disgruntled employee from another part of the office who happened along to plop down in the user’s temporarily vacated chair and begin accessing files that are supposed to be off-limits to the interloper.
Data and system backups are vital
Data is shockingly easy to lose (especially from malware and ransomware attacks). That’s why your preparedness plan must include provisions for backing up your data—daily is good, hourly is better, and continuously is ideal.
Regardless of your backup schedule, the process should take place automatically—without the need for a human to remember to perform the chore at the designated time (because chances are the human will forget on more than one occasion).
In addition to backing up your data, make it a policy to back up your systems and ensure that all such backups are protected electronically and physically (a smart play is to encrypt them before storing them at a secure location geographically distant from your office).
Have a crisis response plan
You can have the best system and data defenses on the planet, but still, there will be the possibility that a determined thief will breach them. In that event, you’ll need to swing into crisis-response mode.
In response to a cyberattack, your first act should be to disconnect from the Internet. Your second act should be to contact your cyber insurance company.
Of course, you can only get help from your cyber insurance company if you take the step, pre-attack, of obtaining a cyber insurance policy. The beauty of such coverage is that it can save you from the disastrous effects of a successful cyber-heist: financial ruin, reputational damage, and possibly even the suspension or loss of your law license.
Another crisis-response readiness step is drawing up a list of outside private individuals and organizations, plus law enforcement agencies, that you must contact immediately after discovering a breach. And another step is to compile a list telling you which systems to restore first, second, and third depending on the nature and effects of the particular attack.
Lastly, you’ll need a communication plan to guide you through the difficult task of informing the public (and your state bar) that cyber crooks managed to loot your data vault. And you will want to PRINT out this guide and put it in an accessible place.
Cyberattacks can happen to you, regardless of whether your law office is big or small. There are no size exemptions when it comes to the schemes of online malefactors—whose numbers, incidentally, are legion and growing. As such, it is incumbent upon you to be ready for any attempts to steal the data you are obligated legally and ethically to safeguard.
Think of it this way. The one who comes to the fight best prepared is usually the one who wins. Cyberthieves are prepared—very prepared. You can defeat them, but only if you are better prepared than they.
CEO of Boba Guard
This article was provided by Tom Lambotte, a cybersecurity expert who has been in the tech support industry for over a decade. Tom founded BobaGuard in 2019, which offers turnkey solutions to solo lawyers and small-to-medium law firms. In addition, Tom is also the CEO and Founder of GlobalMac IT, an established managed service provider specializing in serving lawyers nationwide who use Macs by implementing his Proven Process™.