Re: A Cybersecurity Action List for Law Firms

ChuckDBrooks · ‎05-10-2018

https://highperformancecounsel.com/a-cybersecurity-action-list-for-law-firms/

A Cybersecurity Action List for Law Firms

By Chuck Brooks

There is a congruency with the legal community’s mission of preparedness and the practice of cybersecurity. A primary requirement of the legal profession is to obtain data and explore evidence, access the implications of that evidence, and prepare accordingly to protect and serve the client. Cybersecurity also follows that framework.

There is, however, an urgent need for the legal community to add an element to their operations to make them more in line with cybersecurity; actions to enable providing better protection of their data against breaches.

Unfortunately, most law firms (and companies for that matter), lack the critical awareness, policies, and technologies to best secure the crown jewels. These jewels include private firm interchange, records, and especially privileged attorney client communications.

The risks to law firms are already very high. A 40-year law firm Mossack Fonseca, closed as a result of a data breach that revealed the Panama Papers. About two-thirds of law firms have experienced some sort of data breach, according to a 2017 cybersecurity scorecard from Logicforce, a LexisNexus company.

With increasing risk to revenues and reputation, law firms should consider hiring cybersecurity professionals to augment their IT shops. If possible, they should also explore bringing in outside expertise from SMEs who understand the latest developments in technologies and compliance directives in the cyber ecosystem. The growing amount of sophisticated phishing, ransomware, and DDoS attacks are challenging and outside help is becoming more of an imperative.

I have assembled a list of basic questions that can set the foundation of how firms can access vulnerabilities in data protection and take steps to protect themselves. My list includes:

Are the latest security patches applied on the firms operating systems and software?
Have the servers been monitored and checked and confirmed to be free of malware?
Do the firm’s firewalls block everything not specifically necessary for business?
Is anti-virus software loaded and active on all systems?
Is all sensitive data identified, encrypted and stored securely?
Is a Virtual Private Network (VPN) used for general browsing on employee laptops and smartphones?
Are servers and sensitive computer data kept in secure locked areas?
Are WiFi access-points configured securely?
Are employees required to learn and adhere to cyber-hygiene policies to prevent social engineering and phishing attacks?
Is there a clearly written and enforced cyber security framework in place for the firm?

While these general questions can serve as a first step, a technical vulnerability assessment is a good idea for any law firm, small or large, in this increasingly risky work of connectivity. Data breaches are a compelling threat and one that should not be taken lightly.

Chuck Brooks is the Principal Market Growth Strategist — Cybersecurity and Emerging Technologies for General Dynamics Mission Systems. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 500 million members. He has published more than 150 articles and blogs on cybersecurity and technology issues. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year by the Cybersecurity Excellence Awards. Chuck’s professional industry affiliations include being the Chairman of CompTIA’s New and Emerging Technology Committee, and as a member of The AFCEA Cybersecurity Committee. In government, Chuck has served at The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues on Capitol Hill. In academia, Chuck is an Adjunct Faculty member at Georgetown University in their Applied Intelligence Program was an Adjunct Faculty Member at Johns Hopkins University where he taught a graduate course on homeland security for two years. He has an MA in International relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

Dain · ‎05-25-2018

nice work, from my personal experience with law firms there is, I would say, a lack of money and effort put into Information Security in the legal environment. I find it particularly odd as the folks we are talking about typically understand the true meaning of due care and due diligence, as well as the importance of confidentiality. The powers that be seem to be no more advanced in infosec than the average commercial enterprise of a comparable size. Those firms engaging publicly with high profile clientele, handling hipaa data, or dealing with M&A would seem to be at a higher risk of a targeted attack as a means to get to either the data referenced, or as a specific target for getting more information on or about clients.

Items listed may seem basic to us, but as a mechanism to begin to raise awareness it seems like a good post (particularly for a legal mgmt arena).

Have you considered pointing the target audience at specific low cost tools (e.g. openvas/kali) or resources (basic patch policies, etc) to help them take the first step?

ChuckDBrooks · ‎05-25-2018

Thank you for your affirmation and for your own insightful comments on Cybersecurity and the legal community!