Prioritizing Cybersecurity on a Limited Budget
Cybersecurity measures on a budget can include regular training, safe email practices, secured systems and a good cyber insurance policy.
Our dirty little secret is out. A cursory review of recent articles in ABA magazines and webzines, let alone a full-fledged search on Google, reveals the unsightly truth—law firms are prime targets for hackers. Ironically, some of the very lawyers marketing themselves as cybersecurity experts have been the victims of preventable cyber breaches.
While your firm may escape the sting of irony if it does not practice cybersecurity law, a breach is devastating no matter what your area of concentration. The publicly available information is abundant, and the stakes are too high not to budget for cybersecurity and to fix your firm’s most glaring vulnerabilities. Treat the creation of a cybersecurity budget and implementation of cybersecurity measures as an exercise with a limited timetable that requires the prioritization of major issues.
Think John Travolta’s and Samuel L. Jackson’s characters’ dilemma in Pulp Fiction. They find themselves in hot water when Travolta’s gun accidentally goes off during a leisurely drive, creating a mess in the backseat. The protagonists park in a belligerent Quentin Tarantino’s garage, and he demands the mess be cleaned up before his wife, Bonnie, gets home. Travolta and Jackson are humorously beset with a deer-in-the-headlights look until Harvey Keitel’s iconic character, the Wolf, arrives to help them game plan and prioritize their next steps.
Training Your Employees
When it comes to your law firm’s cybersecurity, start with the chief problem areas that require no budget whatsoever to address. No one thing will make a bigger difference than getting your partners, associates, and staff trained on the most common trick of today’s cyber thieves: phishing. At February’s RSA security conference in San Francisco, the premier cybersecurity conference in the industry, a surprising statistic emerged: 97 percent of cybersecurity problems begin with phishing emails and an impulsive click on a link or an attachment. Depending on the size of your firm, annual training will not be enough; the prevailing opinion is that quarterly training is the only way to significantly cut down on phishing and other risks.
Quarterly training may seem like a hassle, but recall that the days of the ludicrous Nigerian prince emails are long gone. Cyber thieves will social engineer you and your employees to create emails that look like the real thing. The SANS Institute and KnowBe4 provide great free training resources and ideas to keep your people engaged. Of course, you can also hire outside vendors to train your employees on the latest phishing techniques, which a lot of law firms do. If you are working with a limited budget and are willing to devote the time to keep training sessions entertaining and updated, you can save money and use the extra budget for items requiring outside expertise.
Alerting employees to business email compromise scams, including wire transfer scams, should also be an integral part of training. If your firm has not changed your wire transfer policy in response to the latest alerts (see ic3.gov and Symantec.com), then you are missing a glaring opportunity to reduce risk.
Pushback against change is inevitable. If you have employees who need hand-holding, as John Travolta did when he was told not-so-nicely by the Wolf to get to work and clean the car, impress upon them the gravity of the situation. These cyber thieves are real and so numerous it’s frightening. We live in a new era, a near lawless, consequence-free, Wild West for cyber criminals. Great training and a shift in firm culture will wipe out a vast percentage of the statistical risk. At the very least, every employee and partner at your law firm should know that clicking on a link or attachment from an unknown source is the 2017 equivalent of leaving the bank vault wide open. Take the opportunity to incentivize training exercises, create contests, and get people excited about protecting your firm’s most precious resources. If you do not hire an outside vendor to conduct training, all this takes is some time and enthusiasm.
From New Technologies to Cyber Insurance
While you can limit your budget expenditures when it comes to dealing with the human factor, there is no skirting certain technological must-haves. Your firm must have systems and firewalls that are up to date and regularly patched. If your firm is running an out-of-date system, this will require an expenditure to replace—and it must be a top priority. The firm should also institute restricted access policies. Only the folks who absolutely need it should have administrative privileges with access to all your firm’s files. Furthermore, if your firm permits remote login, implement two-factor authentication. Hackers are breaching organizations through remote login vulnerabilities at an alarming rate. No employee should be permitted to log in to your firm’s system without an excellent password and a second authentication factor.
In the end there is only so much that can be done with a healthy budget, let alone a limited one. As Sharon Nelson and John Simek stated in Law Practice’s November/December 2015 Hot Buttons column, it’s not if a breach will happen, it’s when. Every FBI and Secret Service agent I’ve spoken to in the past year has echoed this mantra. With those kinds of cold, hard facts, there is only one option to hedge the risk: insurance. A good chunk of our cybersecurity budget should be allocated to a comprehensive cyber risk policy that covers, at a minimum, privacy liability, breach notification, business interruption and cyber extortion (say, via ransomware). Do not be fooled by the attractively priced cyber insurance add-ons to your existing professional liability policies as these are often full of exclusions and heavily sub-limited (i.e., much lower limits for the riskiest types of coverage). The insurance industry as a whole lacks the actuarial data on cyber events to create a form policy, so a conscientious consumer will find a wide variety of products in the cyber insurance marketplace, including policies by insurers like SafeLaw, designed specifically for law firms.
Acquiring insurance has secondary benefits as well. The act of applying for cyber risk insurance, while not as intensive as it once was, requires the candidate seeking insurance to understand what system security and controls it has in place. Frequently, insurers provide proactive breach preparation services and educational resources, including employee training materials, that the law firm can leverage to improve its cybersecurity posture.
Taking these steps will not cause your firm’s cybersecurity problems to permanently disappear in a hydraulic compactor at Monster Joe’s junkyard. I have not even discussed end-to-end encryption, lost devices, insecure wireless networks, or data retention policies. Undoubtedly, as time passes, our clients, particularly those in health care, financial services and retail, will demand more of us as cyber thieves and regulators double down on their efforts. Indeed, the Association of Corporate Counsel was sending law firms a message when it released its Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information in January 2017.
Before your law firm can be perfect, it has to be security competent. So (as the Wolf would say), pretty please, prioritize cybersecurity at your firm. Be your own Wolf and set aside the budget—and commit the time necessary—to address the indispensable items that will make the biggest difference.