Cybersecurity for Law Firms: What Larger Offices Should Know
Cybersecurity incidents are on the rise. And unfortunately, law firms are attractive targets for cybercriminals.
Here’s a breakdown of why larger law firms need to invest even more in cybersecurity and what they can do to keep their offices safe.
Why Large Law Firms are Popular Targets
The primary reason law firms are often the victims of cyberattacks is because they have sensitive (and valuable) information about multiple companies or entities housed in a single database. In essence, this makes firms “one-stop shops” for cybercriminals since they can obtain the desired data on multiple companies via a single source.
Further, were a cybercriminal to attempt to access an individual company’s database directly, she would likely encounter more sophisticated security measures than those employed by the law firm. More data + easier access = prime targets.
Larger law firms are especially popular targets for cyberattacks. In the ABA’s 2018 Legal Technology Survey Report, the percentage of firms that reported a security breach generally increased as firm size grew. For example, whereas only 14 percent of solo firms claimed to have had an incident, 42 percent of firms with 50-99 employees reported experiencing a breach.
There are three major reasons big law firms are targeted more often:
- They have more employees and, thus, more devices, which means more access points to the network or database the cybercriminal can exploit.
- They have more clients, which means cybercriminals can access data from a greater number of companies in one fell swoop.
- They have bigger clients with deeper pockets, which means, in the case of ransomware attacks, cybercriminals can demand larger sums of money.
It’s no surprise, then, that a third of the participants in the 2018 Aderant Business of Law and Legal Technology Survey (which featured respondents mostly from larger firms) cited cybersecurity as one of their top challenges. In the U.S. in particular, cybersecurity rose from sixth place the previous year to the number one most-cited concern.
Protecting Your Firm in 3 Steps
There are plenty of actions you can take to reduce the likelihood of experiencing a cybersecurity incident. To help get you started, here are three things you can do.
Draft an Acceptable Use Policy
An acceptable use policy (AUP) explicitly outlines the rules employees must follow in regards to the firm’s network, software, computers, laptops, and mobile devices. It clearly states how employees should and shouldn’t use both employer-provided technology and personal mobile devices like smartphones and tablets.
One of the main reasons to implement an AUP is the ability of employees to either deliberately or inadvertently compromise the security of your company. Ipswitch, a provider of IT management software, reported that nearly ¾ of security breaches are due to employee actions (either intentional or accidental).
An AUP ensures employees understand their responsibilities in regards to technology use and helps educate them on identifying possible cybersecurity threats. A comprehensive yet easy-to-read AUP can substantially decrease your firm’s risk of cyberattacks and data breaches.
Adopt Cloud-Based Technology
Many (if not the majority of) law firms that favor on-premise or hosted solutions to cloud-based platforms will cite security as the reason they refuse to move their data to the cloud. But the truth is, cloud-based solutions are considerably more secure than on-premise or hosted software (and nearly 30 percent of the respondents in Aderant’s survey agree.)
An on-site IT team may do periodic network vulnerability checks, but they have dozens of other responsibilities to worry about, too. Providers of cloud legal solutions have employees dedicated exclusively to ensuring their IT infrastructure is as strong and secure as possible.
Additionally, because updates to cloud solutions are deployed automatically, you’ll know the platform always has the latest patches and the provider has addressed known vulnerabilities. As an added bonus, cloud-based solutions are also generally less expensive and easier to maintain than hosted or on-premise options.
Develop an Incident Response Plan
Ideally, your firm will never experience a data breach or cyberattack. Realistically, you need to be prepared for the day when it happens. That’s why an incident response plan is an essential part of any large law firm’s cybersecurity program.
The steps your firm takes immediately upon discovery of the issue will determine just how extensive (and expensive) the damage will be. An effective incident response plan includes the following steps:
- Designate an incident response planning team
- Classify the type/extent of the incident
- Complete initial reporting
- Escalate the incident, as appropriate
- Inform affected individuals and organizations
- Investigate and collect evidence
- Mitigate further risks
- Execute recovery measures
Your incident response plan (in addition to any other security policies and procedures) should be regularly evaluated and updated. With existing threats continuously evolving and new threats appearing almost daily, your firm must take a proactive approach to maintaining strong cybersecurity protections.
Don’t let your law practice become a cautionary tale for other firms. Take the necessary steps today to ensure your office is safe from external and internal threats.