February 2023
VOLUME 42, ISSUE 2
Cybersecurity breaches have become an all-too-common occurrence at all types of businesses, including law firms. Many firms have cybersecurity insurance, but they don’t realize they can lose their policy if they do not maintain compliance with its requirements.
As executive managers of the firm, legal administrators are ideally positioned to ensure the firm stays compliant with its cybersecurity insurance policies so they are active and enforceable. Here are 10 ways to make sure your firm’s cybersecurity insurance doesn’t lapse.
Every law firm’s IT infrastructure is unique, so securing the firm sufficiently requires a detailed examination of several areas of protection. Some of the firm’s technology may be on-premise, traditional desktop hardware and software, while other applications are self-hosted or in the public cloud. The firm has a network and endpoints (desktops, servers) which need to be secured. Lock down user access to both the network and endpoints as well as key applications. Protect against email attacks with email threat protection, encryption and archiving.
Often, risks come from blind spots — areas no one realized were problematic until a breach occurred. Conducting a risk assessment involves uncovering problematic areas and fixing them proactively. Perhaps the firm has passwords — for users or administrators — that never expire. Or the firm owns risky applications that make them vulnerable to exploitation. Are those applications essential, or could they be replaced with a more secure alternative? Acknowledging these security risks and eliminating them before they cause a crisis simply makes sense.
The odds are in favor of the firm facing at least one cybersecurity breach, if not more. Therefore, devising a business continuity and disaster recovery strategy will provide a roadmap the firm can follow if a breach occurs. Business continuity and disaster recovery plans are also helpful in the wake of natural disasters, power outages, health crises or other emergency situations.
When a cybersecurity incident occurs, in the heat of that moment is not the time to make an incident response plan. Instead, create the plan preemptively in calm circumstances. The plan should clearly state how the firm will respond to a cybersecurity incident, step-by-step, and which departments will be involved — all in compliance with the firm’s cybersecurity insurance policy.
Some questions your plan should answer:
The firm’s staff is its greatest asset but also its largest potential liability because human beings make mistakes. Phishing emails, a typical security breach source, have become incredibly convincing and sophisticated, sometimes even tricking IT professionals to give up passwords and sensitive data. Make sure the firm’s employees receive specific training regarding cybersecurity risks like phishing to build awareness of existing threats and reduce the chance of user error leading to a breach.
Some law firms have their own dedicated IT staff, while others rely on systems integration/IT consulting companies to provide technology services.
“Often, risks come from blind spots — areas no one realized were problematic until a breach occurred. Conducting a risk assessment involves uncovering problematic areas and fixing them proactively.”
Regardless of which approach the firm takes, ensure the firm’s IT professionals are on board with deploying sufficient malware defense tools. This can include tools such as Next-Generation Antivirus (NGAV), which guards against many threats including malware, viruses and ransomware; Endpoint Detection and Response (EDR), which protects devices from malware threats; and Managed Detection Response (MDR), a security-as-a-service offering which provides resources to help the firm protect itself from cyber threats.
Regular penetration testing allows the firm to discover its vulnerabilities and security holes before bad actors exploit them. Therefore, setting a schedule for penetration testing and adhering to it faithfully is an essential element of cybersecurity maintenance.
Encrypting all emails and documents across the board will go a long way to contributing to the firm’s cybersecurity success. Certainly, encryption may have its downsides due to inconvenience, but it is sound business practice to encrypt all communications and documents passing through the firm.
Setting up multifactor authentication is one of the best strategies for firms to prevent unauthorized users from accessing firm email and documents. Users may complain it is annoying for them to verify their logins on a smartphone or other device. However, this momentary irritation is a small price to pay for the tremendous security benefits multi-factor authentication brings to the firm.
Cybersecurity insurance companies are increasingly requiring that companies establish privileged access management and role-based access controls. Firms may like the idea of everyone having access to everything, but this is often not a wise approach. By restricting access to certain information based on roles and access rights, the firm upholds its internal security requirements including attorney/client privilege and government compliance regulations.
By following the 10 steps above, legal administrators can help their firms ward off cybersecurity risks and ensure their cybersecurity insurance policies are active and enforceable.
Step 3 above notes the importance of planning for unplanned incidents, such as a cyberattack. If you’re firm doesn’t have a plan in place, “Business Resiliency: 7 Steps to Successful Incident Management, Business Continuity and Disaster Recovery Planning” can help you formally put together an action plan for such an event.