This document discusses the importance of cybersecurity for law firms. It notes that law firms have traditionally lagged behind other industries in implementing cybersecurity measures, despite increasingly becoming targets. It provides several recommendations for best practices including implementing information security policies, employee training, testing systems for vulnerabilities, and utilizing IT professionals for guidance. The document emphasizes that cybersecurity is about managing risks, and that as technology continues to change, firms must remain vigilant and adapt their strategies to new threats. People within a firm are also noted as one of the biggest security risks if not properly trained on cybersecurity practices.
Data security, privacy protection, and information governance are inextricably linked to the attorney-client relationship. Lawyers must overcome their aversion to technology and understand that protecting data is not just the IT department’s responsibility, but theirs as well, as lawyers are stewards of their own, their clients’, and their firms’ data.
Learn insights and tips on how to better understand the data security environment from a lawyer’s perspective and how you can best communicate to clients the need for secure information governance. You’ll be prepared to answer the following questions that are being asked by corporate counsel and other prospective clients:
Is your firm positioned to handle my data securely?
What are your firm’s protocols?
This presentation examines to what extent cyber-insurance can be a useful tool to manage the risks and harms caused by massive cyber-attacks from the national, as opposed to enterprise, standpoint.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Convince your board - cyber attack prevention is better than cure (Dave James)
The business case for cyber attack prevention for organisations concerned about the rise in cyber crime and the risk to their data. Includes cyber security tips and resources.
“Cyber Liability & Cyber Insurance” - A discussion on best practices around Prevention, Detection, and Response!
Sponsored by Datto and Webster Bank
Series brought to you by the Connecticut Technology Council.
____________
TOPIC FOCUS:
1. Evolution and acceptance of Cybersecurity insurance
   a. Understanding risk & effect on businesses
      i. Used to be major brands, now widespread.
      ii. Risk recognized, business leaders looking to minimize risk
   b. Describing changes in cybersecurity insurance
      How coverages have evolved - not just for biggest companies
      i. Insurers are working with (tech) companies to get it right
      ii. Where is it going from here? Trends, specialty insurance
2. Describe insurance types/specifics and how they perform when needed
   Not all policies are the same
   a. What to look for
   b. How they vary by type of business (Healthcare vs. Retail vs. Software Co.)
   c. What gaps still remain (What can’t get covered?)
3. How to minimize cost, get most value for your company
   Some protections on your current policies
   a. Gating elements - What the insurance companies want to see - how that might help costs
4. Best practices generally
Cyber insurance is probably one of the top security measures each organization, big corporations, and Small and Medium Enterprises (SMEs) should look up to when it comes to a cybersecurity data breach. https://cyberpal.io/
New York DFS proposed cybersecurity regulations (Brunswick Group)
Groundbreaking cybersecurity regulations proposed this month by the New York State Department of Financial Services would impose significant new compliance responsibilities. The proposed regulations raise the bar for communications and public affairs professionals in particular around cybersecurity planning and response.
The proposed regulations far surpass existing federal or state regulations on cybersecurity, and will require a deeper approach and greater integration between legal, communications, and technology planning and strategies.
Cybersecurity: Protection strategies from Cisco and Next Dimension (Next Dimension Inc.)
Cisco's presentation on cyber security threats affecting Mid Size Commercial Businesses. Cisco's suite of cyber security solutions will protect your business.
Shaping Your Future in Banking Cybersecurity (Dawn Yankeelov)
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
Improving Cyber Security Literacy in Boards & Executives (Tripwire)
In response to the rapidly evolving threat landscape, Boards of Directors (BoDs) and executives are now more aware of today’s cyber threats and how they might adversely affect their business. However, most executives are nonetheless limited in their knowledge of security and do not know what to ask their security teams.
It is therefore up to security professionals to help their executives become more cyber security literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.
Acknowledging this responsibility on the part of information security personnel, Tripwire has asked a number of prominent experts in the field how security teams can improve their executives’ cyber security literacy.
For digital media companies, effective cybersecurity programs a must (Grant Thornton LLP)
In digital media, trust is everything; without it your business model doesn’t work. Cybersecurity can be a key component, ensuring the integrity of your services. Check out this brief guide to securing your data.
Cyber security is becoming increasingly relevant within the insurance industry, to the degree that the National Association of Insurance Commissioners (NAIC) named it as the key initiative for 2015.
Cyber-attacks are an alarming threat to all types of businesses & organizations. The risk of a cyber-attack is not just a risk to your company but also to your privacy. Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
What CIOs Need To Tell Their Boards About Cyber Security (Karyl Scott)
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
Choosing the Right Cybersecurity Services: A Guide for Businesses (basilmph)
In today's business landscape, cybersecurity is vital for all businesses, regardless of their size or industry. Shockingly, cyberattacks have increased by 67% in the past year, impacting companies worldwide.
Let’s read more on How to Start a Cyber Security Business?
Step 1: Define Your Niche
Step 2: Conduct Market Research
Step 3: Create a Business Plan
Step 4: Legal Considerations
Cybersecurity Risk Management for Financial Institutions (Sarah Cirelli)
The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.
Safeguarding Your Law Firm Against Cyber Threats (Withum)
Law firms serve as stewards to valuable, sensitive financial and client information and must remain as trusted business partners.
With the scope and severity of cybercrimes rising, don’t wait to optimize your firm’s approach to cybersecurity. Join Edward Keck Jr., Partner and Practice Leader of Withum’s Cyber and Information Security practice, and Bill Sansone, Partner and Practice Leader of Withum’s Law Firm Advisory team, to learn:
• How to manage the cybersecurity risks affecting law firms, including data breaches
• The value of going beyond what’s required to operate effectively in today’s digital landscape
• How to apply data security best practices and maintain good cyber hygiene at your firm
Written by: Richard Brzakala
Background
“Law firm hacked by cyber criminals,” is probably one of the worst
headlines imaginable for any law firm in today’s highly competitive
marketplace. Cyber criminals are extremely well funded, sophisticated,
and tenacious. Over the past decade, law firms have become
increasingly attractive targets for numerous nefarious organizations
looking to steal any type of confidential information that has economic
value.
While many corporations and private companies have been
implementing safeguards and strengthening their technology defenses,
law firms have, unfortunately, been laggards in the marketplace. All too
often, firms of all sizes have been blissfully apathetic to either
understanding or wanting to understand the information security risks
and threats lurking in the marketplace.
This article examines cyber and information security as it relates
to the legal industry and provides strategic considerations for
law firms looking to deal with information security issues.
About the author: Richard Brzakala has
20 years of experience managing
external counsel at two of the largest
financial institutions in Canada. He has
provided leadership and global
oversight of enterprise legal
management strategies, including
alternative fee arrangements, cyber
security, sourcing and innovative law
firm performance benchmarks. He has
managed relationships with hundreds
of law firms across the globe and
developed innovative practices with
regards to in house legal management,
business outsourcing and competitive
RFP practices. He is recognized as a
market thought leader with regards to
LPM and law firm management. He
has consulted international companies
on convergence, cyber security, pricing
and sourcing strategies and written
numerous articles related to outside
counsel management practices and
matters. Disclaimer: The views
expressed here are solely those of the
author in his private capacity and do
not in any way represent the views of
the CIBC or RBC.
As we have seen in the past couple of years through media outlets and
press reports, many firms have paid the price for neglect and ignorance
as firms have increasingly been hacked by cyber criminals or have had
their confidential data compromised in some way. Governmental and
regulatory agencies across the globe have, for years, been sounding
the alarm for law firms to become more vigilant and invest in technology
tools and risk management strategies that can help a firm safeguard its
confidential client information.
If you are a firm concerned about cybersecurity measures and your
firm’s preparedness to defend against cybersecurity breaches, consider
implementing some of the following best practices that will help
safeguard your confidential information.
Cyber Security Is About Managing Risk
For a firm to truly protect itself and its client information from being
compromised, it must understand that cybersecurity and information
security are not just about the technology tools. Too often, a firm’s initial
response to cyber threats is to look to the market to see what is
available to update their antivirus software or some other type of
solution that the firm assumes will cover them for all sorts of risk and
cyber issues. Unfortunately, this is not the best approach.
It’s not “if,” but “when” a cyber attack will
happen.
The best approach for a law firm seeking to tackle cybersecurity is to
step back and assess its current state of information technology
preparedness and work with IT cyber experts to develop a
comprehensive cyber risk strategy that not only leverages the best
available tools to protect a firm but aligns the information security
strategy with a firm’s business goals. Firms should approach the
establishment of a cybersecurity strategy from the perspective that it is
not a matter of “if” a cyber attack or security event will happen but
“when” it will happen. Firms should also consider whether they are
adequately prepared to contain and respond to such events and, if need
be, manage the repercussions of any fallout due to an event or breach.
Therefore, cybersecurity is not just about ensuring that your firm has the
proper technology in place to mitigate against breaches, viruses, or
other security threats. A successful comprehensive cyber strategy is
based on understanding the many different risks that exist in the
marketplace and within a firm as well as the changing nature of risk and
the need to stay vigilant, mitigate, and adapt to the changes of risk.
In recent years, government agencies and regulatory bodies have
stepped up to try to provide the legal community with recommendations
and assistance on managing information security. The Canadian Bar
Association (CBA) and American Bar Association (ABA) have published
a variety of information security documents aimed at assisting law firms
with implementing greater information control and security measures.
Corporations are looking for cyber savvy
firms
Increasingly, corporate clients are looking to their law firms for
documented proof of how a firm manages its confidential information
and the preventive measures that a firm has in place to mitigate against
threats and cyber risks. Firms looking to implement cyber strategies
should also consider including containerization procedures that detail
how a firm would isolate things such as computer viruses or other data
threats to stop them from spreading through a firm’s network if a breach
or security incident were to occur. Clients are also looking for post-
incident management plans detailing how a firm will deal with
notification protocol, communication and response times, escalation
procedures, and restoration plans for lost data.
If your corporate client hasn’t asked you to provide them with a cyber or
information security strategy, chances are pretty good that they will in
the near future, or they may assume that you already have a
comprehensive information security strategy in place. What you don’t
want to have happen (aside from being hacked and compromised) is to
have to explain to a client that you have absolutely nothing in place.
In short, for the sake of your relationship you should be prepared to
answer your clients in a positive way and provide them with adequate
documentation to back it up.
For many sophisticated corporate clients, such as big banks, it is no
longer acceptable for a law firm to be blissfully IT illiterate. The
expectations from clients are high. How you manage the information
that a client shares with your firm speaks volumes about your
commitment to that relationship and how you value your reputation and
that of your clients. Today, firms have to be all things to all clients, and
the answer can never be “I don’t know” or “It’s not important or cost
effective to our firm.” Clients consider their information and that of their
clients to be sacrosanct, and there is an increased expectation that
firms will do everything they can to maintain the confidentiality of
information entrusted to them.
Financial Institutions (FIs) see information
security as table stakes
Some FIs, such as the Canadian Imperial Bank of Commerce (CIBC),
have been at the forefront of managing external counsel and
information security when it comes to law firms. In 2015, the CIBC
implemented a global comprehensive information security policy for all
of its 250 law firms. The policy included a comprehensive list of
information security requirements and principles that its panel of law
firms are required to comply with to represent the CIBC on any of its
matters. The CIBC saw a gap in its firms and developed a unique
standardized approach with which all of its firms must comply. The
CIBC was the first institution in Canada to launch such a
comprehensive and extensive initiative with its approved counsel. In
effect, the CIBC made cybersecurity basic table stakes for its panel of
firms.
Insurance companies represent another example of an industry that
adopted information security requirements and changes in the way they
deal with law firm clients.
Insurance companies have started to factor the cost of law firm
damages and claims attributable to cyber and information security
matters into their premiums. Consequently, insurance carriers have
included cybersecurity damage coverage in their policies for items such
as damaged software, hardware, lost information and data, and even
lost law firm revenue. In some instances, large insurance carriers have
based the costs of their premiums on the level of a firm’s cyber
preparedness and have offered well-prepared firms (with a low risk
profile) discounts on their annual insurance premiums.
The last thing clients (and law firms) want is for a data breach to occur
that has an adverse impact on their reputation or that of their clients. If
your firm is looking to implement an information security strategy,
consider calculating and understanding the cost of any lost business
should you be exposed to a cyber event. How much of an insurance
claim would you need to make to carry on or reestablish your firm’s
business in the post-cyber-event period? Aligning cybersecurity to a
firm’s business strategy and goals is critical.
Information security and RFPs
Large companies that are increasingly looking to source legal work want
to partner with firms that share their beliefs on safeguarding client
information and the importance of cybersecurity preparedness. To that
effect, corporate clients have amended their request for proposal (RFP)
procedures to include requirements in regard to cybersecurity and
managing information security risk.
Once upon a time, corporate clients referred to information security only
as a casual reference in their RFPs. There were few, if any, onerous
demands or requirements placed on firms when it came to safeguarding
a client’s information. In the past, RFPs would only ask that a firm use
its “best efforts” when safeguarding a client’s information.
Today, many RFPs include specific references to a client’s risk and
reputation policy, confidentiality, records management and destruction,
communication, and third-party vendor policies. In addition,
sophisticated buyers of legal services will also include a dedicated
information security section outlining numerous prescriptive IT
requirements and expectations regarding how clients expect their
information to be protected, as well as mandatory incident reporting
requirements. Firms are also finding that client RFPs and the
cybersecurity requirements referenced in the RFPs are now requiring
never-before-seen responsibility on the part of the firm for any third-
party vendors that a prospective law firm may utilize in the course of
acting for a potential client. How a law firm responds to the information
requirements in an RFP from a potential client is as important as the
firm’s pricing proposal or the depth of legal expertise the firm has to
offer and may make the difference in a competitive bid process.
Many lawyers are information technology
neophytes
Perhaps another reason that firms have been reluctant to move
progressively in embracing cybersecurity is because they are obviously
made up, principally, of lawyers and not techies. Lawyers will argue that
they went to law school, not to an IT institute, and that they are not paid
to know all of the nuances of the latest information security practices or
gadgetry in the marketplace. Quite honestly, when lawyers view
cybersecurity and the detailed requirements thereof, it is like a foreign
language to them. Consequently, most lawyers are neophytes when it
comes to technology. They may know how to use a Blackberry or tablet,
but they haven’t a clue about its inner workings, nor do they need to
know. That is why firms should seek out trusted IT experts and
consultants who can conduct thorough assessments based on
international standards (ISO 27001) and make recommendations on
how a firm can improve its cybersecurity capabilities. It is worth the
investment to have firm employees who are trained in the latest
information security practices and who know how to manage a firm’s
confidential information.
Some firms have even begun to cleverly leverage their cyber
credentials and preparedness for marketing purposes to attract new and
larger corporate clients. Other firms have tried to leverage their
cybersecurity preparedness or certification by trying to negotiate lower
insurance premiums from their carriers.
Law firms cannot afford to be in denial
Over the course of my career in managing external counsel, I have
spoken to many firms and discovered that there exists a wide gap in
cybersecurity preparedness and information security literacy.
The education gap ranges from extremely impressive, adequately
prepared, tech-savvy firms to poor, inadequately prepared and,
sometimes, unapologetically indifferent firms. Some of the firms in the
latter group have yet to see a compelling business need to invest in
cybersecurity preparedness. The mantra coming from this constituency
is usually the same: we are a small firm in a small town and we don’t
need to worry about cybersecurity; the type of legal work we do doesn’t
require cybersecurity practices; we have never had any information
security incidents; who would want to hack our firm?
Quite simply, smaller firms don’t see themselves as a prime target for
international cyber criminals and, therefore, feel less compelled (than
big law firms) to invest capital and resources in something that (in their
minds) has never happened to date, and that is highly unlikely to ever
happen. They are probably right that a cyber hacker in a foreign
country is highly unlikely to want to infiltrate the computers of a small
law firm in North Dakota or Saskatchewan. It’s important to point out,
however, that cyber hackers are only one of the cyber threats facing
firms today.
Core components of a cybersecurity strategy
At its core, a cybersecurity strategy should include the following
elements:
• email encryption
• a formalized information security policy for all law firm employees
• annual cybersecurity awareness training for employees
• an incident management process
• annual testing of computers
• antivirus safeguards
• proper backup and storage of client information
• strong passwords that expire
The strategic importance of cyber and information security to a law firm
cannot be overstated. As innovation continues to change technology,
and as users change how they utilize business tools and adopt new
business processes, how information security is managed in the midst
of all of that change and flux is crucial.
Other Information Security Threats
Aside from cyber criminals, firms need to be cognizant of other security
threats such as computer viruses, malware, phishing attacks, identity
theft, and even rogue employees looking to electronically steal
information or money. All of these threats pose a significant risk to firms
regardless of size, client base, or location and underscore the
importance of investing a firm’s resources and capital in a
cybersecurity strategy.
In addition, firms should never make the risky assumption that they are
immune to security issues simply because they have never had an
incident, or assume, therefore, that they do not need to invest in a
cyber strategy or security tools. This premise raises the question: how
do you know whether you have been targeted or, for that matter,
compromised if your firm doesn’t have the security measures to monitor
and identify external and internal intruders? If assumptions are to be
made, they should be based on facts as well as quantifiable and
measurable data. A firm may have malicious spy software embedded
in its IT infrastructure, or a rogue employee downloading and stealing
information, without the firm even knowing it, so making such claims
may be irresponsible and risky.
People are the biggest threat
I recall that a law firm once questioned the need for implementing any
cyber and information security requirements. Their argument was that
they were (again) a small firm of ten lawyers with six assistants and that
all of their employees were loyal and had been with the firm for at least
ten years, with some having been with the firm as long as twenty years.
The firm emphasized the trust and loyalty factor and that they had never
had an information security incident. Unfortunately, this type of logic is
flawed as described in the preceding paragraph.
Most cybersecurity experts will argue that people are, in fact, one of the
biggest security risks in a security chain. If employees are not
adequately trained and updated on the latest cybersecurity practices,
then they become the weakest link and a liability for an organization.
The most at-risk personnel are often uninformed, innocent, and unaware
employees who may compromise a firm in many costly ways, and not
the cyber hacker in a foreign locale.
IT Professionals and Cyber Consultants
For a firm to understand whether its operations and procedures are
deficient or unprotected from nefarious elements and cyber risk, it
should engage the right internal and external stakeholders. Regardless
of a firm’s size, someone, be it an office manager at a small firm or a
CFO at a larger firm, should be entrusted and dedicated to managing