What Cyber Defense Measures Most Law Firms Don’t Have, and Need

The COVID-19 pandemic brought sweeping changes to the way we all live and work. And now, as remote work has become the new normal, the risk of a firm falling victim to a cyberattack has continued to increase as hackers pursue targets of opportunity. This danger is felt particularly among small and mid-sized law firms.

There is a Lack of Cyber Defense Measures

According to the American Bar Association’s 2020 Legal Technology Survey Report, fewer than half of the respondents reported having even the most basic cyber defense measures in place.

Those bare minimum cyber defense measures, and the percentage of respondents who have them, include:

  • File encryption – 43%
  • Two-factor authentication – 38%
  • Intrusion prevention or detection systems – 29%
  • Web filtering tools – 26%
  • Employee monitoring tools – 23%

Remote Work Expands Cyber Concerns

In the past, business leaders only had to worry about what went on behind the four walls of their business and on company-owned devices. Now, with employees working from home, new risks have been introduced from the use of personal computers, printers, USB drives, home Wi-Fi and smartphones. Employees are using these devices to service clients, which opens new avenues of attack for cyber threats.

Many firms still have not adapted their cybersecurity policies to address these remote work risks (assuming they even had such policies in the first place).

Proper Cyber Practices Matter to Client Service

The reality is that the protection of firm data is an enterprise-wide commitment. When clients entrust their confidential data to a firm, they expect such data to be kept privileged and secure. A law firm without proper cyber practices in place can put the data of thousands of clients in jeopardy.

Business Disruptions Occur with Cyberattacks

The ransomware attack in October 2020 against international law firm Seyfarth Shaw rendered several network components inaccessible. Although it is believed that the data was not accessed or removed, the attack disrupted the firm’s ability to service its clients and demonstrated how easily cybercriminals were able to impact a firm that serves 300 Fortune 500 companies.

Cyberattacks Cause Compliance Problems

Major international firms aren’t the only victims. Hackers are targeting firms of all sizes. On February 11, 2020, law.com announced that hacker group Maze released a “full dump” of Texas boutique firm Baker Wotring’s client data. This data dump publicized data from personal injury cases, as well as fee agreements and HIPAA consent forms, among others. According to the same source, at least five other small law firms have fallen victim to the hacker group within a similar time frame.

Attacks Erode Client Trust

Clients expect their legal service providers to ensure the security and confidentiality of their data. Without sufficiently robust cyber defenses, the trust that clients place in their law firms is put at risk. This risk is more than just financial. A data breach can significantly mar a firm’s reputation. If your clients’ data becomes compromised due to a ransomware attack, particularly one that could have been mitigated with sound cyber hygiene practices, how would such an impact be perceived? Would you still be trusted?

Proof Needed for Cyber Insurance Policies

Cyber insurance policies that provide access to competent professionals to help restore a business after an attack are becoming more difficult to obtain and keep. This is because insurance companies are starting to require businesses to show evidence of mature cyber practices as a condition of coverage. It’s not surprising considering that the average cost of a data breach in 2020 rose to nearly $4 million, and according to the 2020 Survey, only 36% of respondents have cyber insurance.

Keep Privileged Information Privileged

Protecting a law firm from cyber threats is a tall order that involves more than just setting up a firewall or two. It requires a comprehensive assessment of the firm’s security posture that includes assessing the firm’s current people, processes and technology and building a strategic road map.

The first step is the performance of a Cybersecurity Maturity Assessment, which will evaluate the maturity of your firm’s cybersecurity posture. It can then shed light on changes, both immediate and long term, that can be made to better protect client data and mitigate the impact of a potential cyberattack. A Cybersecurity Maturity Assessment offers peace of mind to firms that are dedicated to protecting their clients’ valuable data and making sure that privileged information stays that way.

Not Sure Where to Start?

Windham Brannon’s Cybersecurity Advisory Practice is dedicated to helping law firms manage their cybersecurity risks. We can usually execute a Cybersecurity Maturity Assessment over two to four weeks and present results afterward. The assessment will provide you with concrete recommended next steps for protecting your firm and client data.

Email Windham Brannon’s Cybersecurity Practice Leader Al Tanju to discuss how Windham Brannon’s cybersecurity services can help you.