Databases of many law firms house the financial information, intellectual property data and trade secrets of their clients, making them rich targets for cyber criminals.
In recognition of October being National Cyber Security Awareness Month (NCSAM), this post seemed timely to share. Particularly with the recent meeting between President Barack Obama and China's President Xi, the rhetoric of cyber security has been hotter this year than in any year in the recent past. The topic is now cemented into the social psyche and there is an international recognition of the importance of cyber security, from large financial institutions to small businesses on down to individuals.
Hacking computers is no longer a “cottage industry” or something done by lone disgruntled individuals or teenagers in their parents’ basement. This is now a criminal endeavor that is highly organized and getting more "weird" and sophisticated each week.
For your solo or small law firm, or any small business, the regrettable but unavoidable truth is that the question is not if you will encounter a breach of your data, but when. You have to make this an immediate priority by taking steps to avoid a breach and by having a plan in place if a breach occurs.
"Many businesses confess that they rarely or never use complex passwords (34%) or encrypt files containing confidential or business critical information (66%) despite 10% having incurred costs to restore affected IT systems over the past 12 months." - The Manufacturer
For perspective on the vulnerability of law firm data, the 2011 International Legal Technology Association (ILTA) Survey (pdf) indicated that:
- 87% of law firms do not encrypt laptops
- 61% have no intrusion detection tools
- 64% have no intrusion protection tools
Additionally, for firms that purchase iPhones and Androids for employees, 94% don’t bother to track them. Not good for an industry that harbors highly sensitive information. In a separate 2011 study (article), at least 80 major US law firms were hacked in that year.
More specific to the small business owner, the National Cyber Security Alliance website indicates that six months after a data breach a "staggering 60%" of small and medium-sized business owners have to shut their doors.
Getting Ready for a Breach
Of the many things a small business can do, here are five of the most important steps.
1. Utilize the best tech barriers your business can afford, preferably a cloud-based app. If you host your own data on in-house servers, you're definitely more prone to a breach because it's you managing your data security and not a professional firm. Adam Cohen, SeatGeek VP of Engineering, says every business is responsible for its cyber security, "but the more that you can use reliable third-party systems, the fewer vulnerabilities you have to worry about and – perhaps more importantly – the lower the potential damage that would be caused by an attack." (Forbes)
2. Educate yourself and your staff on cyber security best practices. Why? Internal threats account for 80% of security problems according to the National Institute of Standards and Technology. The internal threat can come from both uninformed employees and disgruntled employees. But here let's focus on the former:
"Employees who are not trained in security best practices and have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments pose an enormous security threat to their employers’ systems and data." - CIO.com
To facilitate the education process, the U.S. Small Business Administration offers a free online course called Cybersecurity for Small Businesses to get you thinking in the right direction.
3. Establish a cyber security policy for staff use and stick to it. The Cyber Security Policy Guidebook (pdf) is a good place to get started. Within your policy, be sure to implement strategies for mobile devices; at any given time, 11.6 million (pdf) of them are harboring malicious code that could make it back to your network.
"Having company-wide security policies in place can help reduce your likelihood of an attack." - BusinessNewsDaily.com
4. Have a cyber breach incident response plan in place and practice it. When you become aware that the worst has happened, you want to be quick on your feet and notify appropriate parties and authorities. Your reputation and - very realistically - your business are on the line.
"Commit to keeping all affected parties informed of developments related to the breach, following appropriate legal guidelines. Accept responsibility for the inconvenience caused, apologize, and make it clear that you will do all you can to help victims deal with the consequences of the breach." - BusinessNewsDaily
You can view Experian's Data Breach Response Guide (pdf) online to further understand the overwhelming need to be nimble when a breach occurs.
5. Get cyber liability insurance coverage. Cyber insurance can't prevent a breach, but it can help you get through some tough financial times. A cyber policy provides coverage for the theft of both first-party and third-party data - meaning whether the breach occurs to your business or a business whose data you're working with, you should be covered. Typically, business owners insurance policies do not cover cyber incidents, so this will likely be a form of additional (but necessary) coverage you'll have to purchase.
Cyber liability policies, such as ALPS Cyber Response, are available specifically for law practices and can cover:
- Claims for violation of privacy law
- Disclosures which directly result from failure of computer security to prevent a security breach
- Theft, loss or unauthorized disclosure of personally identifiable non-public information
- A computer security expert to determine the existence and cause of the loss
- Attorney fees to determine notice and other requirements under federal or state privacy laws
For additional information on buying cyber liability insurance, take a look at the article 5 Tips for Clients to Consider When Buying Cyber Liability on InsuranceJournal.com.
As you endeavor to enhance cyber security at your solo or small law firm, or at any other small business, I recommend that you take a look at the small business infographics and resources page on the National Cyber Security Alliance website. The information there will give you a realistic and sobering look at the cyber vulnerabilities of small businesses as well as information on effectively getting your "shields up."