Summary of Key Points
- Legal organizations store and handle large volumes of sensitive client data, making them particularly likely to be targeted by cybercriminals.
- Legal firms and other organizations in the legal sphere require carefully crafted policies that address their unique and specific needs.
- Cybersecurity insurance (also called cyber liability insurance) can help defray the costs associated with cybercrime should your customer data or technological systems be targeted by cybercriminals.
Technology has become a fact of life in the business world, and the legal sphere is no exception. With unique cybersecurity considerations, strict codes of ethics that must be adhered to, and a technological landscape that can sometimes make security feel like an afterthought, legal organizations of all stripes, including law firms and the SaaS companies that serve them, need to take extra precautions to ensure all sensitive data is secure and all regulatory and ethical guidelines are being adhered to.
Legal Organizations Have Unique Cybersecurity Considerations
Legal organizations store and handle large volumes of sensitive client data, making them particularly likely to be targeted by cybercriminals. When a lawyer is hired, one of the first things they do is gather large amounts of sensitive client data, including occupation, personal finance details, criminal disclosure information and other sensitive data such as abuse material or violent crime scene evidence.
If this highly sensitive information is unintentionally disclosed via a data breach or through a more targeted attack such as phishing, victims of crime may find themselves revictimized, compounding their trauma. Failure to safeguard sensitive data can also cause severe reputational damage, impacting the firm’s future.
Unfortunately, robust cybersecurity policies and practices are still not universal among law firms. According to a 2021 American Bar Association Report, only 53% of surveyed firms have policies in place to manage the retention of data and other information held by the firm, and only 36% of firms have an incident response plan in place. Furthermore, 17% of firms have no policies in place at all, with 8% stating they didn’t even know about cybersecurity policies.
When it Comes to Cybersecurity Policies in the Legal Sphere, There’s No One-Size-Fits-All
While more general organizations may be able to meet their needs with a copy-and-paste approach to implementing a cybersecurity policy, legal firms and other organizations in the legal sphere require carefully crafted policies that address their unique and specific needs. While large firms with generous cybersecurity budgets may have the people power and funds to invest in state-of-the-art cybersecurity infrastructure and well-trained in-house cybersecurity teams, smaller firms may not have the same resources at their disposal. As such, smaller organizations often choose to partner with trusted Managed Security Services Providers (MSSPs), who possess the technical and security knowledge needed to craft a comprehensive and robust policy.
SaaS: What You Need to Know to Serve Your Legal Clients Effectively
SaaS (Software as a Service) companies that serve legal firms and other organizations in the legal sphere need to be cognizant of the unique regulatory and ethical requirements such organizations face. A SaaS company that can offer the high level of data security required to handle sensitive legal information and who is equipped to meet the regulatory and ethical requirements legal organizations are governed by is more likely to wake up to an inbox full of client inquiries than an organization that takes a more general approach.
If your SaaS organization is looking to entice legal clients, you should consider tailoring your product offerings to meet their unique needs and ensure your organization is equipped to address their specific security concerns.
Safeguarding Sensitive Data in a Legal Setting
Like financial institutions and health care settings, legal organizations such as law firms handle high volumes of highly sensitive personal data that needs to be heavily safeguarded. However, while there is no such thing as a one-size-fits-all approach to developing a robust cybersecurity posture, there are some basic steps all organizations should be taking to best safeguard their data.
If your organization has experienced or is currently experiencing a cybersecurity incident, please contact our team of experts immediately and consider reviewing our educational article: Hacked? Here’s What to Know (& What to Do Next).
Conduct a Risk Assessment
You can’t solve a problem you don’t know exists. All organizations should begin by conducting a thorough risk assessment, including a vulnerability scan. A risk assessment evaluates your existing infrastructure for vulnerabilities and threats, giving you a better sense of the risks you face. A comprehensive risk assessment will also include recommendations for mitigating identified risks.
Once your initial risk assessment is complete, it is important to remain vigilant. Risk assessments should be conducted regularly and after any major system changes or upgrades to ensure that any new vulnerabilities can be quickly identified and addressed.
As part of your risk assessment, you may also want to consider investing in a pen test. Pen (penetration) testing involves hiring an ethical hacker to stress-test your organization’s cybersecurity defenses, searching for gaps and vulnerabilities that could be exploited to gain access to sensitive data and systems. Once the test is complete, the tester sits down with your team and reviews their findings, including recommendations for addressing your current cybersecurity shortfalls. Pen testing is particularly useful because it gives you a chance to view your security posture from the point of view of an attacker and can help uncover vulnerabilities and other shortcomings so they can be addressed before cybercriminals are able to exploit them.
Develop a Tailored Cybersecurity Policy & Incident Response Plan
Once your initial risk assessment has been completed, you can begin developing a tailored cybersecurity policy, including an incident response plan. Cybersecurity policies are becoming more common, with The American Bar Association’s 2022 Cybersecurity Survey reporting that 89% of respondents have one or more policies governing technology use in place (up from 83% in 2021 and 77% in 2020). However, only 76% of respondents have an email policy, 63% a computer acceptable use policy, 60% an internet use policy, 59% a remote access policy, and 53% a business continuity and disaster recovery policy.
The same 2022 survey also found that only 42% of respondents have an incident response plan in place, including 72% of firms with over 100 attorneys, 46% of medium-sized firms (10-49 attorneys), and a mere 9% of solo respondents.
These statistics are concerning in a world where technology permeates nearly every aspect of business, including the legal sphere. A well-developed cybersecurity policy is critical for ensuring that all software and hardware used by your organization is capable of safeguarding sensitive client data and is being used in ways that promote, rather than hinder, your cybersecurity posture.
An incident response plan is equally important in a world where, sadly, it is less a question of whether an organization will be hacked than of when. A well-crafted incident response plan offers detailed instructions for your team regarding detecting, responding to, and recovering from a cybersecurity incident. Please consider reviewing our Guide to Creating an Effective Incident Response Plan for practical, expert-driven advice on how to draft and implement an incident response plan.
Consider Cybersecurity Insurance
Cybersecurity incidents can be costly, and not just in terms of a firm’s reputation. In addition to the loss in productivity an incident such as a ransomware attack can produce, organizations often find that the costs associated with recovery and mitigation can quickly add up, easily overwhelming smaller firms with more modest budgets.
Cybersecurity insurance (also called cyber liability insurance) can help defray the costs associated with cybercrime should your customer data or technological systems be targeted by cybercriminals. Your exact coverage will vary depending on your insurance provider and other factors, but most policies cover legal costs and damages such as:
- Incident response costs: This includes the cost of access to a 24/7/365 cyber incident response team and the costs associated with hiring a dedicated team to help you manage and coordinate your incident response after an incident.
- Legal, forensic, and incident management costs: This includes the cost of any legal advice required from other firms, as well as notification fees, crisis management services, and, if applicable, credit monitoring services for affected clients.
- Social engineering coverage: Some plans may cover cases where an employee was tricked into providing access to a system or sending funds to fraudsters.
- System business interruption: This includes losses sustained due to system outages, which can curtail or even halt productivity.
- System damage and restoration costs: This includes replacing or repairing damaged equipment and restoring any software damaged during the incident.
For more information about cybersecurity insurance, please consider reviewing our article What is Cybersecurity Insurance (& Does Your Business Need It?)
Invest in Ongoing Cybersecurity Training
A lack of employee training can undermine even the most detailed, robust, and comprehensive cybersecurity posture. All partners and employees should receive comprehensive cybersecurity training as part of your organization’s onboarding process. This training not only sets the tone that cybersecurity is important to your organization but can also help team members understand why cybersecurity is important and why their actions can either safeguard or expose sensitive client information.
Legal organizations should also consider offering all team members regular refresher training to help keep best practices top of mind and ensure that all changes and updates to your cybersecurity policy and incident response plan are communicated in a timely manner. This also provides an opportunity for team members to ask any questions they may have about your policy or offer any insights they might have regarding your current cybersecurity posture.
As part of your ongoing training, you may wish to consider staging tabletop exercises. Tabletop exercises are analogous to cybersecurity fire drills: Your team is presented with a hypothetical cybersecurity incident and tasked with responding. Tabletop exercises allow team members to leverage your current incident response plan, testing both its efficacy and their own skills. Once the exercise is complete, you can then review your team’s performance and address any shortfalls while also gathering valuable feedback regarding any gaps or deficiencies in your current cybersecurity posture.
Partner with Cybersecurity Experts who Understand Your Unique Security Considerations
As any good lawyer knows, not everyone can be an expert in everything. By partnering with an MSSP that understands your unique security considerations as a legal organization, you can rest assured that your security is in good hands and free up your team members to focus on your business. A good MSSP will employ a wide variety of cybersecurity and IT experts and monitor your network 24/7/365 for suspicious activity. They can also help you develop tailored employee training guides and help you ensure your current cybersecurity posture and incident response plan are able to meet your needs.
VirtualArmour offers a wide variety of cybersecurity services, including managed open XDR, managed SIEM, endpoint detection and response, managed infrastructure and firewall, vulnerability scanning, and SOC as a service. We also offer comprehensive packages based on your level of need, including essential core services, premium services, and consulting-level services.
Common Cyber Risks & Mitigation Tactics
Cybersecurity risks can exist where you least expect them. To help keep your team, and your data, safe, this next section will discuss several common cyber risks and offer practical advice regarding appropriate mitigation tactics.
Video Conferencing
Since the beginning of the COVID-19 pandemic, video conferencing software has become increasingly mainstream and is often used in judicial and legal settings alike. Incidents of Zoom bombing, where malicious parties interrupted and disrupted Zoom calls, were distressingly common and disrupted at least one virtual court case. While Zoom has since rolled out end-to-end encryption in response to these incidents, it is still not enabled by default. As such, all law firms, courts, and other legal organizations and entities must ensure that this feature is enabled for all remote legal proceedings and client meetings.
Legal organizations should also consider adopting other security controls, including requiring participants to register before calls and requiring authentication, in order to help ensure private proceedings, meetings, and other forms of communication remain private.
Remote Work
The sudden shift to remote work brought with it some growing pains, and while most organizations that continue to allow employees to work from home have smoothed out the most serious wrinkles, some security gaps may remain.
If attorneys or other team members are going to be accessing sensitive client data from outside the office, you should consider investing in secure connections and VPNs (Virtual Private Networks).
Secure connections refer to connections that have been encrypted using one or more security protocols. This ensures that all data flowing between two or more nodes is secure, preventing unauthorized third parties from accessing sensitive data and preventing this data from being altered or viewed by unknown parties. To help ensure security, secure connections require users to validate their identities.
On the other hand, VPNs leverage public internet connections to create private networks by masking your IP (Internet Protocol) address. By obscuring the user’s activities from outside view, a VPN user’s online actions become virtually untraceable, making this technology ideal for team members handling sensitive client data.
Decentralized Client Data
Decentralizing client data storage is the digital equivalent of not putting all of your eggs in one basket. Rather than storing all sensitive data in a single encrypted location, data is split into multiple pieces, each of which is encrypted and stored in a different location. Encryption has long been a vital part of any cybersecurity posture, but like any tool, it is imperfect. Encryption rests heavily on encryption key management, and its efficacy depends on choosing a key randomly and never reusing encryption keys. Encryption efficacy also depends on correct implementation, leaving room for error.
However, by decentralizing your client data and encrypting it, you can make it all but impossible for cybercriminals to reconstruct the data unless they can gather all the pieces before they are discovered. Even if a cybercriminal is able to gain access to sensitive data, the information they get may be either unusable (due to how it has been split up) or limited in scope since only a few clients may be impacted. This makes the attack both easier to contain and easier to recover from and minimizes potential damage to clients.
Cloud Computing
The cloud is a collection of web-based applications that allow users to remotely access programs via the internet, in contrast to the traditional approach of purchasing a program, installing it on your computer, and running it locally. While the cloud has revolutionized how many organizations approach work, it has also brought with it new security vulnerabilities that need to be addressed. For example, a misconfigured cloud could leave your organization vulnerable by allowing unauthorized third parties to intercept, view, or even alter sensitive data. Because the cloud is specifically designed with data sharing and accessibility in mind, it can be difficult to ensure that only authorized users are able to access data. A common example is link sharing, where any party with the link can access, edit, steal, or delete data. This lack of control over where your data is stored can also leave you vulnerable to other forms of data loss, including data lost to a natural disaster that destroys physical servers or to human error. In order to counteract this risk, functional and tested data recovery and backup processes need to be in place, and security needs to be baked into every network layer to best safeguard sensitive client data.
One of the main advantages of the cloud is the ability to access your organization’s data from anywhere, which is, unfortunately, both a boon and a security risk. Cybercriminals often target cloud-based networks because they are more easily accessed from the public internet. However, if team members are accessing sensitive data from their own devices, they may not have the same level of security as you do internally. As such, organizations that rely on a BYOD (Bring Your Own Device) policy rather than providing team members with laptops, smartphones, and tablets should take steps to minimize security risks. For more information and practical advice on how to achieve this goal, please consider reviewing our article Keeping Your Network Secure in a “Bring Your Own Device” World.
Using the cloud also means relying on a third party to handle your data, limiting your organization’s visibility and control over your infrastructure and trusting that your cloud provider takes security as seriously as you do. As such, if you choose to leverage the cloud, you should vet potential providers carefully and make sure their security posture meets your high standards. You should also explicitly ask how threat notifications and alerts are managed so that you can ensure your team is notified as soon as possible if an incident does occur.
Email Security
Your email servers should also be assessed for vulnerabilities. This is particularly important since email is a common way organizations share sensitive files both internally and with authorized third parties such as clients.
There are several steps you should be taking at the organizational and personal levels to improve email security. This includes:
Developing Strong Password Guidelines
By insisting that users adopt strong passwords, you can help make it more difficult for cybercriminals to access team members’ email illicitly. To help you design a strong password policy, NIST (the National Institute of Standards and Technology) offers password guidelines in section 5.1.11, Memorized Secret Authenticators, of its Digital Identity Guidelines (SP 800-63B).
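As an added illustration (not code from the article or from VirtualArmour), the check below applies the NIST SP 800-63B memorized-secret rules the cited section describes: an 8-character minimum, a cap no lower than 64 characters, no composition rules, and screening against a common/breached list, repetitive or sequential strings, and context-specific words such as the username. The blocklist and the `username`/`service` parameters are constructed assumptions for the example.

```python
import unicodedata
from typing import Optional

MIN_LEN = 8    # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # verifiers must permit at least 64 characters; this policy stops there

# Constructed stand-in for a breached/common-password list. In production this
# would be a large list (for example a Have I Been Pwned export), not five words.
COMMON_PASSWORDS = {"password", "123456789", "qwertyuiop", "letmein1", "iloveyou"}


def normalize_secret(secret: str) -> str:
    """Apply Unicode NFKC normalisation so visually identical input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(s: str) -> bool:
    """True when the whole string is one short unit repeated, e.g. 'aaaaaaaa' or 'abababab'."""
    for unit in range(1, len(s) // 2 + 1):
        if len(s) % unit == 0 and s[:unit] * (len(s) // unit) == s:
            return True
    return False


def is_sequential(s: str) -> bool:
    """True when every character is exactly one code point after (or before) the previous one."""
    codes = [ord(c) for c in s.lower()]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(secret: str, username: str = "", service: str = "") -> Optional[str]:
    """Return None if the secret is acceptable, otherwise a short reason string.

    Deliberately no composition rules (uppercase/digit/symbol requirements):
    SP 800-63B recommends against them. Spaces and any printable Unicode are allowed,
    so a long passphrase passes while a short "complex" password may not.
    """
    normalized = normalize_secret(secret)
    if len(normalized) < MIN_LEN:
        return f"must be at least {MIN_LEN} characters"
    if len(normalized) > MAX_LEN:
        return f"must be at most {MAX_LEN} characters"

    lowered = normalized.lower()
    if lowered in COMMON_PASSWORDS:
        return "appears on the common/breached password list"
    if is_repetitive(lowered) or is_sequential(lowered):
        return "repetitive or sequential characters"

    # Context-specific words (account name, service name) are easy to guess.
    for word in (username.lower(), service.lower()):
        if word and word in lowered:
            return "contains the account or service name"
    return None


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "abababab", "jsmith2024!x"):
        print(repr(candidate), "->", check_password(candidate, username="jsmith") or "ok")
```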
Implementing Two-Factor Authentication Requirements
Two-factor authentication (also called multi-factor authentication) adds an extra layer of security by requiring users to enter their password before sending an authentication prompt to their personal device, which they then have to accept. Not only does this make breaking into an employee’s email more difficult since the cybercriminal would also need physical access to their phone, but it can also serve to alert team members if someone is trying to break into their account.
Scanning All Incoming Attachments
Anti-virus software may seem basic, but it still plays an important role in any robust cybersecurity posture. Anti-virus and anti-malware tools can be used to scan all incoming emails and flag suspicious attachments, which can help prevent team members from inadvertently downloading viruses or granting unauthorized users access to sensitive data.
Staying Off Public Wi-Fi
We’ve discussed the dangers of public Wi-Fi in our article Airports are a Hacker’s Best Friend (& Other Ways Users Expose Themselves to Risk), but it bears repeating here. Unless you know that a publicly accessible network is safe to use, the best course of action is to avoid connecting to it. One tactic cybercriminals use is to set up plausible or innocent-sounding public Wi-Fi networks, which are often named to closely resemble legitimate networks (think Coffee-Shop-Guest, which makes users think the network is owned by the coffee shop they are currently visiting). When unsuspecting users connect to the network, their traffic is intercepted, compromising both the user’s and your organization’s security.
Investing in an unlimited data plan can remove the need to search for free Wi-Fi, but this is one of those cases where the mantra “when in doubt, go without” strictly applies.
Keeping Your Personal & Business Email Separate
Not everyone needs to have your business email, and in fact, it is better from a security perspective if they don’t. By limiting your work-assigned email address to work-only tasks, you can reduce the chances of that address being leaked to cybercriminals. As such, it is always a good idea to have both a personal email address and a work email address. That way, if your personal email address is compromised when you sign up for that interesting-looking newsletter, you aren’t potentially handing over sensitive information.
Depending on how much you rely on your email for networking and other professional, but not strictly-internal-work-related, activities, it may even be beneficial to set up an email address specifically for professional networking purposes to print on your business card so that you can keep your work-issued email address on a strictly need-to-know basis.
Logging Out When You’re Done
Even if you are absolutely sure that the device you are using is secure, it’s good practice to log out of your email when you are done. That way, if you lose your phone or your laptop is stolen, and the cybercriminal is able to guess your device’s password, you aren’t inadvertently handing over access to your email as well.
Keeping an Eye Out for Phishing Attacks & Other Suspicious Activities
Phishing attacks are a type of social engineering attack used to steal user data such as login credentials, payment card information, or PII (personally identifiable information) or trick unsuspecting users into installing malware by clicking a link or opening an infected file.
Phishing typically relies on text-based forms of communication such as email, SMS (text messaging), or other messaging apps and involves a cybercriminal pretending to be someone you are already primed to trust (such as your boss, a colleague, or an employee from your bank) and tricking you into performing an action you otherwise wouldn’t perform. For more information about phishing scams and steps you can take to avoid them, please consider reading our article Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe.
Workers are also more likely to fall for social engineering attacks if they work remotely. This is because more official communication (such as a directive from your boss) happens over text-based channels such as email or the phone as opposed to in person. This makes it easier for cybercriminals to mask their identity and offers ready-made excuses such as asking you to hop on a video call while keeping their own camera off because of “poor internet connectivity”, preventing you from visually verifying who you are speaking to.
For more information about how to recognize potential social engineering attacks and what steps you can take to safeguard your organization, please consider reviewing our article In a Remote World, Social Engineering is Even More Dangerous.
Law firms and other organizations that interact with or are part of the legal sphere interact with vulnerable individuals regularly and handle high volumes of highly sensitive personal information. As such, they have a high ethical and regulatory bar to clear when it comes to safeguarding client information that requires a tailored approach to cybersecurity.
Safeguarding your digital assets can be difficult in an increasingly connected world that often values connectivity and ease of use over security, but you don’t have to handle it all alone. By partnering with an MSSP that understands your organization’s unique security needs, you can thoroughly assess your current security posture, implement an incident response plan, develop targeted employee training, and take other critical steps to secure your network and your data.
For more information on how to get started improving your security posture, please contact our team today.