Best Practices for Reducing Cyber Risk

By Stew Smith, CISM

The challenges associated with a data breach are changing the legal landscape.  The March 2017 issue of the ABA Journal cited cybersecurity as the biggest risk that law firms face in 2017.

The legal industry has become increasingly aware that it is considered a top target for a data breach.  As a result, firms have started allocating the resources needed to implement a formal cyber-risk program.  This change of focus is primarily client driven: because law firms often store highly sensitive data, clients are now evaluating cybersecurity performance and demanding a defined level of security.  No longer viewed as an afterthought, cybersecurity is becoming an integral part of a firm's overall business strategy.

How Can You Prepare?

  • Develop a plan now.  There will come a day in the very near future when having cybersecurity protocols in place will play a role in business development.  Certain industries have already adopted formal requirements: think HIPAA for health care and the Sarbanes-Oxley Act (SOX) for public-company financial reporting.  As this standardization across industries is expected to grow, those who ignore these best practices expose themselves to liability and will lose potential business opportunities.
  • Only work with companies that have a defined cyber-program.  Just as important as executing an internal plan, it is essential that vendors are like-minded.  This applies to any company you do business with: contractors, freelancers, consultants, etc.  Your firm and your associates are at risk if you are working with someone who does not have the necessary cyber-protocols in place.

Initiating Steps to Success

Don’t have a formal cyber-plan in place?  Here is a checklist of best practices you can implement to ensure risks are minimized:

Implement and Enforce Best Cyber-Practices

  • Conduct background checks of staff to mitigate insider threats
  • Ensure personnel use strong, unique passwords, and add a second authentication factor (such as a hardware token, a one-time code or a biometric such as a fingerprint or facial recognition) so that a stolen password alone is not enough to log in
  • Make sure computing and communication devices are secured, particularly for those traveling abroad
  • Continually test and train employees on the latest phishing schemes
  • Keep staff abreast of relevant incidents, their causes and their consequences
  • Make cybersecurity common sense part of performance reviews
  • Make sure appropriate monitoring and malware detection software is installed and kept current
  • Assess the need for encryption on phones, laptops and other smart devices

Know and Secure Vendors’ Networks

  • Limit each vendor’s access to your network and systems to what that vendor actually needs
  • Conduct the necessary due diligence on the backgrounds of vendors with access to your firm
  • Make sure cybersecurity protocols are part of existing contract language
  • Contractually bind vendors to security standards and protocols
  • Require vendors that handle critical data to disclose cyber incidents within 72 hours of occurrence

Identify and Protect Critical Data and Systems

  • Identify and segregate critical data and systems (customer information, IP, business strategy, market-sensitive information, internal communications, etc.)
  • Confirm the resulting processes with the firm’s stakeholders
  • Implement and regularly update appropriate controls, systems and processes
  • Verify, validate and continually test security systems to ensure the continued protection of critical data

Have and Practice an Incident Response Plan

  • Develop a cross-functional plan and team that involves members from across the entire firm (board of directors, marketing, technology, legal, human resources, etc.)
  • Retain the necessary outside experts (technical, legal, PR) to help remediate any cyber incident
  • Identify the appropriate contacts within law enforcement and applicable regulators before a cyberattack occurs
  • Comply with privacy laws and work with counsel to protect the confidentiality of the response work

Test Your Incident Response Plan and Continually Revise

  • Use a reputable third-party firm to conduct annual penetration tests that identify weaknesses in IT networks, infrastructure and employee practices
  • Report the results to the board and C-suite on a regular basis
  • Modify the plan to reflect the results of testing

In addition to the above steps, consider implementing the following to support your overall plan:

  • Create a cyber-response communications plan (messaging, distribution)
  • Maintain and engage cyber-experts to keep abreast of best practices and solutions
  • Consider retaining cyber liability/breach insurance
  • Forge relationships with key government agencies that can assist in prevention and response

Having a solid cybersecurity strategy in place is just smart business.  As the threats facing law firms continue to evolve, having the proper protocols in place now will better protect your firm and make it a more attractive entity with which to work.

Stew Smith, CISM is the VP Business Development of Business Machine Technologies, Inc.  BMT offers managed IT service, IT support, data and infrastructure solutions, advanced IT security, cloud service and IT consulting, and serves as the go-to IT partner to some of the most prominent companies in the New York area.  Stew may be reached at [email protected]. 
