The Ultimate Guide to Law Firm Cybersecurity & Compliance
The ABA issued Formal Opinion 498 in March 2021. In it, the ABA addresses some of the pressing concerns about data security, data privacy, and maintaining privilege in a technology-driven practice. If you haven't read it, you should. Missteps will not be treated lightly.
Cybersecurity in law firms, especially smaller firms, is terrible, but it doesn't need to be. Here's how to fix it:
Two of the big issues that solo practitioners and small firms have faced when it comes to cybersecurity:
Cybersecurity resources for small firms have been unavailable
When available, cybersecurity resources for small firms have been extremely expensive
Add to this that, historically, small firms and solo practitioners haven't been hit with ransomware, which created an opportunity to blissfully avoid addressing cyber risk beyond buying insurance coverage.
Over the past two years, there have been some major shifts that have turned this bliss upside down.
6 Reasons Law Firm Cybersecurity has become Critical:
Big companies and large law firms have secured their environments, making it more difficult for their data to be leaked or stolen, so attackers move on to softer targets
The value of data, especially actionable data, has increased
Ransomware has become automated, lowering the bar of entry and increasing the number of hacking gangs
Insurance carriers are demanding greater diligence in securing data
Clients are demanding greater diligence in data security
The ABA has placed the onus of data security and privacy on the attorney
Unfortunately, it is now time for firms of all sizes to take action. These are the steps you want to take:
Retain an outside firm to provide you with a security risk assessment. Request that the assessment be aligned to the NIST CSF (Cybersecurity Framework). If you are a small practice (fewer than 100 employees), a modified version will suffice. Why is this important? The weight and credibility of an independent expert reviewing your security posture is greater than you telling people your firm is secure. Additionally, someone experienced in performing assessments may find risks you hadn't considered and can help you prioritize how to improve your security posture.
Create a Written Information Security Plan (WISP) that outlines what technology your firm has and what technology services it uses. This is a plan that includes usage and response policies for your firm. Include information about your Internet Service Provider (ISP), servers, and the service providers/services you use. PRO TIP: Implement a policy for verifying payment changes (how your firm pays an invoice AND how your firm accepts payment from clients) with a second person. The best arrangement is to have the second person call a previously recorded phone number for the payee, never a number supplied in the change request itself, to help ensure you don't become a victim of fraud. Why is this important? Your insurance carrier and clients are going to want to know that you know what hardware and software your firm uses and that you take their data security seriously.
Create a Written Incident Response Plan (WIRP). This should include a prioritized list of users, computers, and services. I understand you are an attorney; however, we strongly suggest you have outside counsel that you can contact and rely upon in case of a data breach or ransomware attack. Attorney/client privilege applies to you as well. Why is this important? If you are unlucky enough to lose data or be hit with a ransomware attack, this plan will reduce the amount of thinking and discussion required to act and reduce the time it takes to recover.
Sign up with a cloud-based backup service to back up your data. If possible, use a separate account with its own username and password (and its own MFA) for the backup service, so that if your machine(s) are compromised by a hacker, they can't reuse those credentials to reach or delete the backups. Why is this important? The average downtime due to ransomware for a small business is more than 30 days. That is 30 days your firm can't work (aka bill clients). Immutable cloud backups, copies that cannot be altered or deleted during their retention period, can provide access to your data and will likely have you up and running quickly. Are you financially and operationally ready to be down for 30 or more days?
Start using Multifactor Authentication (MFA) to secure your computer, email, and applications, including web-based applications. Why is this important? MFA reduces a hacker's ability to access your computer or files by requiring users to prove they are who they say they are with something beyond a password. This is typically done by requiring a user to type their username and password into their computer and then verify on their phone (or with a hardware key) that they are in fact trying to log on. A stolen password alone is no longer enough. Consider it evidence that the person using your computer is you.
Install antivirus (AV) or endpoint detection & response (EDR) software, even on your MacBook. Configure the software to update automatically. Why is this important? AV & EDR are tools that look for malicious software and activity on your computer. If a hacker attempts to install or run malicious software on your computer, these tools should detect (and stop!) it. If you do not have these tools installed, it shows a lack of concern about data security.
Even if you are a solo practitioner who works out of your home, install a firewall and sign up for the scanning and detection subscription services. Why is this important? Firewalls filter internet traffic before data from the internet reaches your computer. Additionally, if your computer is attempting to connect to a known malicious website, the firewall can stop the computer from connecting.
Use a 24x7 monitoring, threat hunting, and vulnerability detection service that logs activity in a SIEM so you can create reports to show clients, partners, and your insurance carrier that you are "cyber compliant". Why is this important? The collection of monitoring, hunting for threats, and scanning your computer(s) is the evidence you need to show diligence should you be the victim of data loss or ransomware. Easy-to-read reports can be automatically generated should a client ask about your data security posture... and clients of all sizes have started asking.
Install a phishing protection tool. This will scan emails to determine how likely they are to be legitimate. This can protect your firm from Business Email Compromise (BEC) attacks. It ties back to having a policy in your WISP that addresses payment changes. Why is this important? Most payment change requests come in via email, and this tool can help identify whether or not the request is real. It does not replace the call-back verification: treat the tool as a filter and the policy as the control.
Implementing file encryption software is a great way to protect unstructured data files. Structured data is information inside a database; unstructured data is all the other types of files, including Word documents, PDFs, pictures, spreadsheets, downloaded emails, etc. Why is this important? Files that are encrypted and then leaked or stolen cannot be read without the encryption key, which you control, significantly minimizing the damage of a cyber attack.
Ongoing employee training around firm policies and procedures and emerging cyber threats is another great way for firms to show their cyber diligence. Modern automated SaaS solutions allow firms to customize training by employee role, add and remove lessons, and provide the training in large blocks or micro-sprints over time. NOTE: we find that micro-sprint training, or short little clips of training, is easier to digest, holds employee attention more effectively, and provides improved learning as it is used throughout the year. Why is this important? Ongoing employee training is often a requirement to obtain cyber insurance; most vendors are asked about employee training as it relates to data security; and it is an excellent way to teach and reinforce awareness and proper behaviors for protecting data.
Once all of these tools are implemented, there are 4 more that should be considered. REMEMBER, it is not reasonable to expect a small firm to be using all of these, or all of these "right now". However, it is reasonable to expect that some of these tools are installed, configured, and running and that firms have a plan for their cyber future.
Ok, the last 4 tools firms should be utilizing:
Governance, Risk, Compliance (GRC) tracking. This tool captures and tracks specific tasks that users and machines in a firm need to complete. For example, it holds copies of vulnerability scans, software updates (patching), employee training, employee onboarding, terminations, malicious software detections, and more. These platforms are the "ERP" tool for managing risk. Similar to any billing and financial software you use, a GRC tool provides a real-time view of how secure your firm is, where the firm stands on improving its security posture, and identifies where the firm may require outside support and assistance. Why is this important? Firms need to be able to provide evidence that they are aware of cyber risks and are taking cybersecurity seriously. This centralized dashboard collects data and tracks security posture and improvements over time.
Privileged Access Management (PAM) restricts what a user (in particular an administrator) can do, based on their role. Where MFA verifies who is logging into the device, network, or application, PAM defines what that user has access to and records how elevated privileges are used. Why is this important? When it comes to cyber compliance, PAM solutions capture and document user activity at the metadata level. For example, do you want to know who added a printer on your network or who deleted a file, or do you want to restrict a user from being able to delete a file off a network share? A properly configured PAM solution provides that functionality and can alert you that a user is attempting to do something they shouldn't be doing. Beyond visibility and control, PAM, like many of the other tools, provides independent reporting that can be used to validate compliance.
Web Application Firewall (WAF) protects your website and any web applications you run from being hacked or otherwise disrupted. Where a network firewall is configured to protect users and their devices, a WAF is designed to protect applications by inspecting the web requests sent to them, with many vendors including or offering up-time redundancy. Why is this important? Many of today's applications are built by pulling code and data from publicly available services through APIs (Application Programming Interfaces: the defined ways one program requests data or actions from another). For multiple reasons, APIs can be difficult to secure, making it easier for a hacker to reach the backend of an application, which could contain case file information, client information, or banking information. A WAF acts like a "bouncer at a bar" to keep malicious requests out of your applications.
For firms that do work in Europe or in states that have strong data privacy protection laws (OR for firms that want to do the right thing), Data Privacy Management (DPM) drives proper data management. Why is this important? GDPR (Article 30's records of processing and Article 17's right to erasure, among others) and California's CCPA & CPRA require firms to know what PII they hold, where it is located in their network, servers, and databases, and how to remove (delete) it when requested.
Don't be Cyber-Overwhelmed
There are lots of firms out there that can help you, but here is how Arcas Risk Management works with clients:
Conduct an Assessment
Create the WISP and WIRP
Provide recommendations on tools or services needed to reach a reasonable security posture for a firm your size (different size firms have different needs)
Provide the tools and services we offer
Help you find vendors to provide the tools and services we do not offer
What does this cost?
Here is what I would estimate for a small to mid-size firm. Obviously, there are many ways to price services, but with much of the cybersecurity industry hiding its pricing, we felt a little transparency would be fair.
Modified NIST Security Assessment: $10K
WISP & WIRP: $5-10K
Cloud Backup Service: $1/day per machine
MFA: $15/month per user
AV & EDR: $100-150/yr per machine
Firewall: $1000 to purchase and install (1x) and $30/mo in subscription services
Monitoring, Threat Hunting & Vulnerability Scanning with SIEM logging: $30/mo per machine
Phishing Protection & BEC: $15/mo per user
File Encryption: $1/day per machine
Data Privacy Management: $10,000-$30,000/mo
NOTE: These are ballpark estimates in 2022 dollars. Prices will change and vary.
What are the tools we like and use when working with small firms?
Cloud Backup solutions for solo practitioners and small firms: N-able Cove Data Protection. We use this in-house. Super easy to install and use; offers big-firm protection at small-firm pricing.
MFA: Yubico & Duo (and sometimes BOTH! - reach out and ask why). We use these in-house. Independent of the other services that may store your username and password, these two solutions are consumer friendly and easy to install and use. Microsoft & Google also offer an MFA solution that is easy to set up and use, but they also store your username and password, potentially reducing the amount of security you have.
AV & EDR: Sophos XDR, SentinelOne, Trend Micro, Microsoft Defender for Business. There are lots of great solutions, and everyone has a favorite or hated one. We have seen many small organizations appreciate the effectiveness of the Sophos and SentinelOne solutions, the support of Trend Micro, and the cost of Microsoft Defender.
Firewall: Firewalls are sized to the environment, and larger firewalls often have more features. However, for solo practitioners and firms with small offices, Eero offers a solution that is easy to set up and has great customer support. Other vendors we like include Sophos, Cisco, Palo Alto, and Fortinet.
Monitoring, Threat Hunting, & Vulnerability Scanning: I would be remiss if I didn't suggest the Arcas solution(s) - Arrow, Edge, & Carbon - which include many if not all of the tools you would want AND are fully managed by our team here in the US so that you can maintain any client or regulatory compliance requirements. Other services we recommend include Arctic Wolf and SentinelOne.
Phishing & BEC protection: Cybernite. We use this platform in-house and it has proven to be extremely effective at detecting phishing emails AND has a feature that will send employees test (aka simulated phishing) emails to teach us what to look for. NOTE: We track the success of detecting phishing emails and I am the clear winner at Arcas!
File Encryption: Actifile. Not only does Actifile allow for easily managed encryption, you can use Actifile to search your network for PII, SSNs, and other sensitive information.
GRC: CyberSaint is the industry go-to for small law firms. There are a number of emerging platforms, but we have not seen one as robust and flexible as CyberSaint.
PAM: Delinea &