Arm Yourself With Knowledge To Prevent a Cybersecurity Attack
The legal profession has undergone more technological adoption and change in the last two years than the last two decades.
The Commercial Division has issued rules endorsing the use of virtual depositions, major law firms have announced plans for indefinite work-from-home arrangements, and judicial proceedings are here to stay.
The benefits include an increase in diversity, equity and inclusion; improved access to justice; and reduced costs of litigation.
However, the increase use of technology has also led to a higher risk of cyberattacks.
To help lawyers understand and prioritize cybersecurity, the Committee on Technology and the Legal Profession has issued four key takeaways from its Third Annual Cybersecurity Thought Leadership Conference. The areas are: Insider Threats, Phishing, Cloud Technology Best Practices, and Security Assessment Vendors.
Every organization faces cybersecurity risks. Making sure you and everyone in your organization are aware of those risks and of the ways in which insiders can perpetuate – and minimize – them, is critical to mitigating the cybersecurity risks and potential losses your organization faces.
“Insider” threats, whether intentional or inadvertent, are a significant percentage of cybersecurity events. Insiders can be involved in breaches of personally identifiable information, can allow access to a firm or company’s computer systems, and can be unknowing participants in funds transfer frauds.
All entities, whether small or large, public or private, can and should take reasonable steps to anticipate such threats in their environments, prepare in advance as to how they will respond to threats that have been executed, and educate employees at all levels on how to recognize and avoid insider threats. Many of those steps are relatively low cost and require a commitment to a culture of cybersecurity rather than significant financial expenditures.
Business entities can take steps before an incident occurs to minimize the risk of a successful threat, to reduce the damages that can occur if there is an incident, and to comply with applicable legislative and regulatory cybersecurity requirements. Simple steps can include: developing policies and procedures to plan for and respond to insider threats and their aftermath; instituting multi-factor authentication for access to computer networks, and obtaining cyber insurance.
Phishing, whaling, oh my…
Phishing is the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in a communication. Phishing scams range in sophistication, from a shotgun approach to a highly targeted approach. Phishing is widespread and appears in text messages, robocalls, and emails. Whaling is often directed specifically at senior executives and other high-profile targets.
In 2019, one third of all data breaches involved phishing. Phishing is the most common way to penetrate a system.
But there are ways to reduce the risks. The successful efforts to reduce phishing come from establishing a culture of cybersecurity within the organization. Regular training and phishing tests can help users become the front-line defense for any of these attacks.
To establish a culture of being cyber aware, organizations must require frequent data security and social engineering training. Knowledge is the best prevention method that helps everyone learn the signs of malicious emails or the indications of an attack.
Implementing multi-factor authentication can decrease the risk of an account breach by 99 percent.
Best practices for cloud computing
Cloud computing is a delivery model for information technology (IT) services, permitting users the right to use computing and data storage services (both hardware and software) to access and store information and/or software functionality on remote servers owned or operated by third parties, usually through the internet or private networks.
Vetting cloud vendors must be handled carefully. Questions to ask include: Who has access to client data? Does vendor limit access to client data within its own company? Does the vendor maintain, implement, and comply with a written data and information security program?
Security assessment vendors
Security assessments are periodic exercises that allow companies, including law firms, to test their data security systems. Security assessment vendors are contractors who are retained by organizations to conduct assessments to test the organization’s security preparedness.
These vendors should be expected to know and follow industry standards in undertaking security assessments and reporting the results of assessments.
Attorneys should know enough to be able to satisfy themselves that the vendors they select to conduct security assessments are qualified and that the assessment is done in accordance with industry standards.
When applicable, there should be an acknowledgement by the vendor that it has been retained for purposes of assisting counsel to provide legal advice and that attorney-client privilege will apply to any communications made for those purposes.