Cyber security is a serious issue for law firms – if a bit of an existential one. It’s hard to fight what you can’t see, and it’s even harder when you don’t even know what it is that you don’t see. However, as a profession, we certainly don’t set ourselves up to look good when the worst happens.
There are numerous challenges that any business faces in 2016, with defending from hackers being near the top of that list. Cyber security is a difficult issue. But it’s an area where lawyers and law firms tend to do pretty badly. Embarrassingly so. Here are 9 Ways Cyber Security will Embarrass Lawyers in 2016:
1) We Live in a “When, not If, You’ll Get Hacked” World
Most law firm cyber security plans revolve around the concept of “if” a cyber security breach occurs. While this isn’t necessarily a bad thing – after all, it shows they’re thinking about the possibility of a breach – this type of planning is necessarily incomplete.
First, planning for a possibility and planning for an eventuality require two different mindsets. Planning around “if” your law firm gets hacked lets the firm plan as though it might never, in fact, get hacked. Acknowledging that it will happen, on the other hand, forces decision makers to confront the tough choices they’ll have to make when it does.
Unfortunately, the likelihood of your law firm getting hacked is pretty high. As far back as 2011, 80% of the Am Law 100 had reportedly experienced a cyber security breach. (How much do you want to bet that number is higher today?) Sadly, most small businesses in the United States, law firms included, tend not to think of themselves as a target for hackers.
Don’t believe the data you have is valuable? If it’s valuable enough to claim attorney-client privilege, then you’re already losing this argument.
Sadly, it’s this mindset that has left our profession vulnerable, because…
2) Law Firm cyber security is generally insufficient…
That’s right, we have really poor cyber security policies and protections in place, as a profession.
First, most law firms in the United States operate on a partnership-based decision making structure. That’s fine, provided someone with decision making power routinely involves themselves in running the business, meaning the tasks that don’t make money today but ensure the ability to make money tomorrow. Cyber security is exactly that kind of task.
Second, even awareness of the risks hasn’t helped! While most lawyers accept that cyber security is a major issue, as of early last year, 72% of law firms hadn’t assessed what it would cost their law firm if they were attacked, and 51% have not sought cyber liability insurance for their risk. (A REALLY dumb move, by the way).
So law firms, even the smallest of which are in possession of valuable data, tend to be very unprepared for a cyber security breach, but…
3) … until a breach causes an overreaction…
Have you heard any of these from a partner at a recently-hacked law firm?
“The person who’s responsible for clicking on that email is getting fired.”
“We’re going to restrict internet access for our paralegals and assistants.”
“We’ll do whatever it takes to make sure this never happens again.”
It’s human nature to become defensive when attacked, particularly when we weren’t prepared for the attack. The Patriot Act, along with the numerous responses to the Charlie Hebdo and Paris attacks, are proof of that.
We must guard against overreactions for two reasons. On one hand, a knee-jerk rule usually restricts productive activities that had only a limited relationship to the vulnerability the hacker actually used. So the new rules likely stop your employees and lawyers from using tools that were good for your business, without closing the hole that mattered.
The other hand is considerably worse. Why? Because “whatever it takes” suggests that the law firm’s partners believe there’s something that can be done to make the firm invulnerable to a hacker. There isn’t.
However, the bigger danger is that you won’t have time to react in a timely fashion…
4) … once it’s finally discovered.
The truly scary idea is what happened with Target and the Office of Personnel Management. In those cases, the hackers were collecting information for months before they were discovered, and every month of undetected access multiplied the damage.
The biggest reason this threat is bigger than you think is the nature of our cyber security. In the 1980s, the best way to protect your system from hackers was to keep them out. Sadly, that’s still how we operate today. A better model for cyber security is home security. Lock your doors, of course, but assume someone can get in by other means, and set motion detectors inside.
Your cyber security is probably overly dependent on the perimeter, if it’s dependent on anything at all. You need to protect your doors, walls and windows. However, your cyber security also needs to be set up to detect intruders who are already inside. At a minimum, you should be warned when files are being changed or deleted at an unusual rate, or at unusual times, because that is what both a ransomware run and a quiet exfiltration look like from the inside.
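To make the “motion detector” concrete, here is an added example (not code from the original post or from any product it mentions) of the simplest useful version of that inside-the-walls alarm: a script that reads file-audit events from a document store and raises an alert when one account changes or deletes more than a set number of files inside a short window, or makes a change outside business hours. The log format, the paths, the user names and the thresholds are all assumptions chosen for illustration; the sample events are constructed, not taken from any real system.

```python
"""
Added example: a minimal "motion detector" over file-audit events.
It raises two kinds of alert:
  - RATE:      one account modifies or deletes at least N files inside a short
               window (the pattern of a ransomware run or a bulk cleanup).
  - OFF_HOURS: a change made outside the firm's business hours.
Log format, paths, user names and thresholds are illustrative assumptions.
"""
from collections import deque
from datetime import datetime, time

# Constructed sample events (not from a real system): ISO timestamp, user, action, path.
SAMPLE_EVENTS = [
    ("2016-01-12T09:14:02", "jsmith", "MODIFY", "/dms/clients/acme/brief.docx"),
    ("2016-01-12T09:20:45", "jsmith", "MODIFY", "/dms/clients/acme/exhibit_a.pdf"),
    ("2016-01-12T11:02:10", "pjones", "DELETE", "/dms/clients/beta/draft_v1.docx"),
    ("2016-01-12T23:41:00", "pjones", "MODIFY", "/dms/clients/beta/settlement.docx"),
] + [
    # 25 deletes by one account within 50 seconds: the "changed at a certain rate" case.
    ("2016-01-12T14:30:%02d" % (2 * i), "tempuser", "DELETE",
     "/dms/clients/gamma/doc_%02d.docx" % i)
    for i in range(25)
]

# Only destructive/altering actions count toward the rate and off-hours checks.
WATCHED_ACTIONS = {"MODIFY", "DELETE"}


def detect(events, rate_threshold=20, window_seconds=60,
           business_start=time(7, 0), business_end=time(20, 0)):
    """Return a list of (kind, user, timestamp, detail) alerts for the given events."""
    alerts = []
    windows = {}        # per-user deque of recent watched-event timestamps
    rate_alerted = {}   # per-user flag: one RATE alert per burst, not one per event

    # ISO-8601 strings sort chronologically, so sorting by the raw string is safe.
    for ts_str, user, action, path in sorted(events, key=lambda e: e[0]):
        if action not in WATCHED_ACTIONS:
            continue
        ts = datetime.fromisoformat(ts_str)

        # Off-hours check: a watched change outside business hours is suspicious on its own.
        if not (business_start <= ts.time() < business_end):
            alerts.append(("OFF_HOURS", user, ts_str, f"{action} {path}"))

        # Rate check: keep only this user's events inside the trailing window.
        win = windows.setdefault(user, deque())
        win.append(ts)
        while (ts - win[0]).total_seconds() > window_seconds:
            win.popleft()

        if len(win) >= rate_threshold:
            if not rate_alerted.get(user):
                rate_alerted[user] = True
                alerts.append(("RATE", user, ts_str,
                               f"{len(win)} changes in {window_seconds}s "
                               f"(threshold {rate_threshold})"))
        else:
            # Burst is over; allow a fresh alert if the account starts again.
            rate_alerted[user] = False
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script produces exactly two alerts: a RATE alert for `tempuser` at the twentieth delete, and an OFF_HOURS alert for `pjones` at 23:41. The two ordinary daytime edits by `jsmith` and the single lunchtime delete by `pjones` stay silent, which is the point: the alarm fires on behaviour, not on the mere fact that files changed. The thresholds are the part a firm has to tune against its own normal workload; too low and the paralegals trip it every afternoon, too high and a slow-moving intruder never does.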
Usually, you learn some things from the experience of others, but…
5) There is a “Culture of Silence” when it comes to cyber security breaches
Nobody wants to be hacked. That’s a given. It’s a crappy experience that might raise questions about your law firm.
However, while many major businesses have statutory obligations to report any breaches, there’s little guidance about law firms. As a result, you may be wondering why you’re the only law firm to have been hit. It’s something I’ve heard – “Why haven’t I heard about this happening anywhere else.”
It’s because, according to one study, only one third of hacked firms even reported the breach – to their clients.
Nobody wants potential competitors to know that they’ve been the victim of a cyber attack. The biggest reason that mindset is a problem is because it automatically assumes that the law firm’s security was somehow inadequate. In criminal law, that’s referred to as “blaming the victim.”
However, unfortunately, very few people will come forward to offer up that they’ve been hacked, even if you do, which means…
6) You don’t know if your Cyber Security setup is reasonable
Yeah, you may put cyber security protections in place, but the only thing you actually know is that those policies exist. Even if you hand total control of your law firm’s systems to your IT consultants, you’re merely substituting their judgment for yours.
Knowing whether you’re meeting your obligation to provide reasonable protection is difficult because this is just an area that lawyers aren’t great at. Hell, general IT professionals aren’t all that good at it either. It takes people who specialise in IT security to even reach the point of making that judgment.
So they could tell you that your setup is “reasonable,” except that…
7) For Cyber Security, “Reasonable Steps” is a Moving Target
Yep, you have ethical duties that require you to take “reasonable” steps to protect your clients’ confidential information. As with the rules of negligence, several states have decided to employ a fact-based inquiry to determine whether or not your security steps met your ethical duties.
That’s a bad thing for a couple of reasons. First, it leaves lawyers without any defined minimum standard for security until a high-profile case manages to go through the process. Second, it leaves an ethics board of a state bar to make the decision as to what is or isn’t reasonable when it comes to cyber security.
You might say that it’s not a big deal, provided that the ethics panel relies on expert testimony. Well…
8) Even Cyber Security experts disagree on the biggest threats and best responses
How are we to know what security measures to implement if the experts don’t? From “6 Hard Truths Security Pros Must Learn to Live With”:
“I frequently ask IT security personnel to list every computer security defense they’re implementing at their company, the money spent, and the staff resources dedicated to each project and operation. I then ask them to tell me the most common ways their company is exploited. Rarely do I hear two answers that are the same. If the IT security employees don’t agree on what’s wrong, how can you efficiently defend your environment?”
Feeling safer? I didn’t think so.
But, in the end, that’s ok, because…
9) Even the Best Cyber Security can be breached
That same article discusses the possible solutions to cyber security breaches:
“Each security solution you buy addresses a particular set of threats on a particular set of platforms. Each tries (imperfectly) to thwart a certain problem sticking its head out of a particular hole. Meanwhile, the nimble hacker moves to the left and starts a new hole. It’s a game of digital whack-a-mole that defenders will never win.”
In the end, there is no permanent solution to cyber security vulnerabilities. Even if one existed, a new exploit or vulnerability would be identified the next day. All you have to do is add a new iPad to your network or install a new piece of software on your system, and new vulnerabilities will exist.
The real question you should be asking, then, is how can you best protect your clients’ information, while acknowledging that there’s no system that will completely prevent hackers from getting past your security.
“Security isn’t cheap, and when you’ve historically underinvested in security, what it takes to catch up in both technology investment and human capital is expensive.”
– James Carder, CISO at LogRhythm and vice president of LogRhythm Labs.
Unless you’re willing to go completely off the grid.
About the Author
Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.