Law firms can learn from other industries' missteps on cybersecurity awareness and prevention
Doctors and Lawyers
Unfortunately, the biggest cybersecurity transgressors are often the people who think they have more important matters to concern themselves with than the protection of information, Chon says.
In the health care industry, he says, it is the doctors, not the administrative staff, who can be most resistant to cybersecurity awareness. The problem, he says, is that doctors often operate in a “VIP mode.”
To put it bluntly, says Chon, “doctors often put the convenience and speed of accessing patient records above the safety of patient information, and nobody wants to correct them.”
“Think of the last time you went to an emergency room. What did the doctor do? The doctor pulled up your medical records while seeing you,” Chon says. “Your personally identifiable information was probably in plain sight of everybody else—and anybody could have just walked up to the terminal and gotten access.”
Hospitals and medical offices have had to focus on training doctors on the importance of ensuring the safety of medical information. And senior partners, he adds, aren’t much different than doctors.
“They tend to operate with a sense of privilege, the same way doctors can,” says Chon. Therefore, when law firms are establishing and reinforcing their cybersecurity protocols, partners need to be leaders, not rule breakers, by following the same procedures that apply to associates and administrative staff.
No Silver Bullet
According to Verizon’s 2018 Data Breach Investigations Report, businesses need to be especially alert for ransomware attacks, which are often disguised as a file an employee is tricked into downloading. Businesses such as banks have been specifically targeted for ransomware attacks.
Employees need to be trained in proper data security protocol and must understand that cybersecurity should always be a top priority, says Michael Mason, chief security officer at Verizon Communications.
“It is important to develop a culture of security,” Mason says. “Bake it in on the front end as you grow your firm.”
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
That culture extends to third-party vendors. Law firms also must make sure that the companies they do business with have adequate cybersecurity safeguards in place, as well as a culture of security.
For instance, in 2013, Target found itself in a public relations tailspin when hackers stole massive amounts of sensitive payment card data. In the end, it turned out that the attackers gained access to Target’s network with a username and password stolen from an HVAC company that had serviced Target.
“When you hire a baby sitter for your child, what sort of background check do you use? Hopefully, something so precious is not put into the hands of strangers without a background check,” Chon says. “Your firm’s data is also precious.”
There is, according to cybersecurity experts, a plethora of experienced outside consultants to help law firms with risk assessments. Once a third-party vendor has been vetted and hired, says Chon, it’s not over. Every year, a law firm should still conduct risk assessments to ensure that the vendor is maintaining its data security protocols.
Michelle Dennedy, vice president and chief privacy officer at Cisco Systems Inc., says law firms should be examining the vulnerability of information from every case that has been closed but is still kept in storage.
“How are we managing the storage and deletion of data so we are not exposing information at the end of its life cycle?” Dennedy asks. “There’s technology to help delete information that is left exposed long after you are done utilizing it.”
To Mason, the most important lesson for lawyers is the same one businesses have had to learn through their mistakes: Cybersecurity must be a way of life. Never stop paying attention.
“At the end of the day, you can never put your silver bullet on the table and say, ‘My work is done’ and go riding off into the sunset,” he says.
“You need people who are being constantly trained and updated. You need to be constantly aware of what tools and services are coming into the marketplace.”
This article was published in the September 2018 ABA Journal magazine with the title "Outside Help: Other industries are well ahead when it comes to cybersecurity awareness and prevention. What can the legal industry learn from them?"