The COVID-19 pandemic forced most law firms to conduct business in ways they had not done before. Many firms were forced to transition to work from home on short notice and were required to make the transition without ample time to consider best cyber practices. This situation is not ideal for law firms as lawyers are a main target of cybercrime. Cybercriminals have much to gain by accessing confidential, financial, and transactional information held by law firms.
Attorneys were not at the top of their cybersecurity game pre-pandemic. In 2019, the ABA conducted its Legal Technology Survey, noting that, “the biggest concerns from the ABA 2019 Legal Technology Survey were the poor—and worsening—cybersecurity approaches lawyers are taking to the use of cloud applications.”[1] The report further indicates that, “the lack of effort on security has become a major cause for concern in the profession.” Coupled with this lack of effort, the cause for concern is compounded by the results of a survey cited in the ABA 2019 Cybersecurity TechReport[2] which reports that 26% of the lawyers surveyed had experienced some sort of security breach in their law practice.
To make a vulnerable cyber situation worse, COVID-19 has accelerated cybercrime. Forbes.com reported that, in a report released on May 5, 2020, by security firm Mimecast, “Between January and March…spam and opportunistic detections increased by 26.3%, while impersonation was up 30.3%, malware by 35.16% and the blocking of URL clicks up by 55.7%.”[3] Here at ALPS, our information technology department reports the number of potentially harmful cyber activities identified by Zscaler rose from approximately 120,000 during the month of February 2020 to 4,331,833 during the month of April 2020.
Ethics and business considerations make today a perfect time for all lawyers to check-in on the adequacy of their law firm’s cybersecurity. The following list includes ideas for firms to assess their current cybersecurity risk and take steps to better protect both the law firm and its clients.
- Consider or reconsider security basics to include a frequent change of password with adequate password strength.
- Make sure firewall and antivirus applications are in place as a first line of defense.
- Begin cybersecurity awareness training. Training assists with understanding, identifying, and appropriately dealing with cyber threats.
- Encrypt web connection, email messages, and stored information.
- Use a virtual private network (VPN). Even if firm members are not using a public Wi-Fi network, a VPN for work from home is still a good idea and can better protect confidential information.
- Implement dual or multi-factor authentication for any work account.
- Consider purchasing a cyber policy, if your firm does not already have one, or take the time to evaluate the firm’s existing cyber policy coverages and options. Once the best cyber policy for the firm’s needs is in place, make sure the policy reporting requirements and coverage are understood.
- Establish an incident response plan aiming to identify risk, minimize damage, and reduce the cost of a cyber breach. Timeliness is a key factor with most cyber issues. The incident response plan is best established in conjunction with the firm’s cyber policy.
- Consider whether a secure client portal best serves the needs of the firm and the clients.
In sum, attorneys are not known for having the most up-to-date cyber practices to begin with and COVID-19 has significantly increased cyber risk. While there is no one-size-fits-all procedure for dealing with cyber threats, the list above should provide the framework to begin an assessment. At the present time, considering cyber issues and implementing procedures for dealing with cyber risk as a necessary component of any law practice.
—
[1] https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/cloudcomputing2019/
[2] https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/cybersecurity2019/
[3] https://www.forbes.com/sites/emmawoollacott/2020/05/05/exclusive-cybersecurity-and-covid-19the-first-100-days/#25da3e039d5d
Mark Bassingthwaighte, Risk Manager : Aug 3, 2022
