Whether you’re going to court or advising a client on a legal matter, success depends on preparation—good, thorough, highly disciplined preparation, to be precise. The better prepared you are, the more efficient you are, and the more efficient you are, the more likely your client is to return home at the end of the day with a smile from ear to ear.
The same is true for the basics of cybersecurity. The better prepared you are to prevent attacks on the electronic systems and devices you use in your legal practice, the more likely your clients’ sensitive data will remain safe (and therefore the more likely it is that this time you will be the one wearing that ear-to-ear smile).
Unfortunately, attackers are working long and hard every minute of every day in the hope of infiltrating and robbing your data vault. Hence, it is important that you put in place effective cyber security policies and procedures to thwart these criminals.
The Federal Cybersecurity and Infrastructure Security Agency (CISA) has kindly outlined these policies and procedures. From my point of view, as a provider of cybersecurity solutions, I can tell you that CISA’s advice is indeed correct.
CISA encourages you to create a “cybersecurity culture in your law firm.” This culture, according to CISA, does not come about in one big bang, but in about half a dozen small steps. Let’s take a look.
Cybersecurity Fundamentals: It all starts with you
You, CISA says, are the foundation of all cultural change affecting your office, and cybersecurity readiness is no exception.
So you have to get the ball rolling. Start by assessing how heavily your practice relies on information technology (so you can understand how much you need to invest in a cybersecurity solution that can adequately protect the sensitive data entrusted to your firm).
Next, you need to establish trusted external relationships, the most important of which is the one you develop with a cybersecurity company. These groups know all the tricks hackers and phishers rely on to break your defenses; going without one is like stepping into the boxing ring blindfolded, with both hands tied behind your back, and gum glued to the soles of every shoe.
Another benefit of your relationship with a cybersecurity company is that you don’t have to develop policies yourself. These services, mine included, have policy templates ready for you to adopt.
Train your employees to be vigilant
People who work for you are at risk of becoming victims of phishing and email compromise. The reason is that they just don’t know what to look for. Accordingly, training is an important part of cyber readiness at the staff level.
Staff training is central to my cybersecurity solution because, as data breaches have repeatedly proven, the weakest link in protecting a law firm from cyberattacks is usually employees with poor data hygiene due to a lack of knowledge (good data hygiene, by the way, includes things like requiring multi-factor authentication to log into computers and requiring password managers to create strong individual and shared passwords).
A word of caution: don’t think that staff training is a one-time annual event. This is something that should continue throughout the year. And it should be based on storytelling, which makes the instruction memorable (as opposed to rote memorization presented as a PowerPoint slideshow).
Know Your Systems
Do you know how many and what types of electronic systems are deployed in your office? Do you even know the exact location of these systems? If you’ve lost count (or worse, lost track of their whereabouts), you need to take stock immediately. Only then will you be able to assess which computers and devices are vulnerable to attacks due to outdated or corrupted software, or even software that doesn’t make sense to load on your systems.
Letting a cybersecurity company help you with this will greatly simplify the process of constantly monitoring your systems for vulnerable software and then quickly patching those security holes.
Don’t let anyone have access
A useful statement to include in your firm’s cyber policy manual is that only those employees who are in good standing and considered trustworthy should ever have access to the digital ecosystem you have created. Find out who is on your network, and then exclude all unauthorized users (a second policy, covering how to deal with users who leave your firm, are fired, or transfer from one department to another, will serve you well here). For those you do want to have access, your policy should be to grant authorization based on need to know and least privilege.
Also make it a rule that anyone who leaves their computer should first put it to sleep with the screen locked and use their assigned password, created by the password manager, to unlock the machine upon returning to it. The reason for this is that an unattended and wide-open computer screen presents a huge vulnerability: it’s all too easy for a disgruntled employee from another part of the office, who happens to be nearby, to flop into a temporarily vacant user’s chair and start accessing files that should be closed to them.
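The access policy above (good standing, exclusion of unauthorized users, handling of leavers and transfers, need to know and least privilege) is the kind of rule that only works if someone actually reconciles the accounts on the network against it on a schedule. The script below is an added example, not code from the article or from any product it mentions: it takes a constructed HR roster and a constructed account export, and produces the list of accounts to disable and group memberships to remove. The roster, account names, group names, the need-to-know map, the approved-admin list and the 45-day dormancy threshold are all assumptions made for the example.

```python
"""Periodic access review: reconcile directory accounts against the HR roster.

Added example with constructed data. Every account, group, department and
policy value here is an assumption made up for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: who is in good standing, and in which department.
ROSTER = {
    "alice": {"status": "active", "department": "litigation"},
    "bob":   {"status": "active", "department": "finance"},
    "carol": {"status": "terminated", "department": "litigation"},  # left the firm
    "dave":  {"status": "active", "department": "intake"},           # transferred from finance
}

# Constructed account export from the file server / directory.
ACCOUNTS = [
    {"user": "alice", "groups": ["litigation-files"], "last_login": date(2024, 3, 1)},
    {"user": "bob", "groups": ["finance-ledger", "admin"], "last_login": date(2024, 4, 28)},
    {"user": "carol", "groups": ["litigation-files"], "last_login": date(2024, 3, 2)},
    {"user": "dave", "groups": ["finance-ledger", "intake-queue"], "last_login": date(2024, 5, 2)},
    {"user": "temp7", "groups": ["litigation-files"], "last_login": date(2024, 4, 30)},  # not in roster
]

# Assumed need-to-know map: the groups each department legitimately needs.
NEED_TO_KNOW = {
    "litigation": {"litigation-files"},
    "finance": {"finance-ledger"},
    "intake": {"intake-queue"},
}
ADMIN_GROUPS = {"admin"}        # privileged groups always need an explicit approval
APPROVED_ADMINS = {"bob"}       # assumed: approvals are documented elsewhere
DORMANT_AFTER = timedelta(days=45)  # assumed policy threshold
REVIEW_DATE = date(2024, 5, 3)      # the day this constructed review runs


@dataclass
class Finding:
    user: str
    action: str   # "disable" or "remove_group"
    reason: str
    group: str = ""


def review_access(roster, accounts, today, need_to_know=NEED_TO_KNOW,
                  approved_admins=APPROVED_ADMINS):
    """Return the actions needed to bring the account list back in line with policy."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        # Nobody on the network without an HR record: unauthorized account.
        if person is None:
            findings.append(Finding(user, "disable", "no HR roster entry (unauthorized account)"))
            continue
        # Leavers and terminations lose access entirely.
        if person["status"] != "active":
            findings.append(Finding(user, "disable", f"HR status is {person['status']}"))
            continue
        # Dormant accounts are disabled; the owner can ask for re-enablement.
        if today - acct["last_login"] > DORMANT_AFTER:
            findings.append(Finding(user, "disable", "dormant account"))
        # Least privilege: strip groups the person's current department does not need,
        # which also catches access carried over from a previous department.
        allowed = need_to_know.get(person["department"], set())
        for group in acct["groups"]:
            if group in ADMIN_GROUPS:
                if user not in approved_admins:
                    findings.append(Finding(user, "remove_group", "unapproved admin privilege", group))
            elif group not in allowed:
                findings.append(Finding(user, "remove_group",
                                        f"not needed by {person['department']} (least privilege)", group))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        target = f"{f.user}:{f.group}" if f.group else f.user
        print(f"{f.action:13} {target:25} {f.reason}")
```

In the constructed data this flags the departed employee and the unknown account for disabling, the dormant account for disabling, and the group membership the transferred employee carried over from finance for removal. Running this against a real export is what turns the written policy into something a regulator or client can see is enforced.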
Data and system backup is vital
Data is surprisingly easy to lose (especially through malware and ransomware attacks). That’s why your availability plan should include provisions for backing up your data: daily is good, hourly is better, and continuous is perfect.
Regardless of your backup schedule, the process should be automatic—no one should have to remember to run the job at the scheduled time (because there’s a good chance that person will forget more than once).
In addition to backing up your data, make it a policy to back up your systems and make sure all such backups are protected electronically and physically (the smart move is to encrypt them before storing them in a secure location geographically remote from your office).
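An automatic backup is only worth something if you can tell that it ran on schedule and that the copy is intact before it leaves the building. The script below is an added example, not code from the article or from any product it mentions. It archives a constructed client-files folder, writes a SHA-256 manifest next to the archive, verifies the archive against that manifest, and checks the newest backup's age against an hourly or daily schedule. The folder contents, the timestamps and the schedule table are assumptions made for the example; encryption before off-site storage is assumed to be done by a separate tool and is not performed here.

```python
"""Automated backup job with integrity and freshness checks.

Added example with constructed data. Encryption of the archive before it is
shipped off site is assumed to be handled by a separate tool; this script only
creates, verifies and ages the backup.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Optional

# Assumed schedule table. "Continuous" protection is replication, not a scheduled job.
SCHEDULE_SECONDS = {"hourly": 3600, "daily": 24 * 3600}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".json")


def create_backup(source: Path, dest_dir: Path, now: float) -> Path:
    """Archive `source` and record its hash and file list so the copy can be verified later."""
    archive = dest_dir / f"backup-{int(now)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    with tarfile.open(archive, "r:gz") as tar:
        files = sorted(m.name for m in tar.getmembers() if m.isfile())
    manifest = {"archive": archive.name, "created": now,
                "sha256": sha256_file(archive), "files": files}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches its manifest and every listed file is present."""
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_file(archive) != manifest["sha256"]:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            present = {m.name for m in tar.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError):
        return False
    return set(manifest["files"]) <= present


def newest_backup_age(dest_dir: Path, now: float) -> Optional[float]:
    """Seconds since the most recent manifest was written, or None if there are no backups."""
    created = [json.loads(p.read_text())["created"] for p in dest_dir.glob("backup-*.json")]
    return None if not created else now - max(created)


def backup_is_fresh(dest_dir: Path, now: float, schedule: str = "hourly") -> bool:
    """Freshness check a monitor can alert on: a missed run shows up as a stale backup."""
    age = newest_backup_age(dest_dir, now)
    return age is not None and age <= SCHEDULE_SECONDS[schedule]


def run_demo() -> dict:
    """Build a constructed client-files folder, back it up, then exercise the checks."""
    now = 1_700_000_000.0  # constructed timestamp
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "client-files"
        (source / "matters").mkdir(parents=True)
        (source / "matters" / "smith-v-jones.txt").write_text("constructed sample content\n")
        (source / "retainer.txt").write_text("constructed sample content\n")
        dest = root / "backups"
        dest.mkdir()
        archive = create_backup(source, dest, now)
        results = {
            "verified": verify_backup(archive),
            "fresh_now": backup_is_fresh(dest, now + 600),
            "fresh_after_two_hours": backup_is_fresh(dest, now + 2 * 3600),
            "fresh_daily_after_two_hours": backup_is_fresh(dest, now + 2 * 3600, "daily"),
        }
        # Simulate corruption in transit: a single appended byte must fail verification.
        with archive.open("ab") as f:
            f.write(b"\x00")
        results["tampered_verifies"] = verify_backup(archive)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:28} {value}")
```

The point of the freshness check is that "automatic" still needs a watchdog: if the scheduler stops, the only signal is a backup that is older than the schedule allows, and the manifest check catches a copy that was damaged or altered on its way to the off-site location.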
Have a crisis response plan
You may have the best system and data protection on the planet, but there is still a possibility that a determined thief will break through it. In that case, you need to go into crisis response mode.
In response to a cyberattack, your first action should be to disconnect from the Internet. Your second action should be to contact your insurance company.
Of course, that call only helps if you took steps to obtain a cyber insurance policy before the attack. The beauty of this coverage is that it can save you from the disastrous consequences of a successful cyber heist: financial ruin, reputational damage, and possibly even suspension or loss of your license to practice.
Another step in preparing for a crisis is to make a list of the third-party individuals and organizations, as well as law enforcement agencies, that you should contact immediately after discovering a breach. One more step is to make a list ranking which systems should be restored first, second and third, depending on the nature and consequences of a particular attack.
Finally, you will need a communication plan that will guide you through the difficult task of informing the public (and your state council) that cyber crooks have managed to rob your data vault. And you will want to print this guide and keep it in an accessible place.
—
Cyber attacks can happen to you, whether your law firm is large or small. When it comes to online hacking schemes (which, by the way, are many and growing), no firm is exempt because of its size. Thus, you must be prepared for any attempt to steal data that you are legally and ethically required to protect.
Think of it this way. Usually the side that comes to the battle better prepared wins. Cyberthieves are prepared, very prepared. You can defeat them, but only if you are better prepared than they are.
Tom Lambott
CEO Boba Guard
This article was provided by Tom Lambott, a cybersecurity expert who has been in the tech support industry for over a decade. In 2019, Tom founded BobaGuard, which provides turnkey solutions for individual lawyers and small and medium law firms. In addition, Tom is also the CEO and Founder of GlobalMac IT, a recognized managed services provider specializing in serving Mac lawyers nationwide through the implementation of the Proven Process™.