How can lawyers find cybersecurity solutions that work for them?
Once the assessment is completed, law firms must put a cybersecurity plan into place. But do they know what they’re doing when it comes to setting up a plan and picking from among the plethora of privacy and security options?
Law firms face an array of options. Big tech companies, such as Cisco and IBM, have expanded their cybersecurity services and products. On top of these cybersecurity portfolios, boutique privacy and security businesses offer their own services and devices. So it can be challenging for law firms to determine their best route for protecting data.
“It’s like anything else—you have to pick carefully,” says Westby. “First, understand your needs. Then try to find the right match. Check which companies have won awards. Look at their personnel, and ask for references.” She advises that firms looking at small cybersecurity companies “pay close attention to the people in charge and their track record.”
“If a company says something that sounds too good to be true, it may be,” Westby says. “On the other hand, a small company with good personnel and a good reputation could be the right fit for your firm.”
John W. Simek, vice president of Sensei Enterprises Inc., a cybersecurity firm in Fairfax, Virginia, says what no lawyer wants to hear: There are no easy answers. There is no single piece of technology or even multiple products or services that can protect your data from breaches. So any company that says it can completely protect information isn’t telling the truth, Simek says.
“People think it’s like the old days. You can just buy anti-virus software and be protected,” he says. “One piece of technology will not be your silver bullet. ... We can’t keep the folks out anymore. Building the wall by itself doesn’t work.”
According to Simek, companies and law firms—no matter their size—must now be focused on more than just keeping threats out. They must also be able to quickly detect and react to threats when they occur.
Another concern is that some companies purporting to offer data protection might actually be vulnerable to attacks themselves. When choosing among cybersecurity options, how can a law firm avoid increasing, rather than decreasing, its vulnerability?
Bob Siegel, president of Privacy Ref, warns of privacy-related product companies that developed their software for one purpose—and then try to claim it can do more than originally intended.
“Sometimes companies stretch the abilities of the functionality they provide to try to meet their prospect’s needs,” says Siegel. “So my advice is, if you are looking at a privacy product, make sure the vendor demonstrates that it can do what they say it can do.”
Pick a company, Siegel advises, that understands not just the legal industry but also the way your firm is managed and business is conducted. “If the privacy and cybersecurity protocol gets in the way of business, employees are likely to ignore what they are supposed to do,” he adds.
ONE SIZE DOES NOT FIT ALL
Cybersecurity experts also emphasize looking for the most affordable but reliable way to meet your company or firm’s specific needs.
For example, Levine says, there is technology out there that may be ultrasophisticated and able to pinpoint exactly who is trying to attack your company. “That’s nice technology, but can you afford it or is your money better spent somewhere else?” Levine asks.
Simek’s advice to small law firms: Don’t pay for services intended for multinational law firms. This means, says Simek, “stay away from the big guys. They are too expensive for you. They are for the major law firms.”
Simek also advises lawyers to attend continuing legal education classes that are now being offered on cybersecurity and related topics.
In fact, there is one area in which law firms should not be stingy: employee training. A law firm’s carefully crafted cybersecurity can be useless if an employee is unaware of the firm’s security protocol.
Law firms, experts say, should prioritize hiring outside security companies to conduct a variety of safety and privacy training for their employees. Training should include making employees aware of the impact on the firm and its customers when they ignore cybersecurity protocol.
“The first line of defense and the weakest link is the human factor,” says Levine. “Everybody can buy firewalls and anti-virus software, but the easiest breach still comes from that pesky email someone clicks on.”
Unfortunately, despite all these best efforts, even the smallest law firm may still have to handle the fallout from a cyberattack.
The Verizon Data Breach Investigations Report found that last year, 61 percent of cyberattacks targeted smaller companies. In addition, according to UPS Capital, cyberattacks can cost small businesses between $84,000 and $148,000, and 60 percent of small companies go out of business within six months of a cyberattack.
Given the likelihood that even the best-protected company will be breached, cybersecurity experts advise every law firm to buy cyber insurance.
“Most of the premiums are highly negotiable,” Levine says. “If you don’t have a policy in place, repairing the damage from a breach could easily run in excess of a million dollars. For some companies, a breach like that could wipe them out.”
This article was published in the May 2018 issue of the ABA Journal with the title "Big Business: With so much money at stake, it’s no surprise that cybersecurity is a rapidly growing industry—so how can lawyers find what works for them?"