Cybersecurity. It’s a buzzword on the tip of everybody’s tongue nowadays. In the legal world it’s an especially hot topic, because of the large amounts of confidential client data that firms handle every day.
Recent attacks have heightened concern and pushed firms to take a hard look at how well their data is actually protected.
Cybercriminals aren’t a myth. They exist, and they will steal, ransom, and destroy confidential data. The amount of data taken varies from incident to incident, but the harm to the firm and its clients is real either way.
No one wants to be the next cyber victim.
With the growing interest in cybersecurity, it’s important to make sure your firm’s understanding of it is accurate. Nobody wants to spend time and money on security practices that don’t work, and the danger is worse than wasted effort: ineffective controls create a false sense of security, so firms end up more exposed than they believe they are.
That’s why our security team has put together the top misconceptions about cybersecurity and how to ensure your firm has proper protection.
“Our firm doesn’t have the same risk as Equifax.”
Does your firm hold data? Then you’re a target. It’s that simple.
Don’t be in denial. Data is valuable no matter the size and makes your firm a target for a cybercriminal.
Client information is valuable, and clients need to know that you’re taking precautions to protect their personally identifiable information (PII). Even a small PII leak can trigger a legal obligation to notify affected individuals under state breach-notification laws, with the cost and reputational damage that follows.
Attacks like these are exactly why cybersecurity must be taken seriously. Firms that assume they are too small to matter are the easiest targets, and cybercriminals know it.
“New technology is too expensive.”
Firms may recognize the need for better cybersecurity but assume that a small IT budget prevents them from improving their security posture. This is untrue.
New technology alone doesn’t solve security problems; a firm can buy expensive tools and still be poorly defended. Process improvements, most of which cost little, make real progress toward better security. These include:
- Limiting access to sensitive information to the staff who actually need it (the principle of least privilege)
- Prioritizing the security budget based on the findings of a penetration test, so money goes to the weaknesses an attacker would actually exploit
- Ongoing security awareness training for all staff, not just a one-time session at onboarding
“Our IT director oversees our cybersecurity program.”
Over the last few decades it has become common for IT to be a separate department, or even outsourced to a vendor. This hard separation can cause problems, because cybersecurity is a concern for EVERYBODY, not just the people who run the servers.
Expertise in IT does not ensure expertise in cybersecurity. IT staff know how to keep systems running and how to meet the regulations and mandates that apply to them. A cybersecurity specialist, on the other hand, knows how to recognize intruders and other signs of criminal activity on the network.
Mitigating your firm’s cyber-risk requires coordination across roles. An effective program has an internal incident response team that bridges all departments. This team should include compliance and risk management, but it also needs input from front-line staff, who know where everyday workflows cut corners and where the real risk lies.
Insights from the team can help develop realistic practice drills that focus on:
- Individual staff responsibilities during a breach
- Containment and remediation steps for affected equipment
- Internal and external communication
- Securing the network, social media, and web credentials
- Recovery procedures
“We already have a cybersecurity manual in place.”
Often, after a prominent attack, companies scramble to develop a cybersecurity manual. Something is better than nothing, but these hastily developed manuals can provide a false sense of security. When scrambling to assemble a manual, companies have been known to simply download a stock template.
A generic template doesn’t reflect the firm’s actual systems, data, and people, so it leaves the firm underprepared and exposed. Worse, a downloaded manual skips the practice drills that writing your own plan would force you to run, so the plan is never tested against the firm’s real environment and nobody knows whether it works.
“We’ll need to change our procedures if ABA tightens cybersecurity rules.”
In recent years the ABA has been updating its reports and resolutions to reflect the importance of cyber-preparedness. As cybercrime advances, these policies will continue to evolve.
The newest resolution acknowledges that a single attack can have a massive impact on a firm. Cyber-specific incident plans are crucial, and staff at all levels “must be properly educated and trained with regard to his/her role before, during, and after an attack. Continuous education and incident plan improvement is also essential. This could include monthly cyber-preparedness meetings to discuss recent threats and to review the incident plan. Routine cyber exercises would also be effective.”
As discussed earlier, protecting clients’ confidential information should be a firm’s first priority regardless of what the current rules require. Failing to do so harms the firm and its clients alike. Stay current with the ABA’s guidance and the regulations that apply to you, and don’t wait for a rule change to fix gaps you already know about; the rules may well tighten, but the obligation to protect client data exists today.