Welcome to 2012: Cybercrime is on the rise, and if data breaches, theft of proprietary information, hacking and malware incidents cannot yet be said to have become routine, they can hardly be considered unexpected. These problems are driven by exponential advances in computer technology, the explosion of data, the increase in its value on the black market, and the eye-popping storage capacity of small, inexpensive digital devices.

Recently, federal law enforcement officials have been quietly visiting major law firms to explain that they may be vulnerable, which makes sense given the confidential nature of the data law firms store on their information technology systems. Such warnings are underscored by recent headlines. For example, on Jan. 31, Bloomberg reported that in 2010, China-based hackers infiltrated the networks of at least seven different Canadian law firms, as well as Canadian government agencies. At this point, it’s fair to say that firms that fail to implement thoughtful and appropriate cybersecurity measures may well be held to answer in the wake of a serious data breach incident. While each law firm faces its own unique cybersecurity challenges, there are certain steps that all firms should take this year to reduce their cyberrisk.

1. GET EXECUTIVE LEVEL BUY-IN

Not all law firms view cybersecurity as a management-level issue. Indeed, to the extent law firms formally assign responsibility for incident prevention and response, these duties often go to IT managers on the assumption that “computer issues” should be handled by “computer people.” This approach simply fails to appreciate that computer security and information management are two entirely separate fields of expertise. IT managers may be perfectly competent to run a firm’s computer system without necessarily having the skills needed to prevent, detect and respond to cyberincidents. More importantly, however, IT managers cannot effectively protect a law firm’s data without management-level endorsement. If your firm is serious about reducing its risk profile, the issue needs to be addressed at the executive level.

2. GET RID OF WHAT YOU DON’T NEED