
Since the “Panama Papers” breach, in which 11.5 million confidential documents and 2.6 terabytes of client data were stolen from law firm Mossack Fonseca, a greater emphasis has been placed on law firm cybersecurity. The breach, however, wasn’t an isolated incident. As noted in the 2015 American Bar Association (ABA) Legal Technology Survey Report, 15 percent of law firms have experienced a breach. And yet, almost half of attorneys say their firms have no response plan in place.

Given their abundance of valuable information, law firms are great targets for cybercriminals. When it comes to midsized firms, their organization’s protection level is weaker than that of larger enterprises, and many do not have the resources to buy the tools or hire the staff to properly protect their organizations. On top of that, firms often find themselves woefully behind what’s recommended by the ABA.

While other verticals such as health care or financial services have had to deal with security concerns for years, the legal industry does not have any form of industry-specific compliance that mandates security policy, leaving firms beholden to state personally identifiable information (PII) laws and client compliance requirements.

Regardless, there are several things midsized firms should do now to shore up their cybersecurity posture:

1. Evaluate security now and every year to determine how well network security is managed. Poor security hygiene and bad employee behaviors can lead to an increase in phishing and cyberattacks. Firms should create a cybersecurity committee with players from IT, compliance, management and security to take responsibility for the ongoing cybersecurity of the firm, including the implementation of cybersecurity policies. The team should be led by a senior partner in the firm and could actually be the audit committee. Additionally, the team should conduct a yearly security risk assessment; the NIST SP 800-30 is a great guidepost. Finally, firms should test their security with outside experts to try to find holes that bad actors could exploit. The tests should include penetration testing, vulnerability assessments and social engineering testing.

2. Adopt security policies such as those from the Office of the Comptroller of the Currency, which oversees financial services companies. It has started focusing on the cybersecurity policies and procedures at law firms to ensure their data is being adequately protected. Clients want to see that policies and procedures exist and, more importantly, are being followed. Policies to consider include acceptable use, business continuity and disaster recovery, remote access, employee termination and outprocessing, password, encryption and bring-your-own-device (BYOD) policies.

3. Get cyber liability insurance that includes coverage for both first-party and third-party risks. The policy should cover a breach that occurs on a noncorporate unencrypted asset such as a home computer, since many law firm employees work at home. The policy should also cover data if it is breached while it is with a third party; remediation of a breach; regulatory actions against the firm; payment card industry liabilities; and identity theft resolution services. The contingencies in the insurance contract should also be well understood.

4. Conduct mandatory security training to keep everyone advised of new security threats and underscore the need for vigilance, including being watchful for suspicious emails, texts, hyperlinks, etc., as well as social engineering ploys. Do not let firm executives get out of getting this same training.

5. Create an incident response plan (IRP), ensuring that someone is formally designated for managing the firm’s incident response. NIST has published a “Computer Security Incident Response Guide” that can help firms develop appropriate policies and procedures. I also wrote a blog post on this recently. The plan should include the outside attorney (data breach lawyer) responsible for supporting the firm when a data breach occurs; the firm’s personnel responsible for each item in the IRP; the cyber insurance policy and the contacts at the insurance agency; the number for the local FBI office and any other government agency responsible for cyber incidents in the agency’s jurisdiction; the name and number of a cyber forensics specialist; the process for containment and recovery of the breach, and for determining what was lost and the potential damage of the loss; what system logs to preserve and how to preserve them for forensics purposes; the process for communicating with employees, customers and suppliers of the firm; and a link to the state data breach notification laws for your firm’s offices. Practice by running through exercises with the incident response team at least once a year to ensure that the processes are working as expected.

6. Secure the perimeter with a managed firewall and intrusion prevention system. Ensure all network devices (servers, routers, Wi-Fi, switches, firewalls, etc.) with access to the internet have updated firmware and/or patches and difficult-to-guess administrative passwords that are changed often. All servers should only have the services and/or ports open that are required by the applications supporting that system’s users. In addition, any server application built with open source software should have a full bill of materials listing every open source library contained in the system, and the updates for each of those libraries should be managed. Finally, access to these systems from other countries should be blocked at the firewall.

7. Secure the network from damage from unintentional threats caused by employees of the firm. Ensure computers do not have administrative privileges by default. Do not let users download items freely from the internet, and invest in a content-filtering solution to control what sites users can access on the internet. Make sure there is a process to keep users’ operating systems, applications and support applications patched. Try not to enable risky software such as Adobe Flash or Oracle Java, as they are primary targets for ransomware. If you need them, be sure to keep them up to date, as the older versions are highly vulnerable to attack. Provide offline backup facilities for users’ data in case they get ransomware. If you allow BYOD, consider investing in a mobile-device-management solution and ensure the phones can only connect to a guest Wi-Fi. Consider which mobile phone operating systems are allowed to connect to the network, as many Android devices have numerous security vulnerabilities. Keep anti-virus software up to date and consider investing in an endpoint protection technology.
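As an added example for item 6 (not part of the original article), this Python script audits a server’s listening ports against the short allow-list of ports its role actually requires, treating loopback-only listeners as unexposed; the hostnames, allow-list and `ss -tlnH` output below are constructed, and on a real Linux host you would feed it the actual command output.

```python
import re

# Constructed allow-list (hypothetical hosts): the ports each server's role
# genuinely needs; anything else bound to a non-loopback address is exposure.
ALLOWED_PORTS = {
    "dms-web-01": {443},        # document management web front end
    "mail-01": {25, 587, 993},  # SMTP, submission, IMAPS
}
MGMT_PORTS = {22}  # SSH expected everywhere, but should be network-restricted

# Constructed sample output of `ss -tlnH` (Linux iproute2) for the two hosts.
SAMPLE_SS = {
    "dms-web-01": (
        "LISTEN 0 128 0.0.0.0:443 0.0.0.0:*\n"
        "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
        "LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*\n"  # PostgreSQL on loopback: fine
        "LISTEN 0 128 *:8080 *:*\n"                # forgotten test listener
    ),
    "mail-01": (
        "LISTEN 0 100 0.0.0.0:25 0.0.0.0:*\n"
        "LISTEN 0 100 [::]:587 [::]:*\n"
        "LISTEN 0 128 [::1]:6379 [::]:*\n"         # Redis on IPv6 loopback: fine
        "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
    ),
}

# Local address column: "[v6addr]:port" or "v4addr:port" ("*" means any).
LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")
LOOPBACK = {"127.0.0.1", "::1"}

def exposed_ports(ss_output):
    """Ports listening on a non-loopback address, parsed from `ss -tlnH` lines."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        m = LOCAL_RE.match(fields[3]) if len(fields) >= 4 else None
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        if addr not in LOOPBACK:
            ports.add(int(m.group("port")))
    return ports

def audit(host, ss_output, allowed=ALLOWED_PORTS, mgmt=MGMT_PORTS):
    """Return (unexpected, missing): exposed ports no role requires, and
    required ports not listening (a stopped service is also a finding)."""
    required = allowed.get(host, set())
    open_ports = exposed_ports(ss_output)
    return sorted(open_ports - required - mgmt), sorted(required - open_ports)
```

Run against the constructed samples, the web server reports port 8080 as unexpected and the mail server reports 993 as a required service that is not listening; an unknown host has no allow-list, so every exposed port is flagged.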

No one has been educating midsized firms about security. Many executives believe that firewalls and anti-virus software will protect them from a bad actor exploiting their organization. And while that is partially true, the biggest issue is not a bad actor breaking in, it’s an employee unintentionally letting the bad actor in without knowing they did. Firewall and anti-virus protections are still necessary, but they are not enough in today’s cyber threat landscape. Midsized firms must move forward and build a robust security infrastructure both from a policy perspective and from a technology perspective or they will lose customers either due to lack of controls mandated by those customers or due to reputation loss after a serious breach.

Scott Suhy is the CEO of NetWatcher.