Cybersecurity, the new “IT” word (see what we did there?), has everyone’s attention, from small firm lawyers to the BigLaw front office. It’s also the focus of the 2018 College of Law Practice Management (COLPM) Futures Conference, “Cybersecurity: This Way There Be Dragons.”
The Futures Conference, presented with Suffolk University School of Law, will take place Oct. 25-26 in Boston. While the two-day event is chock-full of useful information, one session in particular caught my attention: “Security as a Team Sport: Collaboration — An Essential Tool and a Security Hole.”
It raises an interesting question: Can all the departments that make up a law firm advance its cybersecurity efforts? Not just IT, but management, finance, human resources, marketing, PR?
The answer is yes.
Teaming Up to Respond to Cyberattacks
Futures Conference co-chair Sharon Nelson points to DLA Piper and its response to the NotPetya malware attack in June 2017 as one good example. NotPetya was a piece of malware disguised to look and act like Petya ransomware, but designed to spread quickly and destroy data rather than hold it for ransom. Other large corporations infected by NotPetya included international ad agency WPP, pharmacy company Merck and shipping giant Maersk.
The attack originated in Ukraine via a supposed update to accounting software opened by a DLA Piper user with administrative privilege. Once DLA Piper was attacked, it responded by proactively shutting down some systems and issuing two brief status announcements. “The firm had a plan in place and managed the crisis well. Its client relations team was on its game quickly, and systems that had not been engineered correctly underwent remediation,” says Nelson.
Such swiftness requires coordination, or, in a word: teamwork. Shutting down systems involved management and IT, as well as internal communications to ensure that employees did not log on or connect any devices to the network. Then there’s notifying clients, and being prepared to answer questions and address concerns, not to mention addressing the public.
Everyone has a role to play in cybersecurity incidents, even inadvertently triggering them. So how can law firms better prepare for cyber-threats?
Your goal, says John Simek of Sensei Enterprises, who is Nelson’s partner, is to create a “culture of cybersecurity.” And he has a simple solution: Train your employees.
“One way to get employees involved is through periodic training. Make the training mandatory. Provide food and beverages (lunch is always a good time). Ban the usage of all cellphones. The employees should be concentrating on the information and not checking email, texts or surfing the internet.”
Your training needs to cover various examples of phishing attacks and BEC (business email compromise), Simek says: “The phishing attacks are improving every day and the bad guys are even hiring native English-speaking personnel. That means the grammar and spelling will be spot on. At the end of the day, one training session in phishing attacks has been found to reduce your risk by 20 percent.”
Considering the amount of time DLA Piper systems were down, and how long the firm went without being able to bill a single hour or do any client work, time spent training employees on phishing attacks, and cybersecurity in general, is worth it.
Remember, however, that cybersecurity training is not a “one and done” kind of thing. Hackers continually try new things, iterate and adjust. Periodic training keeps your employees up to speed, and your firm better prepared.
Earning Client Trust — and Business
This begs another question: Can law firms use cybersecurity efforts as a way to distinguish themselves in the marketplace?
One obvious way to do so is to give presentations and write blog posts and articles about cybersecurity best practices. They’re quick wins and get your firm associated with security best practices. That can go a long way toward putting both current and future clients at ease.
And don’t forget to address cybersecurity issues when pitching new business. In “Notes on a Law Firm Pitch from an In-House Attorney,” Dennis Garcia, Assistant General Counsel for Microsoft Corporation, reminds law firms that cybersecurity is a top-of-mind issue for all in-house counsel: “During your presentation to in-house counsel be transparent about the steps your law firm takes to properly safeguard client information.”
But can you show clients, rather than just tell them?
Dennis Kennedy, a well-known legal technologist and a speaker on the “Team Sport” panel, says one good way to “show, not tell” your clients is to make your client-facing cybersecurity efforts visible. For example, says Kennedy, if you have a client portal, require strong passwords and regular changes of passwords, and offer multifactor authentication options. “Use client portals and newsletters to offer cybersecurity tips, introduce your cybersecurity team, and highlight your cybersecurity practices.”
Head to the Futures Conference
Take a look at the full agenda for “Cybersecurity: This Way There Be Dragons” here and, for more actionable items to secure your firm, register for the COLPM 2018 Futures Conference.