The sensitive and often personal data that law firms typically retain make them attractive targets for cybercriminals. In 2021, according to an ABA report, 25 percent of respondents said their firms had experienced a data breach at some point. The fallout can mean more than costly fines or lawsuits; a breach erodes the trust clients place in a firm. Firms can mount numerous defenses against this evolving threat, but one of the simplest, and unfortunately one of the most often neglected, is staying current on software and operating system patches.
Patches are updates that software or operating system vendors issue to fix bugs and close security holes. They are usually available at no added charge, and installing them typically does not interfere with ongoing operations beyond an occasional scheduled reboot. Yet despite the ease of installation, many law firms and other enterprises do not stay current. The results can be dramatic, as demonstrated by one of many attacks: the global WannaCry ransomware "crypto worm," which in May 2017 spread to more than 200,000 Windows computers across 150 countries in a matter of hours.
After infecting a device, WannaCry encrypted its data and demanded a ransom payment; the resulting damage was estimated in the billions of dollars. The kicker was that WannaCry spread through a known flaw in the Windows SMBv1 file-sharing protocol (MS17-010) for which Microsoft had already issued a security patch two months before the attack, but many Windows users simply had not installed it.
There is no question that law firms, particularly solos and other smaller practices, are busy and would rather spend their time on billable matters, but that excuse will not matter to clients who ask why their trusted adviser's systems were compromised. In fact, there is no good excuse for falling behind on patches, especially since many outsourced IT support providers offer packages that automate hunting for and installing them.
And that is just the beginning. Automated agents can also monitor a firm's systems and devices for compliance, remediate a range of routine issues, and alert the IT support provider to anything that needs attention. Customized patch solutions can be built from the same pieces: an audit tool inventories the software installed on each system; a patch-management tool checks for missing updates, downloads them and installs them; and a compliance tool verifies that the patches actually took effect. That last step matters because a patch that was downloaded on time may still be waiting for a reboot or may have failed to install silently, and malware that has already gained a foothold commonly disables the update service without any obvious warning sign.
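The audit, gap-check and compliance steps described above, as an added example that is not part of the original article and not eMazzanti's own tooling: a PowerShell audit that inventories installed updates, asks the Windows Update agent which applicable updates are still missing, confirms that the SMBv1 protocol WannaCry abused is switched off, and flags a pending reboot. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later with a reachable update source (Microsoft Update or the firm's WSUS server); the `$RequiredKBs` baseline is a placeholder to be replaced with the firm's own list, and the script only reports, it does not install anything.

```powershell
# Added example (not from the article): patch-compliance audit for one Windows host.
# Report only. Assumes an elevated session, Windows 8.1 / Server 2012 R2 or later,
# and a reachable update source. $RequiredKBs is a placeholder baseline.

# Baseline: update IDs the firm's policy says must be present on this OS.
# KB IDs differ per Windows version; for example, the MS17-010 security-only
# update for Windows 7 SP1 was KB4012212. Fill in the IDs for the OS you audit.
$RequiredKBs = @('KB4012212')

# 1. Inventory: what Windows records as installed.
#    Get-HotFix reads Win32_QuickFixEngineering, which does not list every update
#    type (Defender definition updates, for instance), so step 2 complements it.
$Installed    = @(Get-HotFix | Select-Object HotFixID, InstalledOn)
$InstalledIds = @($Installed | ForEach-Object { $_.HotFixID })
$MissingKBs   = @($RequiredKBs | Where-Object { $_ -notin $InstalledIds })

# 2. Gap check: ask the Windows Update agent which applicable updates are not
#    installed. This is the query that automated patch tooling relies on.
$PendingTitles = @()
$SearchError   = $null
try {
    $Session  = New-Object -ComObject 'Microsoft.Update.Session'
    $Searcher = $Session.CreateUpdateSearcher()
    $Result   = $Searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $PendingTitles = @($Result.Updates | ForEach-Object { $_.Title })
} catch {
    # No update source reachable (or the update service is disabled): that is
    # itself a finding, so record it rather than silently reporting zero.
    $SearchError = $_.Exception.Message
}

# 3. Mitigation check: SMBv1, the protocol WannaCry exploited, should be off
#    even on a patched host.
$Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 4. A downloaded patch does nothing until the reboot that completes it.
$RebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$RebootPending = @($RebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

# Verdict: compliant only if nothing is missing, nothing is pending, SMBv1 is
# off, no reboot is outstanding and the update agent could actually be queried.
$Compliant = ($MissingKBs.Count -eq 0) -and ($PendingTitles.Count -eq 0) -and (-not $Smb1Enabled) -and (-not $RebootPending) -and ($null -eq $SearchError)

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    InstalledUpdates = $Installed.Count
    MissingBaseline  = ($MissingKBs -join ', ')
    PendingUpdates   = $PendingTitles.Count
    UpdateAgentError = $SearchError
    SMB1Enabled      = $Smb1Enabled
    RebootPending    = $RebootPending
    Compliant        = $Compliant
}
```

Run on a schedule from the monitoring agent and ship the resulting object to the IT provider's dashboard; any host reporting `Compliant = False` (or a non-empty `UpdateAgentError`, which is what a disabled update service looks like) becomes a ticket. The baseline check and the Windows Update query deliberately overlap: the baseline catches a specific update the firm has decided is mandatory, while the agent query catches everything else the vendor has released for that machine.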
Despite the danger that attackers represent, these kinds of managed security services often fly under the radar of law firms, primarily because initiatives like establishing basic security controls are not "glamorous" enough to attract a partner's attention until something goes wrong. Then, suddenly, it becomes a top priority. Firms that want to limit their exposure to cybercrime will stay on top of their patches, either manually or with an automated tool, and will likely avoid a lot of unnecessary cleanup expenses while protecting their reputation.
Carl Mazzanti is president of eMazzanti Technologies, a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].