Crisis Communications: Protecting law firm data and reputation: A guide to cybercrime mitigation, Part II

By Gina F. Rubel

This is the second in a series on the basics that law firm leaders must know about cybercrime.

Whether it is identifying ransomware, phishing schemes, and data breach threats, or rolling out robust cybersecurity measures, comprehensive risk management strategies, tabletop exercises, and heightened internal awareness campaigns, the goal is the protection of your reputation and data, and most importantly, of your clients.

Part I surveyed the growing cyber threat landscape. Part II provides six proactive measures to prevent cyber incidents in law firms.

The astronomical toll

Cybercrime is a full-time job for cybercriminals. According to Cybercrime Magazine, the landscape will continue to evolve rapidly, with businesses facing increasingly sophisticated threats. The magazine projects the global cost of cybercrime at a staggering $9.5 trillion this year.

As criminals continuously develop new tactics, a proactive approach helps to keep your defenses strong, resilient and relevant. Implementing and regularly updating security protocols and robust cybersecurity policies are essential for safeguarding against such threats.

  1. Audits, assessments, and vulnerability testing

Regular cybersecurity audits and assessments, including vulnerability scans and penetration testing, help identify and mitigate security risks within a firm's network. These measures uncover weaknesses in systems, applications, and processes before malicious actors can exploit them. Vulnerability scans systematically search for known weaknesses such as missing patches and misconfigurations, while penetration testing simulates real-world attacks to evaluate how the existing defenses hold up. A finding is only useful if it is fixed: track each one to remediation, then retest to confirm the fix. These assessments help firms stay ahead of emerging threats, ensure compliance with industry standards, and continuously improve cybersecurity.

  2. Cyber policies and protocols

Law firms should create understandable and meaningful protocols. Overbroad cybersecurity policies are common, but they are a mistake. Employees need to know which parts are relevant to their work and how to comply with the overall policy. Every member of the firm's team, from the receptionists and paralegals to the associates, partners and business professionals, has a part to play in the defense system. Robust password protocols, meaning long, unique passwords kept in a password manager and paired with multi-factor authentication, should be in place to protect sensitive client information and maintain cybersecurity standards.

  3. Employee training and awareness

Cybersecurity training must be part of risk management strategy, and leadership training should include C-level preparation, such as tabletop exercises. Law firm leaders must also reconsider current employee training practices.

According to the World Economic Forum, 95 percent of cyberattacks involve some form of human error, and 43 percent of data breaches are caused by insider threats. Research from KnowBe4 found that when employees received a once-a-month phishing simulation, the share of employees clicking on the simulated phishing email fell from about a third to 17.6 percent. Some of the more recent and infamous breaches, such as the September 2023 attack on MGM Resorts, began with employees (in that case, the IT help desk) falling for vishing, that is, social engineering over the phone. This indicates the need for continuous social engineering training that keeps pace with the most advanced threats. Not all employees understand that answering the phone and acting on a caller's request can be as damaging as clicking on a link in an email or text message.

  4. Cyber insurance

Law firms should carry cyber insurance to mitigate the significant financial and reputational risks caused by cyberattacks. Cyber insurance covers costs arising from a cyber incident, including legal fees, forensic investigations, notification of affected clients, business interruption, and reputation management. Read the policy's conditions closely: insurers increasingly require specific controls, such as multi-factor authentication and tested backups, and a claim can be reduced or denied if those controls were not actually in place. In addition, many cyber insurers provide access to training modules, testing platforms, and tabletop exercises.

  5. Tabletop exercises

These exercises, which simulate real-world scenarios in a controlled environment, enhance a firm’s ability to respond effectively should an actual event occur.

  • Test response plans. Verify that the firm's incident response plan is comprehensive and actionable. Identify weaknesses or oversights in the plan to ensure that all aspects of a potential breach are covered.
  • Enhance coordination. Foster better communication and coordination among different departments, which is crucial during a real incident when swift, coordinated action is required.
  • Increase preparedness. Increase the preparedness of all involved to ensure quick and efficient responsiveness in the event of a breach. This can significantly reduce the impact of a cyber incident.
  • Identify training needs. Reveal areas where staff may need additional training or resources.

  6. Technology defenses

One way to reduce human error comes from an increasingly sophisticated technology, artificial intelligence. While unsanctioned AI use is quickly becoming a "shadow IT department nightmare," some companies, like LinkedIn, have embraced AI by deploying live cybersecurity training bots.

  • Chatbots: LinkedIn's cybersecurity chatbot answers employee questions in real time to thwart social engineering attempts. The chatbot answers questions 24/7 and provides consistent, clear security guidance.
  • Data encryption: Data encryption is crucial to safeguard firm and client information. Encrypting sensitive data both in transit and at rest protects it from unauthorized access even if a device is lost or a system is breached, provided the keys are kept separate from the data.
  • Multi-factor authentication (MFA): MFA requires users to provide two or more verification factors to gain access to a system, application or account. Not all factors are equal: one-time codes sent by text message or read from an app can still be phished or talked out of an employee over the phone, so prefer phishing-resistant factors such as FIDO2 security keys or passkeys for email, document management and remote access.
  • Zero trust architecture: Consider adopting a zero trust security model, which operates on the principle of "never trust, always verify." This approach requires continuous verification of user identity, device health and access rights, regardless of whether the user is inside or outside the network.
  • Regular updates and patch management: Ensuring that all software and systems are regularly updated and patched is a critical defense against known vulnerabilities, which are the ones attackers exploit most often.

Whether your law firm has the budget to invest in a cybersecurity chatbot or simply to hire an IT professional who understands cybersecurity threats, investing in security technology and making use of advanced tools and services is essential for crisis planning and incident response.

Gina Rubel is the CEO and general counsel of Furia Rubel Communications. She educates professionals on devising and implementing strategic communications plans to manage their reputation, develop and attract top talent, and drive business success. She is the host of On Record PR. Gina can be reached on LinkedIn at https://www.linkedin.com/in/ginafuriarubel/.
