Cyber Security: A primer for lawyers

By Carl Mazzanti

As if legal practitioners did not have enough on their plate, cyber thieves have found that law firms, particularly small and medium-sized practices, are ripe for the picking. Ransomware attacks in general are rising: companies were affected by ransomware every 14 seconds in 2019, and every 11 seconds by 2021, with more than half of attacks targeting businesses with fewer than 100 employees.

Small and medium-sized law firms are prime choices for encryption ransomware and data exfiltration extortion attacks, according to published reports. The reason is simple: smaller professional service firms typically do not have the budget for big-ticket cyber security defenses. The numbers are daunting: in 2022, the overall ransom asked by attackers increased by 60 percent, up to $178,000 on average. By the end of 2021, $11 billion was paid to ransom criminals and in 2022, the average cost of attacks in downtime alone across industries was $283,000.

Fortunately, law firms and solos can partner with a qualified cyber security managed services consulting service to mount defenses and protect their valuable data from cyber criminals. Unfortunately, however, many lawyers feel challenged when it comes to identifying a good cyber security provider, and an aggressive advertising campaign alone should not be the deciding factor in making the selection.

A basic step in matching a firm with a sound cyber security provider is to develop a framework, or outline of the legal practitioner’s positioning and needs. One consideration is what, if any, regulations apply to the firm or its clients. Common categories include:

  • HIPAA (Health Insurance Portability and Accountability Act of 1996) — a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
  • PCI DSS (Payment Card Industry Data Security Standard) — an information security standard for organizations that handle branded credit cards.
  • NIST (National Institute of Standards and Technology) — a federal agency that develops cyber security and other frameworks and standards.
  • CMMC (Cybersecurity Maturity Model Certification) — a Department of Defense initiative to develop a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.
  • ISO (International Organization for Standardization) — an international body that develops standards defining specifications and requirements for products, processes, services, and systems.

Law firm partners and solos could question a prospective cyber security solutions or IT support services provider about the depth of their experience concerning the above categories and others, as needed, to ensure their background and capabilities align with those of the firm. In doing this, a firm or solo may wish to develop a template, or basic framework design, to ensure that all the needs of the firm and its clients are addressed.

The process should not be rushed, since the framework is built up iteratively. While it is important to move the development along in a timely manner, perhaps addressing one issue or step a week, the individuals and teams involved should also remain flexible and be diligent about addressing all potential exposure.

Firms should keep in mind that hackers love a good-paying customer, so a business that suffers a ransomware attack and pays up is likely to be struck again. To guard against a “first-time incident,” a firm’s framework checklist for a current or proposed cyber security provider should include the agency’s ability to deploy automated “eCare Agents” that can address a variety of layers of security. Among those layers are email filtering, 24×7 monitoring, and such features as firewall geo-blocking that can restrict access based upon an outside user’s geographical location. For example, if a law firm is not doing business in Russia, it may be prudent to block any traffic originating from there.

The goal is to develop an effective cyber security deployment that blocks malware, botnets, and phishing over any port, protocol, or app, and that also detects and contains advanced attacks before they can cause damage. Such deployments often use DNS (Domain Name System) filters to block known malicious websites and to filter out harmful or inappropriate content.
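The two filtering layers named above, DNS filtering and firewall geo-blocking, are simple to model. The following Python is an added illustration written for this primer; it is not code from the article or from eMazzanti Technologies, and every domain, IP range, and country assignment in it is constructed for the example. A real deployment would pull its blocklist from a threat-intelligence feed and its geolocation data from a maintained IP-to-country database.

```python
"""Constructed model of two defensive filters: a DNS filter that sinkholes
known-bad domains (and their subdomains), and a geo-block that drops traffic
whose source address maps to a country the firm does not do business with.
All names, prefixes and country codes below are made up for illustration."""
import ipaddress

# Constructed blocklist; a production resolver loads this from a threat feed.
BLOCKED_DOMAINS = {"malware-example.test", "phish-login.example"}

# Constructed IP-to-country table using documentation address ranges.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

# Countries the (hypothetical) firm chooses to block entirely.
DENIED_COUNTRIES = {"RU"}

# Address returned for blocked names so the client connects nowhere.
SINKHOLE = "0.0.0.0"


def dns_filter(qname, upstream):
    """Answer a DNS query: sinkhole the name if it, or any parent domain,
    is on the blocklist; otherwise ask the upstream resolver.
    Returns (address, decision)."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Walk from the full name up to its registrable parent so that
    # "login.phish-login.example" is caught by the entry "phish-login.example".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return SINKHOLE, "blocked"
    return upstream(name), "allowed"


def country_of(ip):
    """Look up the country code for an address; None when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None


def geo_block(ip, denied=DENIED_COUNTRIES):
    """Firewall decision for an inbound source address.
    Returns (decision, country). Unknown origins are allowed here but
    returned with country None so they can be logged; a stricter policy
    could deny them instead."""
    country = country_of(ip)
    if country in denied:
        return "deny", country
    return "allow", country


if __name__ == "__main__":
    # Stand-in for a real upstream resolver; returns a fixed constructed address.
    fake_upstream = lambda name: "198.51.100.42"
    for q in ["courts.example", "Login.PHISH-login.example."]:
        print(q, "->", dns_filter(q, fake_upstream))
    for src in ["203.0.113.7", "198.51.100.9", "10.0.0.1"]:
        print(src, "->", geo_block(src))
```

Two caveats a practitioner would raise: IP geolocation is approximate and attackers route through hosts in permitted countries, so geo-blocking reduces noise rather than guaranteeing protection, and a DNS filter only helps when clients are forced to use the filtering resolver, so outbound DNS to other servers should be blocked at the firewall.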

Advances like blockchain technology hold the promise of more protection, but in the meantime, the legal profession is undergoing rapid evolution, accelerated by COVID-19. Many jurisdictions have gone to exclusive e-filing platforms, and more land records are being moved to online platforms, potentially expanding opportunities for hackers. But protections like those offered by blockchain technology have yet to be fully incorporated into the legal profession.

And while third-party cloud-based storage and retrieval offer some defense, a common standard to ensure data integrity does not yet exist, so data movement and storage continue to represent big concerns in terms of security and compatibility. Law firms, solos, and other users need to remain vigilant and ensure that their IT services provider keeps up to date with application improvements to be sure they are protected. This can be accomplished in an efficient and effective manner if a framework is developed, updated, and modified as needed, and if third-party IT services organizations are periodically reviewed to ensure their abilities continue to align with the cyber security needs of the firm.

Carl Mazzanti is president of eMazzanti Technologies, a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].
