
Your Firm Was HACKED. Now What?

It looked like just another notice from your law firm’s IT guy—probably another computer system update. Your administrative assistant didn’t ponder it long, just clicked on the link to get the busywork over with. But looks can be deceiving, and that’s what cybercriminals are counting on. With one click on a fraudulent link, any employee can ignite a dumpster fire of damage that breaches the data in your files, reveals personal information of your clients, or paralyzes every aspect of your business until you pay the criminals a ransom.

With cybercrime escalating worldwide, is your firm doing enough to minimize your vulnerability?

Risks Become Routine

Unfortunately, dealing with cyberthreats is part of doing business for organizations of all sizes and specialties. According to the FBI, the costs of dealing with cybercrime doubled to $2.7 billion between 2017 and 2018. And recently, CNBC reported that the average cyberattack now costs $200,000, with 43 percent of cyberattack victims being small businesses that may be hard-pressed to take a hit of that magnitude.

One small slip-up by a busy employee or executive can leave your firm wide open for cyberattack. An August 2019 story in The New York Times cited the experience of a city employee of Allentown, Pennsylvania, who was using a laptop while on a routine business trip. While traveling, he happened to miss a software update.

After he clicked on a “phishing” email sent by Ukraine-based hackers, he unwittingly allowed malware to spread on computers throughout his office. It cost the city more than $1 million to clean up the damage.

Even digital giant Facebook has not been immune from attack. In 2018, it disclosed that a data breach had allowed illicit access to 30 million accounts. Selling people’s data is a lucrative prospect, so it’s clear that cybercrime is not going away.

Other corporations, municipalities and hospital systems have been paralyzed by ransomware attacks. It’s a more common threat to law firms than you might think. In these attacks, hackers target a firm’s digital systems to paralyze functions such as records, email and other services. Then they hold the firm hostage, saying they won’t free up the software unless they’re paid off.

Some other common types of cyberattacks are:

  • Stolen passwords. Phishing emails trick people into going to websites where they’re asked to enter their usernames and passwords. The sites look authentic enough – but they’re fake and give hackers access to a wealth of company and/or personal information.
  • Social engineering. Similarly, a phishing email is sent to employees and it looks like it comes from someone within the organization. It will ask for sensitive information such as passwords.
  • Phony hyperlinks and attachments. Again, they may look legitimate. But when someone clicks on the link or opens the attachment, they give hackers an inroad to their computer system.
  • Spam emails might look like helpful ads for beauty products or cheery promises of free stuff. But they can trick people into providing personal information, which can be sold on the black market.
  • Hacked versions of software. Fake versions of legitimate software (such as an online meeting program) let cybercriminals lift data or lock down office computers.
  • Malicious mobile apps and downloads. Mobile devices can pose risks, with so many people doing business on their smartphones. An employee who OKs permissions for a malicious app can give hackers access to sensitive company data.

Risks for Law Firms

Law firms handle a lot of information that hackers could find attractive. Firm files contain protected information on clients and employees, such as sensitive personal and professional data that they are trusting the firm to keep confidential. A February 2017 data breach at the international law firm Jenner & Block affected tax forms for hundreds of its current and former employees, potentially exposing data including addresses and Social Security numbers.

Also at risk from a cyberattack is information gathered for use in the litigation process—a possible threat to law firms of any size. This data might include material that could come out later in court, as well as information meant to be used during negotiations.

Financial implications of cybercrime for law firms can be significant. One possible scenario: Hackers access a list of a law firm’s creditors, then send them bogus bills offering to settle for lower payoffs if they’ll ante up a partial amount.

There can be longer-term financial fallout, as well. A firm that suffers a serious breach will lose some established clients and may have trouble attracting new ones, especially those with stringent security requirements.

Consider Best Practices

How do law firms handle potential threats? A sprawling multinational firm will have entire departments and divisions dedicated to cybersecurity. But firms with fewer than 200 employees often follow a traditional model that’s much simpler. Typically, they will employ an information technology (IT) manager, plus another employee who provides desktop support. Often that means there’s no one solely dedicated to cybersecurity.

IT managers are good at solving technical problems in your computer system, but they tend to lack expertise at anticipating cyber threats and reducing or eliminating risks. That’s a drawback when it comes to designing effective cybersecurity, especially because law firms need multiple layers of protection.

As an analogy, compare it to how you secure your home. You don’t simply install a deadbolt lock. You also have other strategies: an alarm system, a link to police, fencing. You might get a watchdog. An ideal security plan will involve multiple measures designed to keep the bad guys out.

Cybersecurity protection is similar. Strategies might include network scans, encryption, spam filters, antivirus software, automated controls, access restriction, staff training, malware defenses and more. Having multiple defenses is a better way to keep the cybercriminals out.

Assessing Risks

As with a health checkup, law firms can benefit from a cybersecurity evaluation—whether the firm has already been victimized or is just trying to prevent it. For help conducting a cybersecurity evaluation, look for a company that has undergone a Service Organization Control (SOC) audit and has experience working with law firms. The company you choose should analyze systems based on the National Institute of Standards and Technology (NIST) framework. NIST is an agency of the U.S. Department of Commerce. It outlines a methodical approach to cybersecurity with five basic functions: identify, protect, detect, respond and recover.

Factors to be evaluated will cover security policies, automated security measures, efficiency of IT updates and staff training programs. Your cybersecurity status will be rated on a scale of 0 to 5. For most firms, a low ranking is an eye-opener and even a little scary. The upside, however, is that you’ll learn what you can do to reduce risks.

Time to Take Action

Common-sense strategies will include improving email security. For instance, you might be advised to strengthen password protocols, install a spam filter, and set up a reliable antivirus app on both desktop and mobile devices.

More broadly, consider outsourcing your cybersecurity management, since it could be more cost-effective than hiring a cybersecurity staff. In fact, if you are seeking clients in certain sectors, such as military or government agencies, outsourcing cybersecurity may be required to get and keep their business. The cost typically will range from $2,000 to $5,000 per month.

With a cybersecurity partner, you’ll agree on a system of policies and controls to be implemented at regular intervals. The schedule might look something like this:

  • Annually: IT security planning, risk assessment, review of requirements and cybersecurity budget planning.
  • Quarterly: Security leadership meeting, review of vulnerabilities, updates on training that’s been done and what is needed.
  • Monthly: Remediation project management to suggest further improvements, and an exercise such as testing with a simulated phishing attack.
  • Daily and Weekly: Monitoring network traffic.

While automated measures are important, informed employees are a key line of defense. They’ll need training and reminders to be alert for scams, spot possible hacking attempts, and most important, to refrain from clicking on those suspicious links.

Don’t Be a Victim

Well-publicized victims of cybercrime have included organizations ranging from entertainment conglomerates to universities to political parties. Just because it hasn’t happened to your firm yet, don’t be lulled into complacency. Your law firm could be a target, too, putting your operations and finances at risk, not to mention your firm’s reputation.

While no one is 100 percent immune from cyberattack, there’s a lot law firms can do to safeguard the security of the firm, clients, records and employees. The best strategy is to implement layers of security measures to discourage cybercriminals before they break through your defenses. Sadly, for someone else, there’s always a “softer target” to which they can turn their malicious attention.

Kevin Studley

Kevin Studley is the president of The Network Pro, Inc., a California-based Managed IT and Security company that specializes in the legal vertical. The Network Pro is recognized as a growth company on the Inc. 5000 fastest growing companies list, a Great Place to Work by the OCBJ, and has placed on the Top 501 Managed Services Providers list for the last seven years. Kevin Studley is an active and long-standing member of Vistage and actively participates in events that promote the business community. For more information, visit or call 714-333-9620.
