Trimble: Is your firm ready for cyberattacks? If not, you should be


In late July, I had the opportunity to attend the Annual Meeting of the Federation of Defense & Corporate Counsel. Every year the meeting offers an array of educational sessions dealing with the very latest issues of concern to law firms everywhere, and this year was no exception.

This year, one of the hottest issues was the readiness of law firms to prevent and respond to cyberattacks. A panel of some of the foremost experts in the country shared some pointed and urgent advice about how we should protect our firms and our clients from the inevitable day when some type of cyberbreach occurs. My goal today is to share some of that advice with you.

Everyone must accept the fact that all businesses, and particularly law firms, are under constant assault from attackers. Some attackers try to silently pierce a firm’s defenses to get into its systems. However, the vast majority of attacks begin with phishing, which seeks to fool users into responding to emails, clicking on links, or opening attachments on their computers and cellphones. The phishing methods are too numerous to catalog here, and they change daily. (The risk is even greater now that so many users are working remotely from home or a coffee shop.) It is safe to assume that every user within every law firm faces phishing attempts every day, sometimes multiple times per day. All it takes is for one user to click on the wrong link, or to type a password into a convincing fake login page, and malware or a stolen credential is inside the system. Once an attack is successful, firms face thousands of dollars in potential response costs and even greater exposure to liability to clients and the public. Consumer class actions are rampant, and they are often difficult to defend when the firm’s attention to cybersecurity has been lax.

Our esteemed panel encouraged us to view the problem on three levels, namely, 1) prevention, 2) crisis response planning, and 3) crisis communications planning.

Prevention is paramount, and it requires an investment of money and time. But the money and the time will be well spent. The following is a partial list of suggestions of ways for firms to shore up their defenses:

• Hire a qualified cybersecurity firm to study your system, test your defenses and offer software and training to minimize exposure.

• Purchase cyber liability insurance. Most insurers will provide a list of the steps that firms should take to avoid attacks.

• Engage in constant communication and training with all users to teach them to recognize and avoid phishing attacks and other social engineering. There are good subscription training programs that regularly require employees to review scenarios and answer test questions, and that send simulated phishing emails to measure whether the training is working.

• Implement policies for the use of take-home computers and cellphones. In particular, users should avoid open Wi-Fi networks that are not password protected, and should treat any public Wi-Fi, password or not, as untrusted: a firm-provided VPN or a personal cellular hotspot is the safer choice when working away from the office.

• Require strong, unique passwords, ideally managed with a password manager, and change a password promptly whenever compromise is suspected. Current guidance (NIST Special Publication 800-63B) no longer recommends forcing routine periodic changes, which tend to produce weaker and more predictable passwords.

• Utilize two-factor authentication when users sign into the network and when they sign into programs within the network, particularly email and remote access. Authenticator apps or hardware security keys resist phishing better than codes sent by text message.

• Encourage users to report any suspicious emails or unusual changes in how their computers are operating.

• Implement policies on the subject of whether users may visit websites when using their work computers.

• Evaluate whether users will be allowed to log into the law firm network from home computers. This is particularly important if home computers are being used by children.

• Make sure key law firm managers attend cybersecurity seminars so that they will be up to date on the latest fraud schemes.

The second issue of importance is crisis response planning. Very, very few law firms have crisis response plans, but they should have one. A few of the components of a plan include the following:

• Identification of the key managers who will oversee a response when a breach occurs.

• Training of all users to immediately notify management the moment they realize they have fallen prey to a phishing attack or a hacker.

• Giving immediate notice to the firm’s cyber liability insurer. Most insurers have their own rapid response teams who will jump into action to attempt to minimize the damage, and many policies require notice within a set time and approval of the vendors the firm engages, so delay can jeopardize coverage.

• Having a qualified IT or incident response firm, preferably one already approved by your insurer, available on a moment’s notice to identify the problem and implement protective measures.

• Undertaking “tabletop” exercises before a breach occurs to verify that the plan will work and that everyone knows their role.

• Being prepared to immediately work with your insurer to provide notices to third parties about the breach. There are state and national notice requirements, and you should know them.

The third and final issue is crisis communication. Lawyers are notorious for believing they are experts in communications in a crisis, but the reality is that unless they have received training, they are not experts in responding to the media or drafting notices to affected third parties. They tend to forget that what they say can be used against them in consumer lawsuits. Further, law firms often underestimate the damage to the firm that can occur from clients who feel insecure or media rumors that may develop after a breach.

So, a crisis communications plan is advised. Here are some of the elements:

• Creation of a crisis communication group within the firm who will have responsibility to respond to media inquiries or client and public inquiries.

• Creation of internal communications so that all users and partners can be updated on the breach.

• Discussion and understanding in advance of likely crisis scenarios.

• Creation of templates holding statements and talking points.

• Training of all employees to make sure they know what to say and what not to say after a breach.

• Identification of an experienced PR/crisis management firm to contact on a moment’s notice.

• Use of “dry run” crisis exercises to make sure the firm is ready to go if a breach occurs.

One of the challenges of the subject of cybersecurity is the attitude that “this won’t happen to our law firm.” We have been living in a cyber age long enough now that computer users are numb to the news and accustomed to instantaneous responses to text messages and emails. People treat this issue routinely and act without thinking.

Please take my word for it: This can happen to your law firm. Don’t ignore it a day longer. Odds are that sooner or later, you will be faced with a breach. You should try to avoid it, but you must be ready to act when it happens.

#WillYouBeThere?

__________

John Trimble (@indytrims) is a senior partner at the Indianapolis firm of Lewis Wagner LLP. He is a self-described bar association “junkie” who admits he spends an inordinate amount of time on law practice management, judicial independence and legal profession issues. Opinions expressed are those of the author.
