Democratizing Data Security By Leveraging Best Practices Of Big Firms For Small & Mid-Sized Firms

A clear vision and prudent decision-making can help small and mid-size firms effectively handle sensitive and confidential data. Small and medium-sized enterprises can leverage some of the cyber security best practices of big firms to protect their critical assets from cyberattacks.

A cyberattack can put an organization’s finances, reputation, and information systems at risk. However, there’s a misconception that only large firms are at risk of a cyberattack, and small or mid-sized firms do not need any cybersecurity control measures when it comes to cybersecurity. These twin misconceptions have made the majority of small and mid-sized firms vulnerable and ill-prepared to detect and/or prevent cyber threats. However, small and mid-sized legal firms can leverage the cyber security best practices used by large enterprises (e.g., Am Law 200) to protect sensitive and confidential data. The reason is, most of the large firms have their cyber security posture based on robust government and industry-wide frameworks, including the NIST SP 800 series.

The image  below and, the statistics from a recent study, shows that the average cost of cybercrime in the US had increased by +29% between 2017 and 2018:

Image courtesy: accenture.com

What Makes Cyber-Security Awareness Important For Legal Organizations?

‘Humans’ are the weakest link in information security. Legal practitioners, their associates, and other employees in a law firm interact with a vast amount of the Personally Identifiable Information (PII) and Personal Healthcare Information (PHI) of their clients. If employees are not well trained and educated in the handling of sensitive or confidential data, they may:

• Click on a URL in a phishing email or download an infected attachment jeopardizing the security of the entire organization
• Reveal business secrets or sensitive information on social media platforms resulting in reputational damage
• Share the confidential information in an email to the unintended recipients and reveal the business secrets

It could result in a violation of consumer privacy requirements or loss of sensitive financial information, potentially leading an organization to pay hefty penalties for non-compliance to regulations, such as HIPAA, GDPR, GLBA, CCPA, and FISMA-2014.

When it comes to the integrity of any legal enterprise handling confidential and sensitive client data, there is no question of privacy vs. security as both are equally important and shared responsibility for a healthy cyber setup. When organizations are answering ‘privacy’ questions such as what data should be collected? Whom might it be shared with? How long should it be retained? They also need to think in parallel about the relevant ‘security’ questions of how to collect & retain the information securely, and how to ensure that it’s available to authorized users when needed? Making that balance it the key for any business to be successful.

The American Bar Association explicit emphasis on Securing Communication of Protected Client Information as mentioned in ABA Formal Opinion 477R, and the ABA Formal Opinion 483 provides a comprehensive guide on Lawyers’ Obligation(s) after a data breach or cyberattack has taken place.

The following diagram shows the top cyber security threats that organizations face:

Image courtesy: Nikhita Reddy Gade & Ugander G J Reddy, ‘A Study Of Cyber Security Challenges And Its Emerging Trends On Latest Technologies‘

Why Are Small And Mid-sized Legal Organizations Sitting Ducks?

Some of the reasons why small and mid-sized legal organizations take a back seat approach when it comes to cybersecurity  include:

• Insufficient Budget: This is one of the most common barriers when it comes to cybersecurity. However, there are cost-effective cybersecurity best practices to ensure a robust security posture.
• BYOD (Bring Your Own Device) Issues: Business transactions being processed on personal smartphones, with a managed BYOD policy, is another common reason behind cyberattacks against small and mid-sized organizations.
• Staff Shortage: Small organizations may not have enough staff to dedicate solely towards the detection, management, and prevention of cybercriminal activities.
• Lack of Prioritization: Cybersecurity may not be among the top priorities for most of the small and mid-sized organizations. However, it should be made part of day-to-day decision making and daily business operation for a cohesive implementation.

How Can A Small-sized Legal Organization Adopt Cyber Security Practices Of Large Organizations?

Here are a few cybersecurity tips that the AmLaw 200 (The top 200 law firms in America) follow, which can benefit any small or mid-sized organization:

Consistent Cyber Risk Assessment Of Operating Environment
A qualified independent third-party firm can help assess the operating environment of an organization to ensure that the critical cybersecurity controls are in place.

Cyber Security Awareness Training: Education, Knowledge & Training
Cyber security awareness training plays a vital role in bridging the gap between a successful attack and a human error or negligence. For a cyber security awareness training program to be successful and comprehensive enough, it must cover:

• Security best practice training for employees and executive leadership
• Anti-phishing training
• Ransomware detection and response training
• Physical security best practice
• Social media browsing best practices

Protective Measures and Data Backup
Employing strong passwords along with 2FA (Two-factor Authentication) can prevent unauthorized access to digital assets to a large extent. Periodic and regular data backups ensure that the critical data is up to date.

Continuous Monitoring and Configuration of Border Security (Firewall, IDS or IPS)
A firewall or IDS (Intrusion Detection System) or IPS (Intrusion Prevention System)  acts as the first line of defense. It inspects each incoming data packet, decides which messages should be allowed, and alerts you while keeping the rejected ones at bay.

Limiting Access to Confidential and Sensitive Information
Only authorized persons should get access on a “need to know” basis to confidential and sensitive data. The information must be classified (confidential, secret, and top-secret) based on it’s value to the organization.

The following graph depicts some of the latest trends in the most commonly used cybersecurity techniques by larger organizations:

Image courtesy: Nikhita Reddy Gade & Ugander G J Reddy, ‘A Study Of Cyber Security Challenges And Its Emerging Trends On Latest Technologies‘

The Wrap Up

“Prevention is better than cure!” – this phrase is well respected in the world of cyberspace, and GoldSky Cybersecurity is primarily suited to help small and mid-sized businesses enjoy the same robust cyber security controls available to larger organizations, thus allowing them to meet business objectives. Cybersecurity is an issue that has always been a significant topic of concern for the legal industry for many years, therefore collaborating with capable cyber risk professionals will ensure proper alignment of security goals with business goals.

GoldSky Security has resources in Orlando, Denver, Nashville, Washington D.C., Tampa and Phoenix who can help your small or mid-sized law firm implement a cyber security program.   Reach out for a free consultation today.