Cybersecurity Within Law Firms - Strategy to Protect Sensitive Data
Abstract
A strong cybersecurity strategy can help protect your brand and your clients' trust in your firm. This is where the 3Ps - people, processes, policy - come into play and help draw up an action plan that law firms everywhere can follow.
1. Introduction
We have been talking for a while now about the possibility that anyone could be subjected to small- or large-scale cyber-crime. Cyber threats are universal and they are growing both in number and in intensity. The actors behind these threats are not only trying to break into an organization's network, but also seek to steal its data and sell it to the highest bidder.
Today, like most businesses out there, law firms operate online for multiple reasons: more exposure, easier delivery of services, wider reach and so on. Consequently, they are targeted more and more often. Law firms are part of an entire chain of data exchange, being the connection node between clients, authorities, the judiciary, accountants and so on. This leads to the conclusion that sensitive information is communicated between parties and is held by law firms all over the world as part of their normal course of business. Clients entrust firms with sensitive personal data such as financial reports, healthcare information or trade secrets, making law firms the perfect target for cyber-criminals.
2. Pitfalls of an unprepared law firm when faced with cyber threats
Why is it so important for a law firm to not only detect and recover when faced with a cyber-attack, but also to prevent such threats as much as possible? The answer is quite clear and it comes in the form of another question that you should ask yourself: How will my clients see me if I lose their data? The trust of clients and keeping a good name is vital for any organization, more so when it comes to law firms. This is because trust, in this industry, is not only desirable, but also mandatory. Think about the lawyer-client privilege, for example.
It means that the confidentiality of communications between lawyers and clients is sacred, and it is usually regulated at national level. The rationale behind it is that it encourages individuals to openly share information with their lawyers and lets lawyers provide effective representation. A data breach in this industry will inevitably lead to reputational damage and often substantial fines, not to mention the possibility that, if your network is compromised by ransomware, your entire business could be halted for weeks.
Having said all this, it is obvious that cybersecurity should be taken seriously, as highlighted by a recent study conducted by PwC in which 100% of the firms stated that they have been subjected to one type or another of cyber-attack.
3. 3Ps of cybersecurity
Now it is time to move on and discuss the ways in which the above-mentioned dangers can be prevented and efficiently responded to, ultimately leading to resilience on the part of the firm. Every cyber-strategy should have prevention, detection and recovery as its objectives when dealing with cyber threats. This is simply because, as stated before, you want to avoid being subjected to a cyber-attack in the first place. However, if malicious activity gets past your preventive measures, you should be able to detect it quickly in order to mitigate damage as much as possible and, finally, have a system in place that can help you recover from the attack.
In order to achieve these three objectives, there are three types of controls that have to be taken into account when drafting a cybersecurity strategy. They are usually called the “3Ps of cybersecurity”: People, Processes and Policy. These three topics form an ecosystem and are equally important for the proper functioning of a firm's internal cybersecurity plan. They are correlated and their development needs to be synchronized, since untrained staff could negate the benefit of sophisticated technological processes, for example. I will detail each one of them further below, giving some examples of how they can be used efficiently.
3.1. People
Let’s start with the human resources of a firm. Employees are often the weak links in an organization's security and you may know how the saying goes: the weakest link in the chain defines the strength of the chain. People share passwords, click on compromised links, open unchecked email attachments and are thus susceptible to being deceived. The actions of a single employee are enough to compromise the network of an entire firm. Hackers use social engineering techniques to manipulate people in order to gain control over systems. More specifically, they can use spear phishing, conducting attacks after doing research on the target. These are directed attacks on a particular person or organization, using inside knowledge gathered from open sources such as employees' posts on social media, open data available on the internet and so on. Malicious actors are, in this case, after confidential information, business secrets and other sensitive information, making law firms a clear target.
Social engineering and phishing account for 70% - 90% of breaches, leading to the conclusion that, contrary to preconceptions about cybersecurity, it is not enough to have a strong technical infrastructure. You need to be able to protect your firm against human error. First things first, staff have to be digitally literate and equipped with critical thinking skills so that they can detect a fake email or a malicious link, for example.
After investing in staff training, any firm can use a tool to test employees and their actions when confronted with a phishing attack. Ethical phishing simulation provided by an experienced company can be such a tool and can give you an idea of how resilient you and your firm are when faced with social engineering techniques. These simulations work by gathering data on the firm, creating an attack strategy, launching the campaign, collecting data on the employees who fell for the simulation, and ultimately creating a personalized educational program and a regular phishing campaign to test staff awareness.
3.2. Processes
The second “P” relates to all software and hardware techniques you can implement in order to limit, as much as possible, the risk of being subjected to an attack. It refers to the entire chain of technological systems that can be used for the security of the firm and that are effective in the majority of circumstances, neutralizing threats often automatically, without having to resort to manual human action. Some examples could be ensuring that the network infrastructure is well built or making sure that the firm’s website is secure. Moreover, through technology, some of the human errors mentioned in the previous section could be fixed from an architectural perspective, by granting access to data based on the specific position and internal role of an employee.
Frequent penetration testing is a useful tool that enables companies to discover their vulnerabilities and ways to mitigate them proactively. This is where experts in penetration testing come into play. It is vital to test your processes in order to identify potential leaks, since such a test helps you think like the adversary, looking at your own networks from the perspective of a malicious actor searching for hidden vulnerabilities. The findings of the penetration testing team inform you about the efficiency and effectiveness of your security program, helping you enhance your protection and reduce risk.
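The sentence above mentions giving access to data based on an employee's role. The following added example (not code from the original article) shows what that looks like in practice: a deny-by-default access check for client matter files that requires both a permitted role and an assignment to the specific matter, and records every decision in an audit trail so that denied attempts can be reviewed as a detection signal. The roles, matter ids, employee names and documents are all constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed role model for this example: which actions each role may perform on a
# client matter. An IT administrator runs the systems but has no business need
# to read matter content, so the role carries no data permissions at all.
ROLE_PERMISSIONS = {
    "partner": {"read", "write", "share"},
    "associate": {"read", "write"},
    "paralegal": {"read"},
    "it_support": set(),
}


@dataclass(frozen=True)
class Employee:
    name: str
    role: str
    matters: frozenset  # ids of the matters this employee is assigned to


@dataclass
class Matter:
    matter_id: str
    documents: dict = field(default_factory=dict)


# Audit trail of every access decision: (employee, matter, action, outcome).
AUDIT_LOG = []


def is_allowed(employee, matter_id, action):
    """Deny by default: the role must permit the action AND the employee must be
    assigned to that matter. Every decision is logged, allowed or not."""
    permitted = ROLE_PERMISSIONS.get(employee.role, set())
    allowed = action in permitted and matter_id in employee.matters
    AUDIT_LOG.append((employee.name, matter_id, action, "ALLOW" if allowed else "DENY"))
    return allowed


def read_document(employee, matter, doc_name):
    if not is_allowed(employee, matter.matter_id, "read"):
        raise PermissionError(f"{employee.name} may not read {matter.matter_id}")
    return matter.documents[doc_name]


def write_document(employee, matter, doc_name, content):
    if not is_allowed(employee, matter.matter_id, "write"):
        raise PermissionError(f"{employee.name} may not write {matter.matter_id}")
    matter.documents[doc_name] = content
    return True


def denied_attempts():
    """Denied decisions are the entries a security team would review."""
    return [entry for entry in AUDIT_LOG if entry[3] == "DENY"]


# Constructed sample data (hypothetical matter and staff).
MATTER = Matter("M-2024-001", {"contract.docx": "confidential draft"})
PARTNER = Employee("Ana", "partner", frozenset({"M-2024-001"}))
PARALEGAL = Employee("Ion", "paralegal", frozenset({"M-2024-001"}))
OTHER_ASSOCIATE = Employee("Maria", "associate", frozenset({"M-2024-002"}))
IT_ADMIN = Employee("Dan", "it_support", frozenset({"M-2024-001"}))


if __name__ == "__main__":
    print(read_document(PARALEGAL, MATTER, "contract.docx"))  # allowed: role + assignment
    for who, action in ((PARALEGAL, "write"), (OTHER_ASSOCIATE, "read"), (IT_ADMIN, "read")):
        print(who.name, action, is_allowed(who, MATTER.matter_id, action))
    print("denied:", denied_attempts())
```

The point of the two-part check is that a role alone is never enough: an associate assigned to other matters is refused exactly like an outsider, and the audit trail makes repeated refusals visible to whoever reviews the logs.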
3.3. Policy
The last “P” relates to the policies implemented by a company as a way of providing a framework of conduct for employees, partners, consultants and other similar stakeholders. In this context, policies regulate online access, data sharing, network use and so on, all in order to ensure the security of the firm. A well-thought-out policy system works like an action plan that can be followed by any person or system and describes the general roles, expectations and responsibilities of every actor. In this way, a strong cybersecurity policy helps create accountability.
Technical policies are the most commonly used ones and provide a comprehensive system of safeguards that usually aim to prevent attacks in the first place. Some examples could be implementing strict rules for creating passwords or using an email filtering or flagging system. Moreover, you may even restrict access to certain websites, such as social media pages, from the firm’s network, in order to limit the danger of social engineering as much as possible.
Another area in which you need to implement policies is data protection and compliance with specific regulatory instruments such as the GDPR (EU) or the CCPA and CDPA (California and Virginia). When it comes to the GDPR, this legally binding document sets a strict standard for customers’ data and enables them to enforce their rights. On the other hand, this may come as a burden for any organization, since processes and internal procedures/policies must be put in place in order to ensure compliance and avoid high fines. Among other requirements imposed by the Regulation, companies must (under some conditions) have a Data Protection Officer, responsible for the proper handling of customers’ data and for reporting incidents.
General internal procedures should also be implemented to make sure that incidents are responded to efficiently. Reporting suspicious activity should be mandatory and a cornerstone of every security policy. In this way, a common way of thinking would be avoided: I did not fall for the trap of clicking on this attachment, so everything is fine. Every employee should flag any possible threat in order to catch an attack before it happens. This makes it clear that a comprehensive system of cybersecurity governance is of the utmost importance for your firm, complementing the technical processes mentioned in the previous section and ensuring that staff are aware of and understand the firm’s cybersecurity mitigation efforts.
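To make the "email filtering or flagging system" mentioned above concrete, here is an added example (not code from the original article) that applies a few common defensive flagging rules to incoming mail headers: sender outside the firm's domain, a sender domain that looks like the firm's own, a display name that matches a staff member but comes from a different address, and a Reply-To that diverges from the From address. The firm domain, staff directory and the three sample messages are constructed for the example, and a real deployment would run this on the mail gateway rather than on raw strings.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the firm's own domain and a small staff directory
# (hypothetical values, not from the original article).
INTERNAL_DOMAIN = "example-law.test"
STAFF_DIRECTORY = {
    "ana popescu": "ana.popescu@example-law.test",
    "ion ionescu": "ion.ionescu@example-law.test",
}

# Character sequences that are easily confused with one another in a domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(domain):
    """Fold visually similar sequences so 'exarnple' compares equal to 'example'."""
    folded = domain.lower()
    for lookalike, canonical in HOMOGLYPHS:
        folded = folded.replace(lookalike, canonical)
    return folded


def levenshtein(a, b):
    """Edit distance; a distance of 1 catches a single dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=INTERNAL_DOMAIN):
    if domain == trusted:
        return False
    return normalize(domain) == trusted or levenshtein(domain, trusted) <= 1


def flag_message(raw):
    """Return the list of flags a gateway would attach to the message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    if domain != INTERNAL_DOMAIN:
        flags.append("EXTERNAL_SENDER")
    if domain and is_lookalike(domain):
        flags.append("LOOKALIKE_DOMAIN")
    known_addr = STAFF_DIRECTORY.get(display.strip().lower())
    if known_addr and addr != known_addr:
        flags.append("DISPLAY_NAME_IMPERSONATION")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append("REPLY_TO_MISMATCH")
    return flags


# Constructed sample messages.
SAMPLE_INTERNAL = (
    "From: Ana Popescu <ana.popescu@example-law.test>\n"
    "To: ion.ionescu@example-law.test\n"
    "Subject: Draft contract\n\nPlease review.\n"
)
SAMPLE_IMPERSONATION = (
    'From: "Ana Popescu" <ana.popescu@webmail.example>\n'
    "To: ion.ionescu@example-law.test\n"
    "Subject: Quick question\n\nAre you at your desk?\n"
)
SAMPLE_LOOKALIKE = (
    "From: Accounts <invoices@exarnple-law.test>\n"
    "Reply-To: collect@other.example\n"
    "To: ion.ionescu@example-law.test\n"
    "Subject: Overdue invoice\n\nSee attachment.\n"
)

if __name__ == "__main__":
    for name, sample in (("internal", SAMPLE_INTERNAL),
                         ("impersonation", SAMPLE_IMPERSONATION),
                         ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, flag_message(sample))
```

The flags are meant to be shown to the recipient (for example as a banner or subject tag) rather than to block mail outright; the display-name and Reply-To checks in particular catch messages that pass ordinary spam filtering because they contain no malicious attachment at all.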
4. Importance of consultancy from experts
As you can see, there are quite a few aspects that you should take into account when drawing up an effective cybersecurity strategy. Seeking expert advice when doing this has some advantages that can make the process less intimidating and ensure better results. Firstly, outsourcing and using a team of cyber experts only when needed is a cheaper alternative to a traditional IT department, which would not only have to provide the usual technical assistance, but also create and manage the security plan. Secondly, an expert team helps with risk reduction, since it provides guidance and the best personalized security measures to maximize their efficiency. Finally, they can help educate your staff on the latest technologies and safer workplace practices and create awareness of cybersecurity threats, reducing the risk of the human errors presented above.
5. Conclusion
Since security cannot be seen as a permanent state and there is always the risk of a successful attack, firms should take charge and invest in training staff, use new technical controls and issue a comprehensive system of policies. By following the structure of the “3 Ps”, you can achieve the objectives of every cybersecurity plan: prevention, detection and recovery. To wrap up and put it simply, any firm should first establish its biggest threats. Then, it should draw up a plan on how to prevent and detect them. Finally, a strong incident response/recovery plan should be in place in case these threats get past all the other safeguards; this entire strategy is easier to frame with the help of cybersecurity experts.