This article has been provided by Tom Lambotte, founder and CEO of BobaGuard, a partner of Embroker. Tom advises law firms on cybersecurity and helps protect them from cyberattacks and cybercriminals. In this article, Tom explains that law firms, particularly small firms and solo practitioners, need to understand who and what cybercriminals target.
There’s a target painted on your back.
It was put there by cybercriminals intent on stealing all your clients’ confidential information or breaching your computer systems and online accounts with vicious viruses and malicious ransomware.
You’re only kidding yourself if you think—as a solo attorney or a small law firm—that no hackers would be interested in targeting you. It’s a mistake to imagine yourself invisible to them, to believe that the only law offices showing up on hackers’ radar screens are the big ones that have as clients Fortune 500 companies, A-list celebrities, and world-class athletes.
The reality is that the smaller your firm, the bigger the target on your back. That’s because cybercriminals have figured out—quite correctly—that solo attorneys and small law firms make the easiest pickings.
This is no idle claim. Inc. magazine recently relayed findings from a cybersecurity outfit indicating that bad actors tend to “set their sights on small businesses since smaller companies usually have weaker security safeguards in place compared with those at larger companies.” Indeed, per Inc., more than 30 percent of U.S. small businesses have exploitable computer system weaknesses.
And, as a law firm, are you not a small business? Yes, you are.
However, it gets worse. Small business owners, it seems, are rather apathetic about all this.
Earlier this year, the CNBC|SurveyMonkey Small Business Survey reported that just 5 percent of small business owners deem the risk of cyberattack to be their biggest worry. Also, the pollsters confirmed that the smaller the small business, the less the concern.
Defenses Spotty at Best
My long-standing observation as a cybersecurity consultant and vendor is that, when it comes to storing sensitive data, the computer systems belonging to small law offices typically are configured with the fewest (and thus weakest) defenses.
In too many instances, that’s attributable to a failure to accept the existence of the painted target I mentioned. However, the problem can also be blamed on lawyers convincing themselves that the effective technologies and methodologies necessary to adequately secure their computers are too costly.
They’re not too costly. On the contrary, even solo practitioners can afford them. It is unfortunate they think otherwise.
Secondarily, cyberattack defenses are usually lacking in solo and small law offices because lawyers tend to feel lost when it comes to addressing cybersecurity threats. Accordingly, the temptation is to let data security issues slide and hope for the best.
If I’ve just described your mindset, an analogy might be in order to help you see this matter in a different light. So, let’s assume you own the home in which you live. That being the case, you owe a duty to yourself and to everyone else who resides with you to prevent termites from wrecking the place and rendering it uninhabitable.
Yet to satisfy that duty you don’t need to be a structural engineer, a dwelling rehabilitation expert, or a licensed and bonded pest-control specialist. You just need to be able to recognize you’ve got a problem that needs fixing and then have the gumption to seek out appropriate help. It’s no different with regard to your computers and the threat of cyberattack.
Of course, you wouldn’t be at so great a risk for cyberattack but for the figurative ton of sensitive information and passwords you possess. These items are worth a lot of money on the Dark Web.
To get their clutches on your data, cybercriminals employ many time-tested ploys. One such approach entails sending you phishing emails. Another involves inviting you to download or directly open virus-laden email attachments. There is also the ruse of leading you to a trap website.
Burden Is on You
One super-huge reason why you can’t ignore the target on your back is that you have obligations described by the American Bar Association’s Model Rules of Professional Conduct to safeguard the sensitive information entrusted to you.
In whatever state (or states) you’re licensed to practice law, your retention of that license is to some extent conditioned upon how well you live up to ABA Model Rule 1.6(c). Virtually every jurisdiction’s licensing body has adopted some version of Rule 1.6(c). In a nutshell, it declares that you have a continuous duty to take reasonable steps to safeguard client information wherever and in whatever format it exists.
The ABA has curated a list of factors that your state bar’s disciplinary committee members should use when trying to decide, following a successful cyberattack, whether or not you took reasonable steps to safeguard client information. These factors are:
- Sensitivity of the information
- Likelihood of disclosure if additional safeguards are not employed
- Cost of employing additional safeguards
- Degree of difficulty implementing those additional safeguards
- Extent to which extra safeguards would get in the way of your ability to represent clients
Pro tip: one way of convincing bar disciplinary committee members that you did take reasonable steps to safeguard data is to show that you encrypted all emails containing client information. Encryption makes it orders of magnitude harder for cybercriminals to intercept emails they have no business seeing, let alone capturing.
Encryption is just one layer of security. There are others you can add beyond that. Indeed, the more security layers you add to your systems, the weaker the breach-of-duty case that disciplinary investigators can make against you after a breach. And to be frank about it, the more layers you add, the less likely you’ll end up in the hot seat to begin with—extra layers won’t make your systems impregnable, but they sure will discourage a multitude of cyberattack attempts.
Accepting that the threat of cyberattack is real is half the battle. The other half is implementation of appropriate security measures. Even at that, there’s no guarantee you’ll fully eliminate that target on your back. But at least the target will cease to be a flashing neon beacon for cybercriminals looking to hit and knock over the softest possible targets.