The following article was included in the Winter edition of TOPICS, the quarterly newsletter of the BC Legal Managers Association:
The Evolving Cybersecurity Landscape for Law Firms
Brian Mauch BCom, JD
CEO, BMC Networks
I first began consulting to law firms on technology 25 years ago, fresh out of law school and determined to combine my interest in computers and the law.
In 1997, cybersecurity was a foreign concept to law firms, primarily because there was so little access to a firm's data from outside the physical office. The internet was in its infancy, and the remote-access tools of the day (does anyone else remember Norton pcAnywhere?) were cumbersome enough to present a roadblock in themselves to would-be hackers.
With the turn of the century came advances in technology and broadband internet speeds. In the 2000s, lawyers incorporated email and BlackBerrys into their practices. In the 2010s, lawyers started using remote access via the internet so they could work anytime, anywhere. In the 2020s, lawyers and their staff started working from home more regularly and got serious about adopting the cloud. This rapid evolution of law office technology, and the ease with which lawyers can now reach their data from anywhere, has created a perfect storm that every law firm faces today: each form of remote access enabled for lawyers is also an avenue that bad actors can try to use to reach the same data.
Law firms have tasked their internal IT teams and outsourced IT providers with designing and implementing 100% effective cybersecurity systems. This is a tall order: if a “silver bullet” existed that could prevent all cyber threats, everyone would happily buy it and hacking would cease to exist. No such silver bullet exists, as the constant news of breaches at large organizations with far larger IT budgets than any law firm makes clear. IT teams have followed best practice in implementing multiple layers of security, but the field is evolving rapidly, and new threats (and countermeasures) are appearing like never before.
BC lawyers often ask me whether their regulator provides guidance on cybersecurity requirements for law firms. The Law Society of BC has long taken the position that its role is to regulate lawyers, not technology. To my knowledge, LSBC has not published any mandatory technology requirements for law firms to follow. To be fair, LSBC has produced a comprehensive working paper and due diligence checklist on cloud computing, which provides an extensive list of issues and questions to consider when using cloud technologies. But the cloud computing documents do not specifically address cybersecurity for on-premises systems (which most law firms still run), nor do they impose mandatory requirements to follow, only things to consider.
In a notable development, LSBC published a Notice to the Profession email in June 2020 containing a list of recommended security precautions entitled “Ten simple steps you can take to protect your system against a data breach”. This list was significant because, to my knowledge, it was the first comprehensive list of cybersecurity recommendations that LSBC had ever published. The Ten Simple Steps article was posted on a new Cybersecurity page on the LSBC website, and then moved to the Lawyers Indemnity Fund (LIF) website when that site launched in June 2021. The current URL is https://www.lif.ca/risk-management/fraud-prevention/cybercrimes/ and the list is as follows:
- Create secure passwords for each account. Change them regularly and never share passwords with anyone. Use two-factor authentication. A reputable password management system that includes a random password generator may assist.
- Properly configure a firewall between the firm’s system and the internet. Talk to your IT professional about conducting security audits.
- Use up-to-date antivirus and malware endpoint protection on computers, laptops and handheld devices.
- Back up your data – talk to your IT professional about frequency (including staggering).
- Use encryption to protect hard drives, laptops, removable media, and backup media. Enable remote wipe capabilities for mobile devices and laptops.
- Make sure all critical patches and security updates are applied as soon as possible.
- Actively monitor systems for suspicious activity and log and archive system events as an audit trail.
- Use VPN or other encrypted connection to access public wireless networks. Avoid public Wi-Fi, and do not use an unsecured Wi-Fi to connect to your work server, to do any banking, or to send any confidential or personal information.
- Keep servers and equipment physically secure. Avoid working in spaces where third parties may view screens or printed documents.
- Cancel access to the network when employees are terminated. Maintain abandoned domain names after law firm mergers or acquisitions.
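As an added illustration of the monitoring and audit-trail item in the list above (this is not part of the LSBC/LIF list or of the original article), the following Python script runs a simple brute-force detector over a few constructed sshd-style log lines: it flags a source address that accumulates five failed logins within two minutes, and separately flags a later successful login from that same address, which is the event that actually warrants investigation. The log lines, host name, user names, addresses (RFC 5737 documentation ranges) and the assumed log year are all constructed for the example; the alert thresholds are illustrative defaults, not recommendations from the source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): sshd-style syslog lines from a
# hypothetical file server. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 09:00:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Jan 12 09:00:04 fileserver sshd[2101]: Failed password for invalid user administrator from 203.0.113.7 port 51013 ssh2
Jan 12 09:00:09 fileserver sshd[2103]: Failed password for root from 203.0.113.7 port 51014 ssh2
Jan 12 09:00:15 fileserver sshd[2105]: Failed password for jsmith from 203.0.113.7 port 51015 ssh2
Jan 12 09:00:22 fileserver sshd[2107]: Failed password for jsmith from 203.0.113.7 port 51016 ssh2
Jan 12 09:00:30 fileserver sshd[2109]: Accepted password for jsmith from 203.0.113.7 port 51017 ssh2
Jan 12 09:01:10 fileserver sshd[2111]: Failed password for jsmith from 198.51.100.22 port 40210 ssh2
Jan 12 09:02:00 fileserver sshd[2113]: Accepted password for jsmith from 198.51.100.22 port 40211 ssh2
Jan 12 09:02:05 fileserver sshd[2113]: pam_unix(sshd:session): session opened for user jsmith
"""

# Matches only the authentication outcome lines; every other line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict with ts/outcome/user/ip for an auth line, else None.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector over log lines in time order.

    Raises a BRUTE_FORCE alert the first time a source IP accumulates
    `threshold` failed logins inside `window`, and a SUCCESS_AFTER_BURST
    alert when a login from an already-flagged IP later succeeds.
    Returns the alerts as (kind, ts, ip, detail) tuples in log order."""
    recent_failures = defaultdict(deque)   # ip -> failure timestamps within the window
    flagged = set()                         # ips already reported once
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["outcome"] == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # discard failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ts, ip,
                               f"{len(q)} failures in {int(window.total_seconds())}s"))
        elif ip in flagged:
            # A success following a burst from the same source is the event
            # that needs a human now, not just a counter.
            alerts.append(("SUCCESS_AFTER_BURST", ts, ip, f"user={ev['user']}"))
    return alerts


if __name__ == "__main__":
    for kind, ts, ip, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind} ip={ip} {detail}")
```

On the sample data the script reports one BRUTE_FORCE alert for 203.0.113.7 and then a SUCCESS_AFTER_BURST for the same address; the single failure from 198.51.100.22 never crosses the threshold. The same sliding-window logic applies unchanged to Windows failed-logon events (Event ID 4625) or to a firm's VPN or remote-desktop gateway logs. What matters for the LSBC item is that the events are being collected and archived somewhere a detector (or a person) can read them, and that a success following a burst is treated as an incident rather than a closed case.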
A further sign of increased concern about law firm cybersecurity was the June 2021 inclusion by LSBC/LIF of group cyber insurance coverage for all BC law firms, underwritten by Coalition. This coverage provides a forensic cybersecurity response team and a privacy lawyer to assist and guide law firms if their data is breached. While the included group insurance has nominal limits, additional cyber insurance can be purchased from Coalition or other insurance providers at an additional cost. If a BC law firm suffers a data breach, its first call should be either to Coalition or to its alternative cyber insurance provider, ideally before any clean-up is attempted that could destroy evidence, so that the forensic team and privacy lawyer can direct the response from the outset.
Coalition has released a top ten list of its own in its 2021 Coalition Cybersecurity Guide. This list overlaps in part with the LSBC/LIF list and sets out the steps Coalition considers most effective for reducing the chance of a breach. The guide can be found at https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2020-12-2021-Coalition-Cybersecurity-Guide.pdf and the list is as follows:
- Increase email security
- Implement Multi-factor Authentication (MFA)
- Maintain good data backups
- Enable secure remote access
- Update your software
- Use a password manager
- Scan for malicious software
- Encrypt your data
- Implement a security awareness training program
- Purchase cyber insurance
The cybersecurity landscape for law firms has changed considerably over the last 25 years, and it will continue to evolve. Lawyers are relying more and more on IT to run their practices and deliver their services, new security threats are discovered all the time, and IT itself continues to change. Unfortunately there is still no “silver bullet” that will completely protect a law firm, but following the recommendations in the lists above provides substantial protection against existing security threats.