Changing Approaches to Legal Traditions

New considerations for old principles



♫ I’d say an ounce of prevention
Is worth a pound of attention span...

— Music & Lyrics by K. Hearn, S. Page,
E. Robertson, recorded by the Barenaked Ladies.

One of the oldest legal traditions is the duty of confidentiality owed to a client. In today’s world of constant change, this duty has come under unprecedented attack, as illustrated by the rising level of cyber incidents targeting law firms. These cyber attacks take many forms, but they all create the need for firms of all sizes to have measures in place that are designed to prevent attack, guard the firm’s data from being hacked, stolen or exposed, and allow the firm to respond quickly to an attack in a comprehensive and secure manner. A cyber response plan and systems hardened to the point where they can repel an attack are both requirements today.

How bad is the problem? A survey conducted by Blake, Cassels & Graydon in 2020 showed that just over half of Canadian organizations hit by ransomware last year paid cyber criminals to get decryption keys for restoring scrambled data.

Cyber defences start with technological competency. Cyber security is not solely about hardware and software. It starts with bringing all users up to speed on the role that they, as carbon-based processors, play both in opening up the silicon-based systems to attack and in repelling attacks in the first place. According to the American Bar Association’s (ABA) 2022 Legal Technology Survey Report, 75% of all respondents reported having some type of technological security training available at their firm.

Cybersecurity for Law Firms: What Legal Professionals Should Know, published by the ABA, states:

In the 2021 Verizon Data Breach Investigation Report, phishing was present in 36% of breaches. Other reports show that over 90% of cyber attacks begin with a phishing email and more than 97% of users cannot recognize a sophisticated phishing email.

Clearly, having users recognize and stop phishing attacks is an important first step.

Once awareness has been raised, the next step would be to put in place your firm’s technological policies, which codify what is, and what is not, the proper use of the firm’s IT resources. These would include your written cyber incident response plan, to be used in the event of an incident. The Blakes report noted that: “Only 29% of organizations that suffered a cyber incident had an effective incident response plan that they followed.”

Next would be to put into place your security tools, including firewalls, password managers, anti-malware, anti-spyware, email encryption and scanning. One important component would be a zero-knowledge, encrypted file storage service such as This is a Canadian product that backs up your data in the cloud in a manner that only you have the ability to decrypt the data, hopefully rendering it impervious to a ransomware attack.

Have an expert conduct a regular cyber assessment of your systems and policies to ensure that all is working as it should and that you can recover your data in the event of a breach.

Lastly, assess your cyber insurance coverage and benefits. LIF offers cyber insurance and cybersecurity coverage, including security monitoring and alerts, security services and training through Coalition, Inc.

When it comes to protecting the time-honoured tradition of solicitor-client confidentiality, it is good to know that an ounce (err, millilitre?) of prevention is worth a pound of attention after the fact.
