Washington Lawyer - November/December 2024 - 24
FEATURE
operate), operating systems, all kinds of applications like office software
and web browsers, as well as their plugins and extensions. Uninstalling
any software that is not needed for business is a sound
idea. The less software you have, the fewer vulnerabilities your network
contains. Whenever possible, enable automated updates; most
modern software has this feature available. On a side note, briefly
documenting your patch management policy and procedures will
greatly enhance your cybersecurity documentation.
4. Enact firm-wide data minimization and encryption strategy. The logic
is simple and straightforward: Even the most experienced cyber
gangs will not be able to steal the data that you do not have. Data
minimization is arguably the cornerstone of privacy, expressly imposed
by some state and federal laws. An additional benefit is a cost
reduction for storage, backups, and other data-related needs. Furthermore,
encryption is a must-have security control that should be
enabled on all devices and layers of data processing, spanning
from laptops and smartphones to emails, databases,
and backups
5. Configure continuous monitoring and threat detection
systems. Proactive monitoring, detection,
and neutralization of incoming cyber
threats is essential to avoid falling victim to
a costly data breach. Implement continuous
security monitoring of all businesscritical
systems and data flows to scan all
files and incoming emails and their attachments
for malware and other malicious
content. Outbound anomalies should also
be detected and intercepted. A data leak prevention
system can be beneficial, especially for
large law firms, in detecting and preventing data
exfiltration by malicious insiders and disgruntled employees
trying to send a list of your most valuable clients
to their personal email before moving to a competitor.
6. Set up a secure remote backup. A properly configured backup is the
airbag of your cybersecurity. Storing backups only in your local network
has proven to be a bad idea because ransomware groups
swiftly locate such backups and encrypt them as a first priority. The
best practice is to have a local backup for rapid recovery of accidentally
deleted or lost files, combined with an external backup at a secure
location managed and operated by a vetted third party. This
will help your firm survive virtually any ransomware attack or other
incident. Needless to say, backups should be encrypted.
7. Implement an identity and access management system with multifactor
authentication. It may sound trivial, but managing user accounts,
ranging from customer relationship management (CRM) and
email accounts to admin credentials from a cloud backup management
system, is a complex task that requires a thoughtful approach.
Ideally, firms will create and maintain a holistic inventory of all accounts.
The more privileges an account has, the more attention it
deserves, including complex password requirements, logging of all
its activities, and linking to a verified human identity authorized to
use it. Last but not least, enable multifactor authentication wherever
possible, covering all third-party platforms and websites, including
LinkedIn.
24 WASHINGTON LAWYER
* NOVEMBER/DECEMBER 2024
8. Perform risk-based due diligence of your trusted third parties. Cybercriminals
are smart and pragmatic - they always hit the weakest
link. Frequently, they target underprotected IT support vendors,
consultants, expert witnesses, or small accounting firms to grab the
data of firms' wealthy and well-protected clients. It is paramount to
understand and ensure, both technically and contractually, that any
sensitive data entrusted to third parties has at least the same level of
protection as your data stored locally. Creativity when drafting liability
and indemnification clauses in a vendor contract may help; however,
bear in mind that tech giants will unlikely accept any nonstandard
wording, while small firms may readily accept any unorthodox
obligations but become insolvent and judgment-proof if a major incident
occurs.
9. Conduct cybersecurity training and awareness. These two concepts
should not be used interchangeably. The former is about developing
new skills and sharing knowledge, while the latter is a continuous
process to unobtrusively remind people to use and
apply the newly acquired skills. For example, phishing
training may be remembered for a couple of weeks,
but if no reminders are made, the knowledge will
gradually fade eventually, negating all your training
efforts. Gamification with token rewards for
the best performers is probably one of the
most productive approaches to both training
and awareness.
10. Address mobile and Internet of Things
(IoT) security risks. Consider using privacy
screens on laptops and mobile devices to avoid
accidental exposure of client emails and the like to
a neighboring passenger on a train or airplane. Ensure
that any mobile devices used to access law firm
data are encrypted, protected against password guessing
attacks, can be wiped remotely in case of loss or theft, and have
security hardening enabled, such as Lockdown Mode on iOS devices.
Large law firms may consider using mobile device management
systems to scale and automate secure device configuration and
management. Finally, remind all employees to pay attention to their
home IoT devices: Alexa or other smart objects may overhear a confidential
discussion with a client and automatically send it to the
cloud, raising serious questions of professional misconduct.
Although these 10 recommendations are not a silver bullet, when properly
implemented they can help to considerably minimize the number of
security incidents and data breaches, avoid bad publicity and unnecessary
litigation costs, and comply with data protection and privacy laws
and regulations.
Remember, as a lawyer you can proficiently manage your cybersecurity
without pursuing a PhD in computer science. It's all about applying
reasoning, logic, and common sense that you certainly learned in law
school.
Dr. Ilia Kolochenko is a cybersecurity and cybercrime investigation expert
with more than 15 years of practice focused on data protection, privacy, and
cybersecurity law. He is a member of the American Bar Association Information
Security Committee, an adjunct professor of cybersecurity and cyber law
at Capitol Technology University, and a CLE faculty member at the D.C. Bar.
Illustration: iStock
Washington Lawyer - November/December 2024
Table of Contents for the Digital Edition of Washington Lawyer - November/December 2024
Washington Lawyer - November/December 2024
Digital Extras
From Our President
Calendar
Practice Management
Toward Well-Being
Court Simplified feature
Erin Larkin feature
Navigating the Court feature
Demystifying the Corporate Transparency Act feature
Erin Larkin feature
Data Breach Readiness feature
Member Spotlight - Murray Scheel
On Further Review
Newly Minted
Worth Reading
Attorney Briefs
Speaking of Ethics
Disciplinary Summaries
Pro Bono Effect
A Slice of Wry
Washington Lawyer - November/December 2024 - Washington Lawyer - November/December 2024
Washington Lawyer - November/December 2024 - Cover2
Washington Lawyer - November/December 2024 - 1
Washington Lawyer - November/December 2024 - 2
Washington Lawyer - November/December 2024 - 3
Washington Lawyer - November/December 2024 - Digital Extras
Washington Lawyer - November/December 2024 - 5
Washington Lawyer - November/December 2024 - From Our President
Washington Lawyer - November/December 2024 - Calendar
Washington Lawyer - November/December 2024 - Practice Management
Washington Lawyer - November/December 2024 - Toward Well-Being
Washington Lawyer - November/December 2024 - Court Simplified feature
Washington Lawyer - November/December 2024 - 11
Washington Lawyer - November/December 2024 - 12
Washington Lawyer - November/December 2024 - 13
Washington Lawyer - November/December 2024 - Erin Larkin feature
Washington Lawyer - November/December 2024 - 15
Washington Lawyer - November/December 2024 - Navigating the Court feature
Washington Lawyer - November/December 2024 - 17
Washington Lawyer - November/December 2024 - Demystifying the Corporate Transparency Act feature
Washington Lawyer - November/December 2024 - 19
Washington Lawyer - November/December 2024 - Erin Larkin feature
Washington Lawyer - November/December 2024 - 21
Washington Lawyer - November/December 2024 - Data Breach Readiness feature
Washington Lawyer - November/December 2024 - 23
Washington Lawyer - November/December 2024 - 24
Washington Lawyer - November/December 2024 - 25
Washington Lawyer - November/December 2024 - Member Spotlight - Murray Scheel
Washington Lawyer - November/December 2024 - 27
Washington Lawyer - November/December 2024 - On Further Review
Washington Lawyer - November/December 2024 - 29
Washington Lawyer - November/December 2024 - Newly Minted
Washington Lawyer - November/December 2024 - 31
Washington Lawyer - November/December 2024 - Worth Reading
Washington Lawyer - November/December 2024 - 33
Washington Lawyer - November/December 2024 - Attorney Briefs
Washington Lawyer - November/December 2024 - 35
Washington Lawyer - November/December 2024 - Speaking of Ethics
Washington Lawyer - November/December 2024 - 37
Washington Lawyer - November/December 2024 - Disciplinary Summaries
Washington Lawyer - November/December 2024 - 39
Washington Lawyer - November/December 2024 - 40
Washington Lawyer - November/December 2024 - 41
Washington Lawyer - November/December 2024 - Pro Bono Effect
Washington Lawyer - November/December 2024 - 43
Washington Lawyer - November/December 2024 - 44
Washington Lawyer - November/December 2024 - 45
Washington Lawyer - November/December 2024 - 46
Washington Lawyer - November/December 2024 - 47
Washington Lawyer - November/December 2024 - A Slice of Wry
Washington Lawyer - November/December 2024 - Cover3
Washington Lawyer - November/December 2024 - Cover4
https://washingtonlawyer.dcbar.org/novemberdecember2024
https://washingtonlawyer.dcbar.org/septemberoctober2024
https://washingtonlawyer.dcbar.org/julyaugust2024
https://washingtonlawyer.dcbar.org/mayjune2024
https://washingtonlawyer.dcbar.org/marchapril2024
https://washingtonlawyer.dcbar.org/januaryfebruary2024
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/novemberdecember2022
https://washingtonlawyer.dcbar.org/januaryfebruary2022
https://washingtonlawyer.dcbar.org/januaryfebruary2022
https://washingtonlawyer.dcbar.org/januaryfebruary2022
https://washingtonlawyer.dcbar.org/januaryfebruary2022
https://washingtonlawyer.dcbar.org/januaryfebruary2022
https://washingtonlawyer.dcbar.org/novemberdecember2021
https://washingtonlawyer.dcbar.org/julyaugust2021
https://washingtonlawyer.dcbar.org/julyaugust2021
https://washingtonlawyer.dcbar.org/marchapril2021
https://washingtonlawyer.dcbar.org/marchapril2021
http://washingtonlawyer.dcbar.org/novemberdecember2020
https://washingtonlawyer.dcbar.org/novemberdecember2020
https://washingtonlawyer.dcbar.org/septemberoctober2020
https://washingtonlawyer.dcbar.org/julyaugust2020
https://washingtonlawyer.dcbar.org/june2020
https://washingtonlawyer.dcbar.org/may2020
https://washingtonlawyer.dcbar.org/march2020
https://washingtonlawyer.dcbar.org/january2020
https://washingtonlawyer.dcbar.org/november2019
https://washingtonlawyer.dcbar.org/october2019
https://washingtonlawyer.dcbar.org/september2019
https://washingtonlawyer.dcbar.org/julyaugust2019
https://washingtonlawyer.dcbar.org/june2019
https://washingtonlawyer.dcbar.org/may2019
https://washingtonlawyer.dcbar.org/april2019
https://washingtonlawyer.dcbar.org/march2019
https://washingtonlawyer.dcbar.org/january2019
https://washingtonlawyer.dcbar.org/november2018
https://washingtonlawyer.dcbar.org/november2018
https://washingtonlawyer.dcbar.org/november2018
https://washingtonlawyer.dcbar.org/august2018
https://washingtonlawyer.dcbar.org/august2018
https://washingtonlawyer.dcbar.org/June/July2018
https://washingtonlawyer.dcbar.org/april2018
https://washingtonlawyer.dcbar.org/March2018
https://washingtonlawyer.dcbar.org/February2018
https://washingtonlawyer.dcbar.org/january2018
http://washingtonlawyer.dcbar.org/december2017
http://washingtonlawyer.dcbar.org/November2017
http://washingtonlawyer.dcbar.org/september 2017
http://washingtonlawyer.dcbar.org/september 2017
http://washingtonlawyer.dcbar.org/august2017
http://washingtonlawyer.dcbar.org/july2017
http://washingtonlawyer.dcbar.org/June2017
http://washingtonlawyer.dcbar.org/may2017
http://washingtonlawyer.dcbar.org/april2017
http://washingtonlawyer.dcbar.org/march2017
http://washingtonlawyer.dcbar.org/february2017
http://washingtonlawyer.dcbar.org/january2017
http://washingtonlawyer.dcbar.org/december2016
http://washingtonlawyer.dcbar.org/november2016/
http://washingtonlawyer.dcbar.org/october2016
http://washingtonlawyer.dcbar.org/september2016
https://www.nxtbookmedia.com