Washington Lawyer - November/December 2024 - 24

FEATURE
operate), operating systems, all kinds of applications like office software and web browsers, as well as their plugins and extensions. Uninstalling any software that is not needed for business is a sound idea. The less software you have, the fewer vulnerabilities your network contains. Whenever possible, enable automated updates; most modern software has this feature available. On a side note, briefly documenting your patch management policy and procedures will greatly enhance your cybersecurity documentation.

4. Enact a firm-wide data minimization and encryption strategy. The logic is simple and straightforward: Even the most experienced cyber gangs will not be able to steal the data that you do not have. Data minimization is arguably the cornerstone of privacy, expressly imposed by some state and federal laws. An additional benefit is a cost reduction for storage, backups, and other data-related needs. Furthermore, encryption is a must-have security control that should be enabled on all devices and layers of data processing, spanning from laptops and smartphones to emails, databases, and backups.

5. Configure continuous monitoring and threat detection systems. Proactive monitoring, detection, and neutralization of incoming cyber threats is essential to avoid falling victim to a costly data breach. Implement continuous security monitoring of all business-critical systems and data flows to scan all files and incoming emails and their attachments for malware and other malicious content. Outbound anomalies should also be detected and intercepted. A data leak prevention system can be beneficial, especially for large law firms, in detecting and preventing data exfiltration by malicious insiders and disgruntled employees trying to send a list of your most valuable clients to their personal email before moving to a competitor.

6. Set up a secure remote backup. A properly configured backup is the airbag of your cybersecurity. Storing backups only in your local network has proven to be a bad idea because ransomware groups swiftly locate such backups and encrypt them as a first priority. The best practice is to have a local backup for rapid recovery of accidentally deleted or lost files, combined with an external backup at a secure location managed and operated by a vetted third party. This will help your firm survive virtually any ransomware attack or other incident. Needless to say, backups should be encrypted.

7. Implement an identity and access management system with multifactor authentication. It may sound trivial, but managing user accounts, ranging from customer relationship management (CRM) and email accounts to admin credentials for a cloud backup management system, is a complex task that requires a thoughtful approach. Ideally, firms will create and maintain a holistic inventory of all accounts. The more privileges an account has, the more attention it deserves, including complex password requirements, logging of all its activities, and linking to a verified human identity authorized to use it. Last but not least, enable multifactor authentication wherever possible, covering all third-party platforms and websites, including LinkedIn.
8. Perform risk-based due diligence of your trusted third parties. Cybercriminals are smart and pragmatic: they always hit the weakest link. Frequently, they target underprotected IT support vendors, consultants, expert witnesses, or small accounting firms to grab the data of firms' wealthy and well-protected clients. It is paramount to understand and ensure, both technically and contractually, that any sensitive data entrusted to third parties has at least the same level of protection as your data stored locally. Creativity when drafting liability and indemnification clauses in a vendor contract may help; however, bear in mind that tech giants are unlikely to accept any nonstandard wording, while small firms may readily accept any unorthodox obligations but become insolvent and judgment-proof if a major incident occurs.

9. Conduct cybersecurity training and awareness. These two concepts should not be used interchangeably. The former is about developing new skills and sharing knowledge, while the latter is a continuous process to unobtrusively remind people to use and apply the newly acquired skills. For example, phishing training may be remembered for a couple of weeks, but if no reminders are made, the knowledge will gradually fade, eventually negating all your training efforts. Gamification with token rewards for the best performers is probably one of the most productive approaches to both training and awareness.

10. Address mobile and Internet of Things (IoT) security risks. Consider using privacy screens on laptops and mobile devices to avoid accidental exposure of client emails and the like to a neighboring passenger on a train or airplane. Ensure that any mobile devices used to access law firm data are encrypted, protected against password guessing attacks, can be wiped remotely in case of loss or theft, and have security hardening enabled, such as Lockdown Mode on iOS devices. Large law firms may consider using mobile device management systems to scale and automate secure device configuration and management. Finally, remind all employees to pay attention to their home IoT devices: Alexa or other smart objects may overhear a confidential discussion with a client and automatically send it to the cloud, raising serious questions of professional misconduct.

Although these 10 recommendations are not a silver bullet, when properly implemented they can help to considerably minimize the number of security incidents and data breaches, avoid bad publicity and unnecessary litigation costs, and comply with data protection and privacy laws and regulations.

Remember, as a lawyer you can proficiently manage your cybersecurity without pursuing a PhD in computer science. It's all about applying the reasoning, logic, and common sense that you certainly learned in law school.

Dr. Ilia Kolochenko is a cybersecurity and cybercrime investigation expert with more than 15 years of practice focused on data protection, privacy, and cybersecurity law. He is a member of the American Bar Association Information Security Committee, an adjunct professor of cybersecurity and cyber law at Capitol Technology University, and a CLE faculty member at the D.C. Bar.
Illustration: iStock
