Law Firm Cybersecurity: Does Your Firm Measure Up?

At Integris, law firms were our first clients. Today, we’re incredibly proud to say we’re providing managed IT services to more than 150 law firms across the US, and the legal industry is one of our largest client categories.

Most law firms come to us needing a lot of IT help. Hands down, the biggest area where they’re lacking is in cybersecurity. For most firms, that usually means taking on a completely unnecessary and breathtaking amount of risk.

Fortunately, cybersecurity solutions are affordable, scalable, and customized to the needs of law firms. The key is finding and mitigating those risks, of course. That’s why we’ve developed this handy law firm cybersecurity self-assessment tool. Please give it a spin and read on. We’ll break down each of the questions, discuss why they’re essential, and sprinkle in a few statistics on law firm cybersecurity courtesy of the 2023 Bar Association Cybersecurity Tech Report.

Let’s get into it.

#1—Do you have antivirus and endpoint protection software installed on all your company devices?

According to the ABA, law firms are doing decently well on spam/virus detection. Their survey revealed that 80% of firms have a spam filter, 76% have a firewall, and 71% have some kind of anti-spyware tool monitoring their systems.

However, I’d like to take this opportunity to point out Endpoint Detection and Response (EDR)—the gold standard for modern-day security filters. EDR uses machine learning to learn what normal patterns of work look like on your company-issued laptops, phones, and tablets. Because it understands the rhythms of each machine, it can quickly notice unusual activity such as malware and ransomware. When it does, the anomaly is flagged, isolated, and remediated before it can do any more damage to your system.

This tool has the power to weed out the lion’s share of threats entering your systems. It’s one of the most important cybersecurity investments you can make, no matter your firm’s size and scope.

#2—Does your firm provide cybersecurity awareness training for all staff and lawyers in your firm?

While we weren’t successful in finding reliable statistics on cybersecurity training at law firms, Statista recently released numbers saying approximately 32% of all companies have used online cybersecurity training programs for their staff. In our experience, that number is a lot lower for law firms, which generally assume they are too small or too poorly resourced for such a large-scale effort.

I’m happy to tell you this isn’t at all the case. Monthly cybersecurity training for your lawyers and staffers can be purchased at a very reasonable per-seat cost. Contact your IT department or MSP to set up these easy-to-use programs. Best of all, most of these programs come with built-in user testing and tracking. The documentation from these tests will show you how well everyone understands the lessons and serve as great third-party proof of your cybersecurity best practices.

#3—Is everyone on your staff required to use a password vault or password manager?

The importance and confidentiality of the documents you handle at a law firm go without saying. This is especially true when you handle client documents containing data protected by regulations like HIPAA, GDPR, or others.

That’s why it’s particularly depressing to see only 33% of firms require their lawyers and staffers to use a password vault to manage their passwords. Tools such as LastPass or 1Password are cheap and easy to implement—potentially saving your team the agony of late-night panics from password logouts, man-in-the-middle attacks, and more. Suffice it to say, if anyone on your staff has a written password book or sticky notes with their passwords stuck to their desk, it’s time to get vigilant about password vault use.

#4—Does your firm enforce multi-factor authentication (MFA) or single sign-on (SSO) for logins?

Multi-factor authentication and single sign-on programs are among the best resources in your cybersecurity toolkit. This simple control requires employees to sign on with their username and password and then verify their identity through a secondary device—usually their phone. MFA eliminates issues that come from having credentials stolen or spoofed, reducing the chances of bad actors breaking into your system almost completely.

Only 53 percent of law firms surveyed reported having this tool. It should be 100 percent. It is truly critical to the health of your system. We usually recommend pairing this with a Zero Trust system, which continuously authenticates users as they work.

#5—In the event of a natural disaster, outage, or ransomware attack, do you have a written business continuity plan with written IT procedures?

Cybersecurity professionals say written policies are the core of your security effort. Why? Written cybersecurity plans, policies, and procedures ensure that everyone on your team agrees on how to prevent and respond to cybersecurity incidents. These documents save your firm time and money and provide proof of your good cybersecurity practices.

The policies also have an important training function, educating everyone on your systems and on how to work safely and effectively. The ABA reports the following policy usage rates: 55% for email use policy, 51% for internet use policy, 50% for computer acceptable use, 50% for remote access, and 44% for social media acceptable use. With AI tools now being widely adopted, we also recommend an AI Acceptable Use Policy.

There was a big downturn in the number of firms having an incident response plan, with only 34% of respondents reporting in the affirmative, down from 42% last year.

#6—Do you have an offsite backup for both the data held on your onsite servers and the data stored in your cloud programs like Microsoft 365 (M365)?

The growth of the cloud has given rise to a whole new slate of affordable options for backing up your data offsite, even for smaller firms. Yet, it appears most law firms haven’t gotten this memo.

The Bar Association reports that only 43 percent of firms use online backups such as Mozy, Carbonite, etc. About 32% use an external hard drive, 15% use Network Attached Storage, and 25% have informal offsite storage at their homes, bank, or other offices. They also noted some firms are still clinging to legacy backup solutions such as—seriously—tape, optical disk, and CD.

At a law firm, time is money, and data safety is everything. We recommend offsite cloud storage and, often, a redundant cloud backup on top of that. Losing your data should never be a concern.

#7—During an outage, do you know how long it would take to retrieve your data and keep running (Recovery Time Objective, or RTO) and how much data you would lose before your system can recover it (Recovery Point Objective, or RPO)? Are your RTO and RPO calibrated to the needs of your firm?

It’s not enough just to have a cloud backup. You need the kind of backup that can be retrieved on your time frame in the event of an emergency. You also need to be sure that the gap between your backups isn’t so long that critical data is lost in the process. How you set your RTO and RPO will determine the price of your backup effort. Your IT department or IT MSP can help you fine-tune your backup and get the right solution in place for you.

 

#8—Do you have an offboarding process for locking and wiping devices and ensuring offboarded employees cannot access applications and firm data?

This process will go far more easily if you have other processes in place, such as password-protected files, well-organized document vaults, and strict policies that ensure your firm’s work is stored in all the right workspaces. Add written onboarding and offboarding procedures to the mix, and you’ll save your firm a lot of headaches.

#9—Does your firm have the ability to push software updates to all devices on your system and ensure security compliance?

With more law firms moving their operations to the cloud than ever before, automatic updates are now common, especially for foundational platforms like Microsoft 365. But what about the other software your firm is using? Is it being automatically updated as well? Are those auto-updates playing well together?

Answer those questions if you want a safe tech foundation for your firm. Then, make sure you have the right IT governance to manage these issues.

#10—Have you purchased cyber risk insurance to protect your firm from hacks and data breaches?

Here at Integris, we recommend that every firm purchase cyber risk insurance, regardless of size. For law firms, there’s simply too much on the line.

Yet, I’m continually surprised by the stats that show how few firms have this protection. According to the latest ABA report, only 40% of overall respondents reported their firms had cyber risk insurance. Larger law firms, not surprisingly, were somewhat more likely to make the investment, with 59% of firms between 50 and 99 lawyers and 57% of firms with 100 to 499 employees saying they’ve purchased these policies.

Perhaps the most mystifying statistics concerned the largest and smallest firms, which somehow managed to have the lowest insured rates. Only 37% of surveyed firms with over 500 lawyers had cyber risk insurance, down from 42% in 2022. Only 31% of solo attorneys had coverage, down from 38% in 2022.

This is a critical oversight. Consider this question from the same report: “Has your firm ever experienced a security breach (such as a lost or stolen computer, a serious hack, break-in, or website exploit)?” A full 29 percent of all firms surveyed said they had—in the last calendar year. Another 19% said they did not know whether a breach had happened. Would you want to take a gamble with that kind of math?

Cyber risk insurance can cover the expensive IT remediation needed when a breach or outage occurs, as well as lost business, damages, and more. Best of all, it can be custom-tailored to your firm’s size, risk, and budget.

Want to Harden Your Firm’s Cybersecurity Defenses? Integris Can Help.

At Integris, we help law firms nationwide with cybersecurity, cloud productivity, IT ticketing/on-call service, and vCISO consulting. Our cyber risk insurance partners can also fast-track your coverage. We’d love to help you get the right mix of cybersecurity protections for your firm. Contact us today for a free consultation.

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.
