Most law firms are just starting to think seriously about conducting cybersecurity assessments, and getting their policies and procedures into shape. For solo practitioners and small practices, cybersecurity can seem especially daunting. How do you build an effective cybersecurity program, no matter what your size? Here are nine building blocks of an effective cybersecurity program.
1. Choose and Use a Cybersecurity Controls Framework
The foundation of your cybersecurity program is your controls framework. A controls framework is just a “to-do” list for your organization’s cybersecurity program. It can include things like “Encrypt all smartphones and tablets containing confidential information,” or, “Apply security updates to desktops within 48 hours of release.”
The most important thing to remember is to pick a widely accepted cybersecurity controls framework to use as the basis for your cybersecurity program.
Many popular frameworks are available, such as the NIST Cybersecurity Framework (great for US-based organizations) or ISO 27001/2 (an international standard). By choosing a popular controls framework, you avoid reinventing the wheel, and benefit from all the hard work that hundreds of people put into development and revision.
You may be tempted to base your cybersecurity program on a list sent by one specific client. Resist this temptation. Other clients will follow with additional requests, or your first client will update their framework. You will save yourself time and headache in the long run if you do it right the first time and pick a widely accepted framework. Clients like to see this, too, because their regulators encourage the use of common frameworks.
Once you’ve picked a framework, use it! Conduct controls assessments regularly and track your progress over time.
As an example, here is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (also available in Excel). The NIST CSF Reference Tool is also useful.
2. Keep Track of Your Data
To secure your data, you first need to know where it is. Identify sensitive information and track where it is stored, processed and transmitted. Make sure to include mobile devices and USB drives. Decide whether staff may access and store data using personal devices.
The biggest hole in many firms’ security practices is remote access to email and files. Do your employees check email, view attachments, or download files on home computers and other personal devices? If so, your sensitive client information may also be on your employees’ home computers or phones. If employees leave or are terminated, or if their home computers are infected with malware or stolen, then your client data can be compromised. Make sure that you carefully think through the “flow” of all your information, and plan for these situations.
3. Maintain Policies and Procedures
Cybersecurity “audits” often draw heavily from your written policies and procedures. Before you conduct your first audit, make sure that you document all of your cybersecurity policies and procedures. Many organizations do the “right” thing in practice, but don’t get credit for it on a cybersecurity assessment because there’s no written documentation.
Important policies include an Acceptable Use Policy (AUP), which all staff members sign before using your firm’s IT resources, and a Data Classification Policy. The Data Classification Policy is fundamental for your cybersecurity program, because it clearly defines the types of information that you have, and the levels of confidentiality for each type. Only after you define your sensitive information can you develop proper handling procedures.
To speed policy development, you can purchase cybersecurity policy templates, or have a third party customize them for you. You can also develop your own, of course. Policy development is never a solo affair: you must get input from key stakeholders for policies to actually be useful. At LMG, we use a “workshop” process for development, in which a full document planner is produced at the start of the project, and then workshops are held with key stakeholders to get input on each policy as it is developed. This is an effective strategy, and the result is a set of policies that is actually useful, reflects reality, and is suitable for a cybersecurity audit.
4. Test Your Security
Does reality match what’s on paper? Conduct technical security testing. This can include penetration tests, vulnerability assessments, web application assessments, social engineering testing, and more.
Make sure to choose a third party that did not set up your network to conduct your technical security testing. That way, you have a separation between the party that created your IT setup, and the auditor. It can be tempting to just call your IT provider and ask it to conduct a vulnerability scan, but often a third party will catch details—such as weak passwords—that your everyday IT provider might not check or report.
Not sure where to start? Here’s some more detail about common types of testing:
- An external penetration test or vulnerability scan is a security assessment of your Internet-facing computers. If you’re a small firm, this might only include your firewall or VPN. It’s very important to get these high-risk systems checked regularly, because attackers on the Internet are constantly scanning for vulnerable computers.
- An internal penetration test or vulnerability scan is a security assessment of your company’s internal network—your desktops, servers, printers, even VoIP phones. You might think that these systems are lower risk because they’re not directly connected to the Internet, but many organizations are breached because a staff member clicks on a link in a phishing email, and their workstation gets infected. Today, your internal computers—such as your desktops—are often the weak link.
- A web application assessment is a security check of your web site. If you don’t have any sensitive information on your web page, then you might only care about this to protect your reputation. If you have a client login page, bill pay option or other sensitive information on your web site, then it’s very important to conduct a security assessment to ensure that you’re properly protecting your clients’ information.
- Social engineering testing is an assessment of your “human firewall”—in other words, do your staff click on links in phishing emails, or respond to phone scams? You can have a third party create fake phishing emails and track the number of clicks, or make phone calls to assess your staff’s susceptibility to phone scams. It’s always a good idea to announce well in advance that you’ll be conducting testing (without giving away the exact date), and make sure to provide everyone with clear training. Social engineering testing can be used to meet both training and testing requirements.
5. Assess Your Risk (Often)
Conduct an information security risk assessment at least annually, to identify your risks and develop a mitigation plan. Use a widely accepted risk assessment and management framework, such as NIST SP 800-30. Evaluate the potential impact of an incident, and the likelihood of occurrence. From that, give your risks ratings (you can use a quantitative scale, such as 1 through 5, or a qualitative scale, such as “High,” “Medium,” and “Low”).
A risk assessment is critical for prioritizing your cybersecurity “game plan.” When you conduct your cybersecurity audit, chances are you’re going to find a LOT of gaps. Don’t despair. The risk assessment gives you the opportunity to assess the risk associated with each security control, prioritize, and develop a long-term risk management plan. It’s normal for a risk management plan to address implementation of security controls over a three-to-five-year period, or more.
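The rating-and-prioritizing step described above, as an added example that is not part of the original article: likelihood and impact are scored 1 through 5, combined into a qualitative rating, and the resulting gaps are sorted into a multi-year plan. The 5x5 rating matrix, the year-by-rating schedule, and the sample register entries are this example's own assumptions, loosely modeled on NIST SP 800-30 rather than copied from it.

```python
# Added example (not from the article): a small risk register in the style of
# NIST SP 800-30. Likelihood and impact are rated 1..5; the 5x5 matrix and the
# year-by-rating schedule below are this example's own assumptions.
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Row = likelihood 1..5, column = impact 1..5: a rare event stays low even if
# severe; a near-certain event takes the level of its impact.
MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    ["Very Low", "Low", "Low", "Low", "Moderate"],
    ["Very Low", "Low", "Moderate", "Moderate", "High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
]
# Year of a three-year plan in which a control is scheduled, by risk rating.
YEAR_BY_LEVEL = {"Very High": 1, "High": 1, "Moderate": 2, "Low": 3, "Very Low": 3}
@dataclass
class Risk:
    name: str
    control: str      # the framework "to-do" item that mitigates this risk
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
def rate(risk: Risk) -> str:
    """Qualitative rating from the two 1..5 scores."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return MATRIX[risk.likelihood - 1][risk.impact - 1]

def prioritize(register: list[Risk]) -> list[tuple[str, str, str]]:
    """Order audit gaps by rating, then impact, into a mitigation list."""
    ranked = sorted(register, key=lambda r: (LEVELS.index(rate(r)), r.impact),
                    reverse=True)
    return [(r.name, rate(r), r.control) for r in ranked]

def plan_years(register: list[Risk], years: int = 3) -> dict[int, list[str]]:
    """Spread controls over a multi-year plan: worst-rated risks come first."""
    plan = {year: [] for year in range(1, years + 1)}
    for _name, level, control in prioritize(register):
        plan[min(years, YEAR_BY_LEVEL[level])].append(control)
    return plan

# Constructed register drawn from the risks the article mentions.
SAMPLE_REGISTER = [
    Risk("Unencrypted smartphone with client email lost", "Encrypt all smartphones and tablets", 4, 4),
    Risk("Staff member clicks a phishing link", "Phishing tests plus awareness training", 5, 5),
    Risk("Unpatched desktop exploited", "Apply security updates within 48 hours", 3, 5),
    Risk("Client files left on ex-employee's home PC", "Personal-device and remote-access policy", 3, 3),
    Risk("Public web site defaced (no client data)", "Web application assessment", 2, 2),
]
```

Calling `plan_years(SAMPLE_REGISTER)` puts the three High or Very High items in year 1, the Moderate item in year 2, and the Low item in year 3; the scale in the article's `years` parameter can be stretched to five or more.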
6. Get Insurance
You can’t solve information security issues overnight. Transfer risk to a third party by purchasing cybersecurity insurance. Make sure the policy you select covers your highest-risk scenarios.
Not all “cyber” insurance policies are created equal (and unfortunately, not all insurance agents understand what they’re selling). Make sure you have the coverage that your firm actually needs. For example, some policies (such as the Beazley Data Breach Response policy) are designed to cover HIPAA and PCI violations, as well as other regulatory non-compliance. Other policies are geared for direct financial losses due to wire transfer fraud.
If you manage trust accounts on behalf of clients, make sure you’re covered for direct cash losses in the event that a computer on your network is hacked and used to transfer funds.
Insurance policies often will cover indirect costs of a breach, such as public relations firm costs, attorneys’ fees, and credit monitoring/notification fees. Check that the limits of your policy are in line with the number of confidential records that you keep.
Whichever policy you choose, go through it carefully before you sign and:
- Develop a list of items that you will want to clearly agree upon in advance with your insurer, such as the names of approved providers for legal/breach response services, and any other items where advance approval would be appropriate. It is typically easier to get approval before signing any contract.
- Put together a list for your IT management of any technical requirements (for example, mobile device encryption) which you will need to have in place and documented for the insurance to be maximally effective.
- Plan to formally integrate your insurer’s breach response processes and documentation requirements into your firm’s incident response practices (that way you can take full advantage of the coverage and services, and don’t miss any notification deadlines).
- Note any contractual obligations required, such as documentation that you need to maintain with third party providers, that you may need to provide to your insurer in the event of a breach.
This is just a very high-level overview of cybersecurity insurance selection. Above all, consult with a qualified cybersecurity professional and have them review your cyber insurance quote before you sign.
7. Monitor Your IT
How do you know if you have a cybersecurity problem? Monitor your IT infrastructure. This includes network monitoring as well as security software installed on desktops, mobile devices, and servers.
Monitoring and security software won’t do you any good if your systems are constantly generating alerts, but no one has the time to read or respond to them. Make sure that you budget enough resources for staff and a third party to detect and respond to alerts. Two tactics that work:
- Leverage automation as much as possible. The less human involvement in your security systems, the better.
- Outsource. Your internal IT staff like to sleep and eat lunch. It takes a team of dozens of people working around the clock to properly monitor the network for even a small organization. Cybersecurity monitoring is one area where scale matters. Make sure to outsource to a security monitoring company that’s large enough to have multiple people watching at all hours. You can even hire third-party security professionals to test your monitoring service and make sure they catch attacks!
8. Prepare for a Breach
Every day, another company gets hacked and makes the news. Reduce your risk by planning ahead. The first step in planning for a breach is to formally designate responsibility for managing your firm’s incident response practice. Typically, this responsibility falls to a chief information security officer or information security manager. Make sure to assign responsibility in writing in a policy.
Next, assign members to your incident response team. Depending on your firm’s size, it’s often a good idea to create a “core” team, which includes your front-line responders (IT staff, help desk, etc.), and an “extended” team, which includes your firm’s general counsel, human resources, facilities, etc. Your core team should meet regularly (typically once every week or two). Your “extended” team members should be prepared to be involved in specific types of incidents, depending on their role.
Create formal policies and procedures for cybersecurity incident response. NIST has published a Computer Security Incident Response Guide that can help you develop appropriate policies and procedures.
Finally, practice! Make sure to run through “tabletop exercises” with your incident response team at least once a year, to ensure that your processes are working as expected. Regularly follow up after critical incidents to conduct “post-mortem” meetings so your team can learn and improve.
9. Train Your Staff and Your Customers
Humans are the most critical component of your security infrastructure. Conduct cybersecurity awareness training regularly for all of your employees, IT staff, and (yes) even your customers.
If your organization is small enough, you can conduct employee training all at once on a quarterly or annual basis, either live or via webinars. These can be approved as CLEs, so that attorneys can get cybersecurity training and credit at the same time. The latest trend in cybersecurity training is to offer a series of short, online videos with corresponding quizzes, available on-demand. Managers receive access to a portal where they can view staff progress and quiz results. This style of training is convenient and effective, as staff can digest information in bite-sized chunks, and managers can provide reports to auditors that demonstrate progress.
Training for your clients is both useful and an excellent way to provide additional value. Depending on your client base, your clients may appreciate training on topics ranging from how to use encrypted email to HIPAA Security Rule compliance. Consider providing lunch and education at the same time, to engage your client and reduce your collective cybersecurity risk.
About the Author
Sherri Davidoff is the CEO of LMG Security, which provides cybersecurity testing and audit services, digital forensics, and training. She will be presenting with Sharon Nelson at the ABA TECHSHOW on “Passing Your Cybersecurity Audit.” Contact Sherri at 855.LMG.8855.