Law firms are stewards of valuable, sensitive financial and client information and must remain trusted business partners.
With the scope and severity of cybercrime rising, don’t wait to optimize your firm’s approach to cybersecurity. Join Edward Keck Jr., Partner and Practice Leader of Withum’s Cyber and Information Security practice, and Bill Sansone, Partner and Practice Leader of Withum’s Law Firm Advisory team, to learn:
• How to manage the cybersecurity risks affecting law firms, including data breaches
• The value of going beyond what’s required to operate effectively in today’s digital landscape
• How to apply data security best practices and maintain good cyber hygiene at your firm
withum.com
Meet the Presenters
Edward Keck, Jr., MBA, CISSP, Partner; Market Leader, Cyber and Information Security Services
William E. Sansone, CPA, Partner; Practice Leader, Law Firm Advisory and Team Leader, Law Firms
Agenda
• Cybercrime continues to grow
• How to manage cybersecurity risks
• Handling data breaches
• The value of going beyond what’s required to operate effectively in today’s digital landscape
• Regulatory compliance vs. effective business objectives
• How to apply data security best practices and maintain good cyber hygiene at your firm
• Questions
Cybercrime Continues to Grow
Arctic Wolf reviewed the top 11 cyber attacks on law firms:
• Ransomware was involved in 4 of the 11
• Targeted hacking attacks in 2 of the 11 (these firms were specifically targeted based on the clients they served)
• Phishing was identified in 4 of the 11 attacks (and most likely was also involved in the 4 ransomware attacks)
Cybercrime Continues to Grow
According to a January 2023 Law.com article, law firm data breaches have grown significantly since the onset of COVID-19 in 2020. In 2020, law firm breaches impacted 46,000 Americans (from data reviewed for four representative states). In 2021, that number escalated to over 720,000 Americans.
2023 Verizon Data Breach Investigations Report
• 83% of breaches involve external threat actors
• 74% of breaches involved a human element (think phishing, accidental insider misuse or intentional insider threats)
• 49% of breaches involve stolen credentials
• 95% of breaches are motivated by financial gain
Managing Cybersecurity Risks
Know your risks
• Perform a risk assessment at least annually
• Be aware of the threats relevant to your firm and your clients
Have a plan
• This means having a formal information security program with policies that cover your firm
• Examples of policies to include: acceptable use, vulnerability and change management, risk management, audit and logging, business continuity, and incident response
Be educated and trained on your plan
• Your plan loses effectiveness if it just sits on a hard drive, in the cloud or printed out collecting dust. Responsible parties should be trained on their roles and responsibilities, and your team should practice together regularly.
Going Beyond What Is Required
Regulations are often minimum security standards that organizations are required to meet. These minimums do not consider your organization’s actual threat landscape or risk assessment.
What is your risk appetite?
How effective are the required controls for your firm?
• Consider HIPAA: has this regulation prevented breaches of ePHI?
Security Best Practices and Good Cyber Hygiene
In a Dark Reading article, Robert Lemos noted that nearly 80% of breaches could have been prevented by two things: multifactor authentication and comprehensive patching programs.
• Use multifactor authentication everywhere you can (and investigate how to implement it in the areas where you think you cannot)
• Over 721 million passwords were leaked in 2022
• Each account should have a unique password
  • Don’t reuse passwords
  • Don’t think that changing the last character of a password or adding a number to it makes it secure
• Patch your systems as soon as possible (think weeks, not months)
• Provide security awareness training for all your employees (think monthly, not yearly)
• Encrypt your devices
• Train employees on where they can and cannot store data
• Encrypt data in transit
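The warning that appending a number or swapping the last character does not make a password new is worth seeing in practice. The script below is an added example and is not part of the Withum presentation: it applies a handful of the mangling rules a password cracker runs against a small, constructed list of previously leaked passwords, recovers a "changed" password from its stored hash, and then reuses the same rules as a policy check that rejects trivially derived passwords. The leaked list, the reduced rule set, and the unsalted SHA-256 stand-in for a credential store are all assumptions made for the demonstration.

```python
import hashlib
import re
import string

# Constructed sample "leak": passwords an attacker already holds from an
# earlier breach. Real leaks run to hundreds of millions of entries; the
# mangling rules below are what a cracker applies to each one of them.
LEAKED_PASSWORDS = ["Password1", "Winter2023!", "lawfirm123"]

# Characters users typically tack on or swap in when forced to "change" a password.
SUFFIX_CHARS = string.digits + "!@#$"
LAST_CHAR_POOL = string.ascii_letters + string.digits + "!@#$%^&*"


def mangle(base):
    """Yield the trivial variants of `base` that rule-based cracking tries first.

    Assumption: this is a deliberately small subset of the rule sets that
    tools such as hashcat and John the Ripper ship with; it is enough to show
    why "add a number" or "change the last character" is not a new password.
    """
    yield base
    # Append one extra character: Password1 -> Password1!, Password12, ...
    for c in SUFFIX_CHARS:
        yield base + c
    # Append a recent year: lawfirm123 -> lawfirm1232024
    for year in range(2019, 2026):
        yield base + str(year)
    # Increment the last run of digits, keeping width and trailing symbols:
    # Password1 -> Password2, Winter2023! -> Winter2024!
    m = re.search(r"(\d+)(\D*)$", base)
    if m:
        digits, tail = m.group(1), m.group(2)
        bumped = str(int(digits) + 1).zfill(len(digits))
        yield base[: m.start(1)] + bumped + tail
    # Replace the last character: Password1 -> PasswordX, Password!, ...
    if base:
        for c in LAST_CHAR_POOL:
            yield base[:-1] + c
    # Case tricks: Password1 -> pASSWORD1, password1 -> Password1
    yield base.swapcase()
    yield base.capitalize()


def hash_pw(password):
    """Stand-in for the stored hash (assumption for the demo). Unsalted SHA-256
    keeps the example short; a real credential store uses a slow, salted hash
    (bcrypt/scrypt/Argon2), which slows this attack down but does not defeat it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, leaked=LEAKED_PASSWORDS):
    """Offline attack: hash every mangled variant of every leaked password and
    compare against the stolen hash. Returns the recovered password or None."""
    for old in leaked:
        for candidate in mangle(old):
            if hash_pw(candidate) == target_hash:
                return candidate
    return None


def is_trivial_variant(new_password, old_password):
    """Defensive use of the same rules: reject a proposed password that a
    cracker would reach from the user's previous one in a single step."""
    return new_password in set(mangle(old_password))


if __name__ == "__main__":
    # The "changed" password Password2 falls immediately to the leak plus rules.
    stolen = hash_pw("Password2")
    print("recovered:", crack(stolen))  # recovered: Password2
    print("Password1 -> Password2 allowed?", not is_trivial_variant("Password2", "Password1"))
    print("Password1 -> tr0ub4dor&3 allowed?", not is_trivial_variant("tr0ub4dor&3", "Password1"))
```

The attack side needs no network and no knowledge of the user: it only needs the old leaked value and a few rules, which is why a unique, unrelated password per account (ideally generated by a password manager) and MFA on top are the controls that actually help. The defensive check is the same rule set turned around; a real password-change handler would run it against the user's previous password hashes (comparing hashes of each variant, since the old plaintext is not stored) and against a breached-password list.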