The State of Cybersecurity and the Law Firm
Legal Current caught up with Tim Murphy, president, Thomson Reuters Special Services, LLC and former deputy director, Federal Bureau of Investigation, following his panel session at the 7th Annual Law Firm CFO/CIO/COO Forum, held last week in New York. Tim’s panel, A Rumor of War: Regulation, Revelations & the State of Cybersecurity in 2017, focused on data security as a top priority for law firms.
According to Murphy, “cybersecurity is the most significant threat we have today. For law firms … for everybody – there is a significant risk and we have to stay on top of it.”
We hear and read about breaches in the news every day. Impacted businesses, firms or government organizations can expect bad press and a damaged reputation that can lead to a loss of clients. The impacted organization may also be subject to litigation and may even have to close.
“We have to remind ourselves that the entity that all of these bad things are happening to is a victim of the cyber attack,” said Murphy. “We know that for some organizations that have been breached, their first risk management decision is whether to even disclose that it happened. Think about the kinds of information that a law firm has in its data center. They huddle with general counsel and decide whether they are willing to turn their sensitive firm and client data over to the government.”
And compliance alone doesn’t make you secure. According to Murphy, there are some simple ways for an organization to have a high impact on its data security. “If a firm keeps up to date on its software patches (operating systems and applications), encrypts its most sensitive data, applies multifactor authentication for access, has strict controls around administrator rights, and trains its people, it will have managed 80-90 percent of its risk.”
Murphy said that the majority of successful attacks come through phishing. “You have to have various systems in place to mitigate cyber attacks, but training is the key. We get hundreds of emails a day and it’s easy to click on something at the end of a long day that looks like it’s from your boss or a client asking you to look at something. Simply scrolling over the name on the message to see where it’s coming from can prevent a lot of unnecessary trouble. If in doubt, calling your IT or cybersecurity staff is the right move.”
A lot of people are working hard – though Murphy would add that they aren’t working together – to address hacking and cybersecurity.
“I don’t see state or federal legislatures making great progress for managing this with policy,” said Murphy. “Cyber insurance is at an immature stage, and most insurance companies are unsure exactly how they are going to insure anyone. Are they insuring against brand reputation, destruction of data, litigation? I don’t think it’s as well defined today as it will be in five years. It’s starting to come together.
“This is the biggest threat in the world today,” Murphy added. “It used to be about stealing data, now it’s manipulating data or completely shutting down a firm’s technology.”
Murphy also believes that there should be many more public-private and private-private partnerships to address this growing issue. “If firms got together and shared what each is doing to defend itself or mitigate its threats, it would allow great strides in how we deal with cyber threats.”