Attorney: Cyber safety is vital for today's law firms


by Jeanine Matlow
Legal News

While attorneys are considered experts in the legal field, not all are well informed about information technology. Since law professionals are held to a higher ethical standard, cyber security is more important than ever before. In fact, hackers are lurking everywhere, even targeting small to medium-sized firms that may think they’re too small to be targeted.

Just ask Matt Loria, co-owner/CEO of Auxiom in Madison Heights that provides managed IT services to small and medium-sized companies. When helping others with technology concerns, Loria says security issues often come up and it’s obvious that many business owners are not aware of the high level of risk.

“Because IT issues are ongoing, there is no quick fix,” says Loria. “It can be a company dealing with credit card transactions or offering legal or other professional services. There is no business operating today that can function without technology.” 

It helps to understand the world of hackers. First, there are those who do targeted attacks, like trying to access someone’s bank account or other personal information. Others are always “pulsing the web” looking for a weak link out there, like a small business that thinks it can fly under the radar, but ends up vulnerable in the end. In that case, the hackers send their attack en masse looking for cracks.

“It might take a million e-mails before they find the weak link,” he says. “This is a very broad approach that might be ransomware or someone who tricks you into giving them your bank access or credit card information.”

Unfortunately, firewall protection isn’t always enough.

“It has to be up-to-date and the manufacturer must still support it,” says Loria. “As soon as it goes on the market, there’s a bad guy out there trying to poke holes in it. It’s a constant game of cat and mouse between the firewall manufacturer and the bad guys.” 

Since lawyers and other professionals, like those in the health care industry, take an oath to keep your information private, a breach could damage your business in more ways than one.

“Nobody wants this stuff to be stolen,” he says.

Outside forces are not the only concern, especially when you don’t have a sufficient backup system beyond the cloud.

“Someone could accidentally delete something that you need,” says Loria. “When it’s gone from here, it’s gone from there if you don’t back it up properly. If you have multiple employees and you fire someone, that person could delete a bunch of stuff that you need too.”

Most importantly, he says, “Don’t assume that you are covered. Have a qualified professional check it out to make sure you are protected and provide your company with a plan to become protected properly.”

Colin Battersby, a principal at the Detroit office of Miller Canfield in the firm’s Litigation and Dispute Resolution Group and co-leader of the firm’s Cyber Security and Data Privacy Team, offers some additional insight on the subject.

Having a repository of information makes you an automatic target for attacks that might be less frequent for small to medium-sized businesses, but they still happen, says Battersby.

“Many think cyber security is new or cutting edge. It’s seen as a futuristic type of concern, but it’s a present problem,” Battersby says. “It needs to be addressed and companies need to be proactive with a sound security program and employees that are well-trained about what to watch for, such as phishing emails, so they don’t click on a link that will download malware.” 

Law firms can take a hands-on approach for added protection.

“A lot of education and planning is necessary to be able to know what information they have and where they have it within their system. You also want to limit access to information to those individuals that actually need to have access to it to perform their jobs,” says Battersby.

“There’s a strong need to have an incident response plan to minimize the chaos that can come with an attack. Knowing ahead of time who at the company is going to be in charge and what external incident responders will be involved allows the focus to quickly zero in on stopping the breach and beginning remediation efforts, rather than wasting valuable time scrambling to assemble a team in the moment.” 

First you need to know what issues exist and where.

“There are always going to be hiccups,” he says. “You can do absolutely everything right and still get hacked. You can try to be Fort Knox, but then you make it too cumbersome to conduct your business.”

Battersby cites human error as the leading cause of hacks.

“Someone is going to click on something they shouldn’t. It’s the nature of the business, so you’re constantly looking at protections that will allow you to contain and limit the damage when it happens,” he says.

In addition, companies leave themselves vulnerable to attacks by failing to update their programs and devices when software patches are released, a surprisingly common oversight.  

Although nothing is a guarantee, law firms can help reduce the amount of damage that’s done and stop the bleeding quickly, says Battersby.

“A breach is going to happen; it’s just a matter of time. It’s not just an issue for some of the bigger firms. It’s an ‘everybody’ issue. Everyone has to have a plan in place to secure their information.”