Member of Meritas global alliance of law firms says stopping hackers entering 'front door' is key
When working with clients on cybersecurity issues, one of the biggest misconceptions is that the risks are always external, says Winnipeg-based lawyer Andrew Buck of Pitblado Law. In fact, securing data from hackers is often best done with internal policies to address cybersecurity threats.
“When you think cybersecurity, you think about the hacker sitting in a basement in sweatpants, and certainly those risks are out there, and you need to address that,” says Buck. “But I think that an important trend that many businesses are picking up on is that they may be behind the curve on dealing with internal threats,” says Buck.
Not that employees are doing anything malicious, he says. It’s more a case of hackers “not having to go through the back door if they’re being let in the front door” by staff who aren’t adequately trained or not following policies designed to prevent data breaches.
Buck, whose firm is part of the international legal network Meritas, a global alliance of independent law firms, says that, for the most part, people are familiar with terms like “phishing” and “spoofing” and will delete emails and texts they think may come from a hacker.
“But every once in a while, someone will click on a link they should not have clicked on,” especially if they think the email is coming from a colleague or manager.
“The awareness and training part of cybersecurity is the biggest piece,” says Buck. He is a member of the privacy and data security network with Meritas. This forum allows Meritas members to stay aware of changes in privacy laws and data security risks and share best practices across Canada and other global markets.
“Of course, firewalls and two-factor authentication on the IT end is important but making sure an organization has its internal privacy house in order is key.” He adds that this can be the “low-hanging fruit” in creating better cybersecurity.
Buck adds that COVID-19 and the trend for work-at-home arrangements can also be a cybersecurity threat – from both a technological and psychological standpoint. He notes that when people were locked down, they were likely not used to working remotely. They may not have had the best setup, and there can be distractions ranging from children to service and delivery people.
“You’re not as focused as you’d like to be, you’re thinking about these situational things, and that makes you more vulnerable,” he says, making someone more likely to fall for a phishing or spoofing scam.
“If you think about it, you can usually sniff them out and delete, but if you are psychologically compromised because you’re dealing with all these things you haven’t had to deal with before.”
And then, “in terms of the technical side of cybersecurity,” Buck says, “things as simple as network security” can lead to cybersecurity problems. “So, you have to ask Are we using VPN? Are we using two-factor authentication? Have you reset the manufacturer’s password on the router?”
Sona Pancholy, president and CEO of Meritas, says that law firms are increasingly at risk for cyber-attacks, a “threat that puts their own business and that of their clients in jeopardy.”
Pancholy says Meritas has established a set of 10 essential standards that law firms in the network are expected to meet. These standards were designed to educate our firms about the key areas they should focus on and the steps they should take.
Since 2018, Meritas has required its member firms to annually review the standards and assess their own firm’s programs against the standards. Adds Pancholy: “To successfully meet the standards, firms must have information security, risk assessments, technical and physical safeguards, employee training, third-party risk management, and business continuity plans in place, along with a breach response process.”
This program ensures that clients working with Meritas firms “do so with the confidence that the firms are well aware of cybersecurity risks and have taken industry best practices to protect the client and the firm.”
Buck says that by being part of Meritas, he has access to a “wealth of resources,” that can help him stay up to date on the latest in cybersecurity trends and find the appropriate help for clients when needed.
“So, if you have a situation where you’ve got a data security incident, and it’s across a number of different jurisdictions, it’s quite simple to use the Meritas network to find out who has the expertise in this area.” It also helps him keep abreast of the “highest possible denominator” in cybersecurity standards around the world.
Buck says, from a legal perspective, the most important thing he can do to assist clients is to raise awareness of cybersecurity issues. A sound security system doesn’t prevent a business from an attack as the technology evolves but having best practices in place is essential.
“A lawyer can advise on what sort of system is important and what to keep in mind, Buck says, but ultimately, “it’s incumbent on the organization to either use internal resources or obtain external resources to get these systems up running.”
Having best practices and systems in place – from proper training of staff and password change policy to data segregation and the technology used – can also help minimize the damage a cyberattack causes to an organization. Cybersecurity insurance is growing in popularity, Buck says, but policies can be very specific about what they will and will not cover and under what conditions.
“If you’re not doing certain things that your policy requires you to do, you may end up being disentitled to a premium rebate, or worst-case scenario, not getting the coverage that your policy would otherwise provide to you if you were a victim of an attack.”
Buck says that having an organization’s “privacy champion” is crucial to developing a solid cybersecurity plan. “This is a person at your organization that has some influence with the c-suite and proactively keeps up to speed on the issues, not just deal with problems after they arise.” As well, says Buck, such a champion can “take ownership for instituting that culture of privacy.”