Page 9 - NC Triangle Vol 7 No 2

CRAIG PETRONELLA | Cybersecurity
Your Best Defense: Cybersecurity Training, Prevention and Cyber Insurance
Insurance companies are among the growing chorus of those who say it’s not a matter of if your law firm will get hacked, it’s a matter of when. And that has given rise to more carriers offering cybersecurity insurance.
Think of cyber protection as a house with four doors: cybersecurity, training, prevention and cyber insurance. Locking just three of the doors won’t work when (not if) a burglar wants to get in.
“If I could convince people of one thing, it’s that security by anonymity is a myth. It’s not your typical hacker in a basement wearing a hoodie that’s trying to get into a small law firm’s systems,” Patrick Brown, Lawyer’s Mutual director of information security, told me in a recent interview. “It’s really bots circulating out there. It’s any home appliance, computer, tablet or smartphone connected to the Internet that gets infected with malware that goes around looking for unlocked doors.”
CYBER INSURANCE
“One of the common things we see is a firm will want cyber coverage, but what they’re really asking for is protection from the wire fraud scams that have become so prevalent in the last five or six years. A standard cyber insurance policy is a breach policy that covers first- and third-party calls associated with the aftermath of a data breach,” said Brown. “If coverage for funds transfer fraud is desired, some carriers require dual authorization for all wires over $25,000.”
TRAINING & PREVENTION
If a criminal tricks an attorney or one of the firm’s employees into voluntarily giving away your money, your client’s money or sensitive information, such as via a spoofed phishing e-mail from a colleague, it’s called ‘social engineering fraud.’ This is not covered by most cybersecurity insurance policies. It really comes down to a matter of training.
I tell law firm clients to train their employees not to click on everything that looks interesting. I recommend this training be done with your staff at least weekly in small bite-sized chunks, just a few minutes per week, followed by simulation tests to track which staff members are absorbing the material properly and which staff members are presenting a risk to your firm.
CYBERSECURITY
I recommend vulnerability tests and penetration tests to score your practice’s cybersecurity and fill the gaps. Penetration tests can typically be done in the $5,000 to $15,000 range depending on the size of the firm and the time spent on each IP address/system.
Most insurance carriers will require a law firm to have basic cybersecurity, which law firms should already have in place, such as using complex passwords. A firm should be changing their passwords every couple of months and not using the same passwords anywhere else. Enable multi-factor authentication. Encrypt everything: websites, storage, backups, email and keystrokes. Use commercial antivirus software and email. Avoid free software or free services such as Gmail, Yahoo, AOL, etc. Perform backups as often as possible and test them.
Some law firms may be depending on the vendors of practice management software to keep things secure. Hopefully, the firm implemented encryption on, at the very least, their mobile devices. But it’s not the vendor’s responsibility; it’s the law firm’s.
AttorneyAtLawMagazine.com
DO BALANCING ANALYSIS
“While the sky is the limit in terms of what you can spend on cybersecurity, it often comes down to dollars and cents. How sensitive is the information you are protecting and what is the damage caused by a breach versus the cost and inconvenience of taking the necessary security measures? You have to do that balancing analysis for your client’s data,” said Brown.
“Most small companies like law firms who have had a cyber attack go out of business within six months because they’ve had a loss of trust and a loss of reputation with their clients. In the event of a breach, the cost per record is $200 for the forensics, the recertification and everything else. Firms may have records going back 30 or 40 years. High volume firms such as real estate, personal injury and criminal defense firms could have tens of thousands of clients and millions of dollars in costs just responding to the breach,” Brown told me.
“Even if they have insurance, the policies for small firms cap out at $1-2 million. It’s so important to spend a little money up front to reduce the number of breaches,” said Brown. “It seems that some small firms are still reluctant to purchase cyber insurance policies that cost somewhere in the $2,000 range. That’s a lot of money for some small firms. The average cost for a breach is half a million dollars; so, it’s $2,000 now or half a million dollars later.”
Craig A. Petronella is the CEO of Petronella Technology Group, Inc., an internationally trusted IT cybersecurity group that specializes in helping law firms with training, security, and compliance. Get your FREE phishing email test at FreePhishTest.com. Craig has 30 years of experience, authored multiple books, including “How Hackers Can Crush Your Law Firm” and “Peace of Mind Computer Support.” For more information about a cybercrime risk assessment call 1-877-468-2721.