Page 23 - NC Triangle Vol 7 No 3

CRAIG PETRONELLA | Cybersecurity
Discovering and Planning to Plug Your Cybersecurity Gaps
In prior columns, I’ve written about cyber attacks that can be very costly or even fatal to a law firm. Now let’s look at the steps your firm can take for discovering and planning to plug the cybersecurity gaps that are leaving your firm’s data and your client’s data vulnerable to attack or theft.
This analysis is not something you will want to attempt yourself. You’ll need an outside consultant that specializes in cybersecurity and is current on the almost daily new forms of cyber attacks.
REALFIRM, LLC
While every law firm is a potential target, real estate firms are sometimes the biggest targets for hackers because of the size of wire transfers which are vulnerable to interception.
I’ve created a cybersecurity plan for a mythical residential real estate law firm called, RealFirm, LLC.
RealFirm provides real estate services and consulting to consumers. It has five employees who work remotely, often from their homes or hotels. The firm leverages Microsoft Office 365 for email and office collaboration. RealFirm wants to achieve compliance with its cybersecurity system that meets minimum acceptable implementation of cybersafety policies, protocols, and controls and level up as required by clients or market conditions.
HERE ARE THE FIVE STEPS.
1. Discovery Review
2. Initial Report
3. Situation Review
4. Remediation Plan
5. Achieved Compliance
Let’s start with the first three steps, Discovery, Initial Report, and Situation review. They would be analogous to going to the doctor with an ache or pain, the doctor running tests then reading the results. During Discovery, we’d be looking for these gaps:
• Failure to identify and block cybercrime such as phishing attacks.
• Breached regulations for privacy and confidentiality.
• Inadequate training of RealFirm’s staff in basic cybersafety.
• Insufficient protection of RealFirm’s physical offices and workers.
• Unauthorized access to RealFirm’s other high value areas such as network operating rooms.
1. DISCOVERY
Discovery involves a set of interviews with RealFirm’s partners, attorneys, key staff, and vendors.
We would start with a self-reported inventory (input worksheets) of endpoints, network equipment, connected wearables, installed software, cloud accounts, and information security controls.
We would remotely scan and inspect what RealFirm has in place such as its information technology: hardware, software, and services to determine threat landscape and potential vulnerabilities. We may also use a Wi-Fi app that detects and profiles all connected/hackable devices.
Many of RealFirm’s employees work at home and access the Internet via their consumer Internet Service Provider (ISP) to which all family members attach an average of 19 endpoint devices, such as computers, tablets, phones, home security, ebook readers, and thermostats, etc.
This is an easy fix right now with a Virtual Private Network (VPN) for all business-related work and by segmenting business-related endpoints from home/consumer endpoints (on a business class router). Providers like Norton can do this for around $8/month.
2. INITIAL REPORT OF FINDINGS
From our Discovery, RealFirm would have a comprehensive, easy to understand summary of its current vulnerabilities. This would include scoring risks and potential infractions (that could lead to penalties/fines).
3. SITUATION REVIEW
The Situation Review would look at the broad landscape of areas where the firm’s cybersecurity needs to be beefed up. We’d establish priorities, a timeline, and begin to discuss a budget.
4. REMEDIATION PLAN
The remediation plan for RealFirm would be based on the Situation Review and the level of security the firm wants to implement. The cost to create or update the cybersecurity plan revised and in place would be about 5% of revenue for that first year.
The annual cost for on-going support and maintenance would be around 1% of annual revenue. Contrast that with the potential damages from a cyber attack that could cost RealFirm as much as $300,000.
Cybersecurity has become a cost of practicing law, just like the various kinds of business insurance your firm buys. You hate writing that check ... but with the protection and peace of mind it provides you don’t dare run your firm without it.
In my next column, I’ll tell you about the gaps we found in RealFirm’s information system and the plan, cost and timeline to achieve the firm’s compliance goals.
AttorneyAtLawMagazine.com
Craig A. Petronella is the CEO of Petronella Technology Group, Inc. (PTG), an internationally trusted IT cybersecurity group that specializes in helping law firms with training, security, and compliance. Get your FREE phishing email test at FreePhishTest.com. Craig has 30 years of experience, authored multiple books, including “How Hackers Can Crush Your Law Firm,” and “Peace of Mind Computer Support.” For more information about a cybercrime risk assessment call 1-877-468-2721.