Written by the following Webster experts: Jordan Arovas, Senior Vice President; Brian Boyd, Senior Associate Counsel; and Steven Dow, Senior Vice President
Consider the cutting-edge intellectual property and privileged client information in your firm’s data files. They’re a prime target for hackers. Nowadays, criminals are especially interested in obtaining personal and financial information that can be sold on the dark web. Even though law firms maintain the highest possible standards of confidentiality, their cyber security can be an entirely different story.
Sophisticated high-tech crime is ever-evolving, and cyber criminals keep developing devious workarounds to infiltrate your defenses. They don’t always need technology to break in; rather, they prey upon goodwill. They use social engineering—playing upon the honest trust of your staff. For example:
One of your paralegals gets an email from the Managing Partner: “I need the XYZ files immediately. Please forward.”
It looks legitimate. What your staff doesn’t know is this: Hackers have spoofed you. They penetrated the Managing Partner’s email account—possibly weeks or even months ago. They’ve been watching your transaction history, including dollar amounts exchanged—highly specific information which can make their request seem credible.
Now they’re counting on your staff’s cooperation.
High-tech attack, low-tech solution
The answer is due diligence (with a decidedly low-tech response): calling the Managing Partner to confirm the request—before you press “Send.” With any suspicious email from a colleague, client or vendor, double-checking can be the most important way to defend your firm’s security and reputation.
A lot depends on the culture of your firm as well. Traditional practices, conservative by nature, may believe their cyber security protocols are sufficient—but they need regular check-ups against cutting-edge cyber fraudsters. It’s dangerous to presume that your professional confidentiality and privilege are adequate safeguards.
The disheartening moral of this story: Don’t rely on trust. And don’t assume other people are taking precautions.
Mobilize your team. Because readiness is everything.
Bring together the key people who’ll have to respond to a cyber attack: not only your IT person, but key partners and staff. Include your CPA, banker and insurance agent … everyone who will be responsible for stopping the threat to your data and minimizing the damage to your firm’s reputation.
Create an action plan, then practice it—over and over—until you’re confident your team can respond like a well-oiled machine.
3 Ways your bank can help.
First, make sure you set up your banking for alerts—event notifications such as text or email alerts that may flag suspicious activity in your accounts.
Implement fraud services for your account with:
Check Positive Pay – comparing the checks presented for payment to your data in your bank’s files—by serial number, amount, and payee name.
ACH Positive Pay – identifying potentially fraudulent debits presented against your account. It matches incoming ACH debits against your authorization instructions and allows you to make pay/return decisions online.
Above all, be proactive. Don’t wait until the end of the month to review your banking transactions. And have a regular conversation with your banker about emerging new threats and the newest ways to thwart them.
Start with our comprehensive Fraud Awareness Checklist. It goes beyond the usual “Top 5 Steps” and helps you identify a full range of cyber vulnerabilities.
The opinions and views in this blog are those of the authors, and are not intended to provide specific advice or recommendations for any individual. Please consult your tax advisor regarding your individual situation. All lines and loans are subject to credit approval. The Webster symbol is a registered trademark in the U.S. Webster Bank, N.A. Member FDIC. Equal Housing Lender © 2018 Webster Financial Corporation. All rights reserved.