Cybersecurity Credit: Khakimullin Aleksandr/Shutterstock.com

 

Holidays may be a popular time for bad cyber actors looking to capitalize on empty offices and vulnerable infrastructures, but while a law firm's breach response team may see a little extra traffic, the IT department seems unlikely to break a sweat.

The good news is that aside from the way that software updates or new system rollouts are scheduled, the holidays don't seem to present any significant new curveballs to law firm cybersecurity personnel. However, that level of confidence doesn't come without strings: Many law offices have learned to operate under the assumption that an attack can happen at any time, 365 days a year.

Neeraj Rajpal, chief information officer at Stroock & Stroock & Lavan, indicated that the level of cybersecurity preparation may not have been nearly as high across the industry 10 years ago. But times—and threats—change.

"We are targets all of the time, so I don't think that anything changes over the holidays. To be candid, we are constantly on edge. As I said, the bad guys have to be successful just once. We have to be successful all of the time," Rajpal said.

That includes Christmas and New Year's Day. For example, even when the office is empty, Stroock has automated security tools in place that can detect any unusual activity on its network. As for the human factor, personnel are also on call 24 hours a day, seven days a week.

"We've done table-top exercises. We know what it's going to be like if something does happen. I don't want to seem overconfident because that's not the right thing to say, but we are ready. We are as ready as ready can be," Rajpal said.

Beau Mersereau, director of legal technology solutions at Fish & Richardson, echoed that confidence, citing a year-round supply of caution and preparation. While there aren't any significant changes made to the firm's cybersecurity posture, there is an effort made not to deploy any new software or tech around the holidays since Christmas vacation is generally a bad time to accidentally break something.

"We don't want to take anything down and mess up someone's holiday," Mersereau said.

Which is not to say that law firm cybersecurity personnel won't still have to be on their toes. James McKenna, chief information officer at Fenwick & West, pointed out that remote access activity typically increases over the holidays since people are either traveling or working from home.

He indicated this can often lead to people calling in for help more often, which requires a certain mindfulness from the people manning the response line given that this time of the year tends to see a lot phishing attacks.

"It becomes that much more critical to verify that a caller is whom they report to be," McKenna said.

Speaking of traveling lawyers, it may also be helpful for attorneys to give their IT department a heads-up if they'll be logging into the network from an exotic vacation destination at some point over the holiday. According to Frank Gillman, a principal at Vertex Advisors Group and a former chief information security officer at Lewis Brisbois Bisgaard & Smith, that simple tip can prevent false alarms going off in the IT department.

"You let your IT department know that you might be connecting from Uzbekistan. because on a normal day I would look at that and go, 'Hey, what the hell is going on? Why are we seeing traffic coming from here or there?'" Gillman said.

When he was at Lewis Brisbois, Gillman said the IT department would send out cybersecurity reminders to employees in advance of the holidays. Chief on that list was the suggestion not to blend personal and professional identities, which can happen as busy attorneys attempt to round out their gift shopping online.

Per Gilman, there's an element of risk at play every time a lawyer unnecessarily extends their professional profile on the internet.

"I think it's good to discourage delivery of gifts to the office because there's just so much potential for misuse," Gillman said.