
Proactive measures can limit cyber threats

Whether it is identifying ransomware, phishing schemes and data breach threats, or rolling out robust cybersecurity measures, comprehensive risk management strategies, tabletop exercises and heightened internal awareness campaigns, the goal of cybersecurity is the protection of your reputation and data and — most important — that of your clients.

This commentary provides six proactive measures to prevent cyber incidents.

The astronomical toll

Cybercrime is a full-time job for cybercriminals. According to Cybercrime Magazine, the landscape will continue to evolve rapidly, with businesses facing increasingly sophisticated threats. The global cost of cybercrime is projected at a staggering $9.5 trillion this year.

As criminals continuously develop new tactics, a proactive approach helps keep your defenses strong, resilient and relevant. Implementing and regularly updating security protocols and robust cybersecurity policies are essential for safeguarding against such threats.

Audits, assessments and vulnerability testing

Regular cybersecurity audits and assessments, including vulnerability scans and penetration testing, can identify and mitigate potential security risks within a firm’s network. These measures help uncover weaknesses in systems, applications and processes before malicious actors can exploit them.

Vulnerability scans systematically search for weaknesses, while penetration testing simulates real-world attacks to evaluate existing defenses. These assessments can help firms stay ahead of emerging threats, ensure compliance with industry standards, and continuously improve cybersecurity.

Cyber policies and protocols

Firms should create understandable and meaningful protocols. Overbroad cybersecurity policies are a common mistake. Employees need to know which parts are relevant to their work and how to comply with the overall policy. Every member of the firm’s team has a part to play in the defense system. Robust password protocols should be in place to protect sensitive client information and maintain cybersecurity standards.

Employee training and awareness

Cybersecurity training must be part of a firm’s risk management strategy, and leadership training should include C-level preparation, such as tabletop exercises. Leaders also must reconsider current employee training practices.

According to the World Economic Forum, 95% of cyberattacks are due to some form of human error, and 43% of data breaches are caused by insider threats. Research from KnowBe4 found that when employees received a once-a-month phishing simulation, the share of employees clicking on the training email fell from about a third to 17.6%. Some of the more recent and infamous cybersecurity breaches, such as the MGM Grand hack in September 2023, were the result of employees falling for vishing scams, indicating the need for continuous social engineering training to keep up with the most advanced cyber threats. Not all employees understand that answering the phone could potentially be as damaging as clicking on a link in an email or text message.

Cyber insurance

Firms should carry cyber insurance to mitigate the significant financial and reputational risks caused by cyberattacks. Such insurance covers costs arising from a cyber incident, including legal fees, forensic investigations, notification of affected clients, business interruption and reputation management. In addition, many cyber insurers will provide access to training modules, testing platforms and tabletop exercises.

Tabletop exercises

These exercises, which simulate real-world scenarios in a controlled environment, enhance a firm’s ability to respond effectively should an actual event occur. The benefits include:

  • Test response plans: Verify that the firm’s incident response plan is comprehensive and actionable. Identify weaknesses or oversights in the plan to ensure that all aspects of a potential breach are covered.
  • Enhance coordination: Foster better communication and coordination among different departments, which is crucial during a real incident when swift, coordinated action is required.
  • Increase preparedness: Increase the preparedness of all involved to ensure quick and efficient responsiveness in the event of a breach. This can significantly reduce the impact of a cyber incident.
  • Identify training needs: Reveal areas where staff may need additional training or resources.

Technology defenses

One solution to human error comes from an increasingly sophisticated technology — artificial intelligence. While AI use is quickly becoming a “shadow IT department nightmare,” some companies such as LinkedIn have embraced AI by implementing live cybersecurity training bots.

Examples of technology defenses include:

  • Chatbots: LinkedIn’s cybersecurity chatbot answers employees’ real-time questions to thwart social engineering attempts. The chatbot answers questions 24/7 and provides consistent, clear security guidance.
  • Data encryption: Data encryption is crucial to safeguard firm and client information. Encrypting sensitive data both in transit and at rest can protect it from unauthorized access, even if a breach occurs.
  • Multifactor authentication (known as MFA and also called two-factor authentication): MFA requires users to provide two or more verification factors to gain access to a system, application or account.
  • Zero trust architecture: Consider adopting a zero trust security model, which operates on the principle of “never trust, always verify.” This approach requires continuous verification of user identity and access rights, regardless of whether the user is inside or outside the network.
  • Regular updates and patch management: Ensuring that all software and systems are regularly updated and patched is a critical defense against known vulnerabilities.

Whether your law firm has the budget to invest in a cybersecurity chatbot or hire an IT professional who understands cybersecurity threats, investing in cybersecurity technology and utilizing advanced security tools and services is essential for crisis planning and incident response.

Gina F. Rubel, a graduate of Widener University Commonwealth Law School, is the CEO and general counsel of Furia Rubel Communications.