Why Small Legal Firms are Talking About 2023's National Cyber Strategy

Sometimes it can feel like you're a little fish in a big pond. You hear good advice but you're not sure if it relates to a business of your size. You have to consider things in a different lens, right? So when The White House publishes their Cybersecurity Strategy, a thought hangs in the back of your mind: what does the 2023 National Cybersecurity Strategy mean for a small-medium sized law firm? Read on to find out what this directive means for you. 

Biden-HArris Strategy To Combat Cyber threats 

On March 1, 2023, the Biden-Harris administration released their recurring initiative to combat cyber threats and increase cybersecurity awareness across the country. This strategy aims to partner with businesses on how to best protect themselves currently and in the future from cyber attacks.

Before I go on, you should be aware that this published strategy remains in partnership with you, not as an additional governance over you. The White House reminds us of their cybersecurity diligence and then informs you of any support, trends, and threats on the horizon. *They do, however, include rules and regulations to maintain a standard level of security health across our nation.* 

Their strategy focuses on the following four aspects spread across 6 pillars for success:

• Outline emerging trends so businesses can learn for the future and prepare for potential cybersecurity risks
• Identify the evolvement of malicious actors
• Rebalance the responsibility to defend cyberspace, and
• Realign incentives for the future to then build out an up-to-date policy 

While these are important aspects to consider across all industries, what exactly do they mean for the legal industry? Furthermore, how does it impact small-medium sized firms? Allow me to connect the dots. 

4 Critical Points to Guide Small to Midsized Law Firms

1. Meet (possibly additional) regulatory standards.
   If you're not meeting the requirements of both your practice and the government, chances are you're not staying in business very long. Furthermore, don't forget one of your primary duties is to protect privileged/customer data from any outside threat whether it be human or cyber. To help you succeed, 2023's strategy may require many legal entities to meet additional data privacy compliance and the penalties for not doing so will see a significant punishment. 
   
   If you're not living up the mandated basic level standards, the federal government will ask you to up your ante. The White house says their "[regulations are] performance-based, leverage existing cybersecurity frameworks, and guidance--including the Cybersecurity and Infrastructure Security Agency (CISA)'s Cybersecurity Performance Goals and National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure -- and [are] agile enough to adapt as adversaries increase their capabilities and change their tactics" (12).  They want to partner with you and streamline an alignment between new and existing regulations. Check out the standards already in place from the National Institute of Standards and Technology (NIST). If you're still stressed about meeting those goals, we can augment your IT staff to better accomplish what you need so you can feel confident about the future. 
   
   
2. Follow good (past and future) cyber hygiene.
   You can't prepare for the future without a clean bill of IT health. While you should absolutely build on what you've done successfully in the past, running scans, testing your Incident Response Plan, and remaining up-to-date with cyber trends (like in this initiative!) are foundational to any proactive defense against cyber attacks in the future. The White House maintains that "this strategy, while laying out a new approach to our cybersecurity, builds on significant achievements already shaping our strategies environment and digital ecosystem" (5). The goal would be that you take into consideration their recommendations in addition to your prior successes like your Incident Response Plan or your cybersecurity partnerships. 
   
   Furthermore, knowingly failing to have a healthy infrastructure could put an Attorney's future at risk. Smith, Chichester, and Peck remind us that "Texas’ breach/notification law affords...painful fines for law firms that lose sensitive personal information. Failure to take adequate action can result in loss of your law license, with aggrieved clients exacting their own revenge" ("Keeping Client Data and Your Law License Secure," Texas Bar Journal, Technology). Let's not be on the receiving end of that wrath. If you're concerned on either your cyber hygiene or your security posture, Centre can help you get that started, just ask! 
   
   
3. (Ongoing) IT education for legal staff.
   One of the greatest aspects of this initiative is its analysis of common malicious actors on the horizon. Pillar 3 (pgs. 23-26)  of The White House's issue is all about shaping market forces to drive security and resilience. In layman's terms, it's basically reminding and advising businesses to protect sensitive data in a proactive way and then shifting liability to those responsible for it. Your business as a whole should understand that while there are consequences after a breach, you can avoid the hassle of reaction by proactively identifying threats on the horizon.
   
   The strategy cites future threats like AI systems and countries with revisionist intent including "the People's Republic of China (PRC) [which] presents the broadest, most active, and most persistent threat to both government and private sector networks" (7). While some of these may not "relevant" to your firm, you must educate your staff to prepare for whatever is coming next. We can help. Our Employee Awareness Trainings keep you ahead of any new curveballs not mention in the initiative. 
   
   
4. Build a solid Disaster Recovery and Incident Response Plan.  
   Knowing what's coming is just as useless if you don't have a plan to defend against it. The final stage of The White House's strategy was their implementation stage where they are assessing effectiveness, incorporating lessons learned in the past, and making the investment for the future. They point out that in order "for Federal agencies to support their private sector partners and increase their capacity to carry out essential Federal missions, targeted investments will be required" (38). So take their challenge and invest in something like a Disaster Recovery (DR) or Incident Response Plan (IRP). This will also keep you aligned with their regulations mentioned above. 
   
   Not sure if you have a plan? Maybe your plan isn't as effective as you thought? Let us help you prepare for success. 

Moving Forward, What's Your Plan?

As you assess the trajectory of your IT security posture, make sure you partner with a Managed Service Provider (MSP) that can handle the everyday care and feeding of IT and IT security. We can help you if you're confused, need help, or simply want to chat about the future of your firm. Centre is here to help local businesses.

Until then, check out our Legal Industries page for more information!