Information is the new currency, which makes it worth stealing.
Each day, hackers break into organizations for data they can use or sell: personally identifiable information, passwords, market-moving news and corporate intelligence. From a law firm's perspective, this used to be a client's problem. But after years of focusing on individuals and corporations, hackers are branching out for new targets, and law firms are squarely on their radar.
With a bevy of confidential information and generally weak security measures, law firms make ideal targets for hacking. Highly public examples of law firm breaches are everywhere. For example, the ABA Journal has covered recent law firm breaches, including those at Cravath and Weil in New York and Wiley Rein in Washington, D.C. Even the largest law firms aren’t immune, as DLA Piper discovered after it fell prey to an attack that brought down phone systems, email, and portals and cost millions.
The idea of a data breach is intimidating, but you can fight back. Even if you don’t have a worldwide IT team at your disposal, there are steps you can take immediately to protect your firm. By shoring up your risk management and compliance procedures, you can significantly strengthen your defenses.
In today’s connected world, clients and attorneys need constant access to information. You and firm management should focus on ways to manage risks associated with this. There are four steps you can begin immediately.
Institute multi-factor authentication
Have you ever logged in to a website and, after entering your password, been prompted for a number that was texted or emailed to you? Of course you have. That second step is multi-factor authentication (MFA): the password is something you know, and the code proves you also hold something, the phone or mailbox it was sent to. Because a stolen or guessed password alone is no longer enough to get in, MFA makes it much harder for a hacker to take over your account. Codes sent by text or email are the easiest form to roll out; codes from an authenticator app or a hardware security key are stronger, because text messages can be diverted through SIM swapping and an emailed code is only as safe as the mailbox that receives it.
You need to find out if your firm is using multi-factor authentication. If not, you should take steps to deploy it. At a minimum, it should be mandatory for key systems such as email, practice and/or document management, and time and billing. Typically, it is quick and easy for your in-house IT staff to activate multi-factor authentication or your solution providers already have the option embedded in the product.
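To make the mechanism concrete, here is an added example (not code from the original article) of the server side of a texted or emailed one-time code. It shows the checks a deployment needs beyond "compare the number": a short lifetime, single use, an attempt limit so the six-digit space cannot be brute-forced, and a constant-time comparison. The lifetime and attempt limit are assumed values, and delivery of the code by SMS or email is left to the caller.

```python
"""One-time-code second factor: issue and verify.

Added example, not from the original article. Models the "enter the
number we texted you" step with the safeguards a real deployment needs.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: discard the code after five wrong guesses


def _digest(user: str, code: str) -> str:
    # Store a digest rather than the code so a leaked store does not leak codes.
    return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


class OneTimeCodeStore:
    """Server-side state for pending one-time codes, keyed by user."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._pending = {}             # user -> {"digest", "expires", "attempts"}

    def issue(self, user: str) -> str:
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "digest": _digest(user, code),
            "expires": self._clock() + CODE_LIFETIME_S,
            "attempts": 0,
        }
        return code  # hand this to the SMS/email sender; never log it

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False               # nothing pending, or already used
        if self._clock() > entry["expires"]:
            del self._pending[user]    # expired: force a fresh code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]    # lockout: 10^6 guesses is cheap otherwise
            return False
        ok = hmac.compare_digest(entry["digest"], _digest(user, submitted))
        if ok:
            del self._pending[user]    # single use: a replayed code fails
        return ok


def login(password_ok: bool, store: OneTimeCodeStore, user: str, code: str) -> bool:
    """Both factors must pass; a correct password alone is not enough."""
    return password_ok and store.verify(user, code)
```

Note that the store is deliberately in memory here; a real service would back it with shared storage so the verification can run on any server, and would rate-limit issuance as well as verification so an attacker cannot flood a victim with codes.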
Encrypt data in transit and at rest
Working with important data without encrypting it is asking to be breached. All of the firm's data, whether it is in transit across a network or at rest on a disk, should be encrypted, so that a stolen laptop, an intercepted connection or a copied backup yields nothing readable. Any minor inconvenience involved in encrypting data is well worth the resulting protection.
Installing and using encryption may be easier than you think. Any current systems that are HIPAA-compliant will already have encryption features built in; usually they only need to be switched on. (See below for more on HIPAA compliance.)
Stay on top of administration
Simple mistakes and oversights can leave the firm wide open. With strong IT controls in place, intruders have a much harder time finding a way into your systems.
Start by standardizing a few basic practices, if you haven't already. Institute and enforce a policy that deactivates user accounts the same day someone leaves the firm; a forgotten account of a departed employee is a ready-made way in. Install software updates promptly, since attackers actively exploit the vulnerabilities those updates fix. Review the permissions each user holds in every system and trim them to what their role in the firm actually requires, so that a compromised account exposes as little as possible.
You should also examine older software or systems that still run on local servers. These overlooked, underprotected corners are often unpatched and rarely reviewed, and they offer easy entry points for hackers.
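The account deactivation and permission review described above can be turned into a routine check rather than an occasional clean-up. The following added example (not code from the original article) reconciles an account export from a firm system against HR's list of current staff and reports three kinds of finding: accounts with no matching employee (to deactivate), accounts holding more permissions than their role should, and accounts that have not logged in for a long time. The two CSV inputs are constructed for illustration, and the role-to-permission baseline and the 90-day staleness threshold are assumptions the firm would set for itself.

```python
"""Access review: reconcile system accounts against the HR roster.

Added example, not from the original article. Inputs are constructed
CSV snippets standing in for HR's roster and a document-management
system's account export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: everyone currently employed, with their role.
HR_ROSTER_CSV = """\
email,role
jsmith@firm.example,partner
alee@firm.example,associate
mpatel@firm.example,paralegal
rkim@firm.example,it_admin
"""

# Constructed account export from the document management system.
DMS_ACCOUNTS_CSV = """\
email,enabled,last_login,permissions
jsmith@firm.example,true,2024-05-30,read;write;share_external
alee@firm.example,true,2024-06-01,read;write;admin
mpatel@firm.example,true,2024-01-10,read
tgone@firm.example,true,2024-03-15,read;write
rkim@firm.example,true,2024-06-02,read;write;admin
svc-scanner@firm.example,true,2023-11-01,write
"""

# Assumed least-privilege baseline: the most each role should hold.
ROLE_BASELINE = {
    "partner": {"read", "write", "share_external"},
    "associate": {"read", "write"},
    "paralegal": {"read", "write"},
    "it_admin": {"read", "write", "admin"},
}
STALE_AFTER = timedelta(days=90)  # assumption: flag 90 days without a login


def review_access(roster_csv: str, accounts_csv: str, today: date) -> dict:
    """Return findings: accounts to deactivate, excess permissions, stale logins."""
    roster = {r["email"]: r["role"] for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = {"deactivate": [], "excess": {}, "stale": []}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue                      # already disabled; nothing to do
        email = acct["email"]
        perms = {p for p in acct["permissions"].split(";") if p}
        if email not in roster:
            findings["deactivate"].append(email)   # departed staff or unowned service account
            continue
        # An unknown role has no baseline, so every permission counts as excess.
        extra = perms - ROLE_BASELINE.get(roster[email], set())
        if extra:
            findings["excess"][email] = sorted(extra)
        last_login = date.fromisoformat(acct["last_login"])
        if today - last_login > STALE_AFTER:
            findings["stale"].append(email)
    return findings


if __name__ == "__main__":
    for kind, items in review_access(HR_ROSTER_CSV, DMS_ACCOUNTS_CSV, date(2024, 6, 3)).items():
        print(f"{kind}: {items}")
```

Run against the constructed data, the report flags the departed user and the orphaned scanner account for deactivation, the associate who has accumulated an admin permission, and the paralegal who has not logged in since January. Service accounts that are genuinely needed should be added to the roster with an owner and a role of their own rather than left to show up as unknowns every month.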
Train attorneys and staff
Yes, you may have just groaned out loud. No one at your firm wants to sit through more training while there are cases to manage and clients to help. But if you want to make your firm as hard a target as possible, training is non-negotiable. A recent study by Keeper Security and the Ponemon Institute found negligent employees to be the leading cause of data breaches at small and medium-sized businesses in North America and the UK.
Hackers have an endless supply of scams, and the scams keep evolving. Breaches happen when someone clicks a link that hands a hacker control of their laptop, when someone wires thousands of dollars to a third party because an email demanded payment, or when someone insists on using "PASSWORD123" as a password.
That is why your firm needs to hold regular security training that educates attorneys and staff about the importance of following procedures and maintaining a healthy skepticism around suspicious requests. Training should encompass the proper way to use law firm systems, the importance of protocols like multi-factor authentication and complex passwords, the latest threats, common hallmarks of phishing, and more.
Remember: The most successful security and training initiatives come from firms where the efforts are led from the top down. The executive team of your firm needs to live and breathe security, compliance, and new technology. Many studies show that organizations with compliance and security cultures led from the top are less vulnerable to malicious data breaches.
Along with risk management, thorough compliance is one of the most effective ways to ward off hacks. Firms can, and have, lost business because of their lack of compliance and security. Firms that handle protected health information (PHI) must be HIPAA compliant or risk breaches, fines, or both. Along with federal regulations, many corporate and government clients have their own requirements for handling data, and those requirements often include controls that specifically guard against unauthorized access.
If your firm already follows HIPAA requirements, you have processes and technology in place that strengthen your security well beyond the health data they were adopted for. If not, explore solutions built to HIPAA standards; they bring the access controls, audit logging and encryption that protect your firm and your clients.
The firm should also make the move to the cloud, if it hasn't already. With cloud-based services the provider patches the software and maintains the underlying infrastructure, streamlining processes and removing a whole class of attacks against unpatched on-premises servers. The cloud also makes remote and mobile access easier and more secure. Bear in mind that moving to the cloud does not move every responsibility: the firm still owns who has accounts, whether multi-factor authentication is enforced, and what permissions each user holds. You also need to ensure that your cloud provider understands the legal field. If your provider doesn't know how law firms operate and isn't familiar with legal-specific solutions, it won't be able to offer much in the way of protection and support.
You can start protecting your firm immediately by shoring up its people, processes and technology. Once you understand how to manage risk and improve compliance, your chance of ending up the victim of a breach or hack will decrease dramatically.