The following article appears in the August issue of Raising the Bar, Volume 14 Issue 7, courtesy of DRI
By Natalie Baker, MRC National Accounts Development Specialist
Law firm data breaches are on the rise. Yet, it’s really no surprise why since firms contain highly sensitive financial data, confidential client business information and personally identifiable information (PII), medical records, corporate strategies, trade secrets and business transaction information—making them a lucrative target for hackers.
Although these breaches have forced the legal industry to be cognizant of the significant risks they face, many firms still fall short of “effectively protecting their clients’ data,” according to LogicForce’s fourth quarter 2017 law firm cybersecurity scorecard. Of those surveyed, only 31 percent reported formal cybersecurity training programs for their workers and just 41 percent reported that they have documented cybersecurity policies and emergency response plans to deal with a data breach.
Therefore, it’s imperative that law firms—of any size—take the necessary steps to minimize the threat of a cyber-attack. Below are pointers that can help protect against cyber intrusions:
Use Two Factor Authentication
Two Factor Authentication, or 2FA, adds an extra layer of security, putting additional deterrence in the path of someone who wants to maliciously access email, data storage, or other systems storing confidential data. With 2FA, a password is not sufficient to gain access. Instead, a password and username is required, along with a secondary token that only the authorized user can receive—typically sent to a smartphone via SMS message. Using a username and password together with a piece of information that only the user knows makes it more difficult for potential intruders to gain access and steal data or commit identity theft.
Risk Assess Vendors
Law firms can overlook the security systems of the thirdparty vendors they contract with, which is unfortunate since these companies can be a gateway that hackers enter through. So, before contracting with a vendor, ask the vendor to participate in a cyber security survey. Knowing if these companies have sufficient cybersecurity programs to protect their files from intrusion will prevent your firm from being subject to undue risk and data compromise.
Install Anti-Virus software
Anti-virus software scans your computer system and identifies risks discovered on your computer. “Patches” can be downloaded monthly to remediate discovered vulnerabilities on your systems and prevent system intrusions and compromise.
Regularly Update Operating System(s) Sure, update notifications that pop up can be annoying, but they do serve a purpose. Strongly recommended for security reasons, these updates will fix known bugs in the operating system that create security vulnerabilities.
Regularly Educate Employees about Security
Hackers rely on human error, and often, cyber-attacks occur because of uninformed employees clicking on a link or opening an unsuspecting attachment in an email. Therefore, it’s crucial to ensure that all members of the law firm—both attorneys and legal staff—are educated about cybersecurity. Not only will they learn how to identify red flags, such as phishing attacks, but they will become more cautious of their own actions, as even a simple mistake could lead to a full cyber breach.
Have a Disaster Recovery Plan in Place
As breaches become more prevalent, it’s wise to know how your firm will recover should a cyberattack such as ransomware occur. How does the firm plan on recovering? Where are backups kept? Are the backups current? How are the backups secured? When was the last time the backups were successfully tested?
Be Prepared to Respond
Resilient firms have a well-documented and tested Incident Response Plan to serve as a roadmap at the moment of crisis. Developing cyber security playbooks and participating in table-top exercises are all vital response strategies. Consider the following during an incident: Do all key employees understand what role they play? Are there documented breach response procedures in place? Is there a retainer with a reputable cyber response firm?
Conduct Regular Security Risk Assessments
While it’s great if a firm seems to be on top of security, its plans are only valuable if the firm stays current with the most up-to-date system patches. Hackers get better and better every day, and your firm needs to know whether its systems are open to new vulnerabilities. Consider conducting annual risk assessments and regular vulnerability assessments to understand where improvements are required to protect the integrity and availability of your business-critical systems.
Keep up with Technology
Just because you’re a small law firm doesn’t mean you aren’t vulnerable to cyber intrusions. After all, firms with one or two lawyers still possess a great deal of PII, medical, and confidential data that is attractive to cyber criminals. Therefore, it’s crucial to acquire the appropriate technology and develop processes to remain resilient and keep from becoming a liability to your customers, as a breach could signal lawsuits from clients whose data is compromised, as well as irreparable damage to your firm’s reputation.
Finally, for stronger security, implement the following practices when possible:
• Disable or encrypt USB drives to prevent sensitive data lost.
• Require at least an 8-character complex password for computer access. Do not share passwords, and change passwords every 90 days.
• Use role-based access control, so that sensitive files can only be accessed by persons in certain need-to-know elevated roles.
• Place a 15-minute idle timeout requirement on all computer systems and applications to avoid unauthorized access.
• Use firewalls to prevent unauthorized access to your network.
• Perform monthly vulnerability scanning and patching of computer OS and software.
• Perform regular backup of data and test recovery.
• Perform table top exercises using realistic cyber-attack scenarios.
• Encrypt sensitive data on mobile devices and smart-phones.
• Harden configuration on wireless access points.
• Train your employees to recognize social engineering attacks.
MRC’s Director of Information Security Muni Chatarpal contributed to this article.