This article was originally published in the LAW April Newsletter on 4/5/19
The sensitive data held by law firms makes them primary targets for cybercriminals. This is true for law firms of all sizes. Data breaches are not always the result of sophisticated hacking carried out by genius criminals against a law firm's firewalls and servers. They are often the result of low-tech cybercriminals sending out phishing emails containing store-bought exploits or well-worded messages that convince the recipient to do something they shouldn't. These messages are often sent to hundreds of thousands of addresses in the hope that a small percentage of recipients will take the bait.
So, what should we do to protect this data? Cybersecurity is something I equate to golf. It is a simple concept, but the execution is not always easy. Golf is simply putting a ball in a hole, yet anyone who plays knows there is nothing easy about accomplishing it. The same is true for cybersecurity. Keeping private information private requires preparation and practice. The best law firm cybersecurity program is made up of 3 components: policies, training, and tools.
Here are three ways to keep client data safe by implementing a comprehensive cybersecurity program.
Outline a cohesive cyber strategy through documented policies
Law firms need formally documented policies that outline proper procedures for every aspect of their IT environment. A comprehensive cybersecurity policy includes an acceptable use policy, a business continuity policy, an incident response policy, a data loss prevention policy, a records management policy, a mobile device policy, and a password policy. Formal policies provide a blueprint for employees to prevent and recover from a breach.
Empower your workforce through ongoing cyber training programs
Comprehensive training programs ensure the firm's documented cybersecurity policies are understood by all employees. They detail and explain the tools the firm provides to simplify adherence to these policies, and they explain the many ways employees can be exploited. This training should be part of employee onboarding so that new employees understand the importance of these policies in protecting client data. The program should also include monthly refreshers in the form of newsletters or videos, and quarterly follow-ups that detail the most recent methods cybercriminals use to trick users into helping them.
Utilize security tools to further protect client data
LOGICFORCE’S Cybersecurity Scorecard, a periodic study designed to assess cybersecurity preparedness across the legal industry and educate law firms on the best practices for data protection, outlines the tools firms should be using to assist in following a robust cybersecurity plan.
For example, password managers are great tools to ensure users create complex and unique passwords for all professional and personal accounts, decreasing the likelihood of a password being compromised and limiting the impact if it happens. Multi-factor authentication (MFA) further protects users' accounts even if an employee is tricked into giving away a password, and it is most likely the single best tool to prevent account compromise. MFA provides a second layer of login verification, typically using a mobile device. Once a password is entered, a call or text is sent to the user's mobile phone, asking them to confirm that it is actually them logging in.
These tools, including others outlined in LOGICFORCE’s Cybersecurity Scorecard, need to be managed and developed by a security executive that can ensure the program stays current in the constantly changing cybersecurity landscape.
Law firms will not continue to get business if they expose client data, and client audits are increasing in number and overall complexity to verify that the firm is doing what it takes to prevent that exposure. Small or large, a firm's livelihood is directly tied to protecting its data. A comprehensive cybersecurity program will not only limit the risk associated with holding client data, but will also open new business opportunities and act as a differentiator from firms that don't make the investment.
Paul Telesco is the VP of technical services at LOGICFORCE, a Nashville-based leading legal IT consultancy.