12 Smart Security Steps

Law Firms: Soft Underbelly for Hackers?

By | Jun.03.14 | Cloud Computing, Daily Dispatch, Law Firm Management, Legal Technology

Hacker © iStock - Agustinc

Are law firms really a “soft underbelly” for hackers? Yes, according to numerous legal security experts and recent news reports. Understandably, more corporate clients are demanding their law firms take increased security measures. So why are law firms on the hacker radar? Quite simply, because law firms — especially smaller and midsize firms — tend to lack the level of security of their corporate clients. This can provide hackers with a proverbial “back door” into confidential and privileged data of more secure businesses, via their law firms.

12 Practical Ways to Protect Your Confidential Information

Surprisingly, the biggest threat to law firms comes from within their own walls. Many law firms have some type of security plan in place, but these measures need to be tested continuously to protect against the latest threats. Using a “check-off-the-list” security methodology can make law firms a soft target for hackers. Adding insult to injury, many seemingly harmless activities of law firm employees also put the firms at risk.

Think about the last time you visited your firm’s reception desk. Notice a sticky note taped to the desk with passwords and confidential information on it? How do you know visitors aren’t trolling for this type of information? Also, when your firm upgrades to new devices, what happens to all that old hardware — not just computers and laptops, but tablets, phones, thumb drives and even copiers? These are all questions law firms should be able to answer with confidence, and it goes well beyond passwords and discarded devices.

The good news is there are multiple ways you can mitigate your security risks. The first step, though, is acknowledging you are not immune to a breach. (For those of you who don’t believe your firm is being targeted, I say you’re just not looking.)

That said, your security plan should strike a balance between protecting against bona fide threats and outright paranoia. Here are 12 commonsense steps to protect your firm.

1. Use firewalls. Any firm that uses computers must use firewalls — it’s that simple. Firewalls provide a critical first line of defense by inspecting network traffic entering and leaving the firm and blocking traffic that is unwanted or does not look legitimate. Firewalls should be deployed both at the network perimeter and on individual computers.

2. Use strong passwords. Don’t use passwords that are too short, and avoid using personal information such as a child’s name or birthdays, which are easily guessed. A good website for gauging the strength of a password is howsecureismypassword.net.
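The two rules above (long enough, and free of personal details) can be checked mechanically. The following Go program is an added example, not code from the article or from a password-strength site; it estimates the search space an attacker would have to cover (length times log2 of the character set in use, the same arithmetic such sites perform) and rejects any password that embeds a token from a list of the user's own personal information. The cracking rate, the minimum of 60 bits, and the sample names and passwords are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// guessesPerSecond is an assumed offline guessing rate (constructed figure,
// not from the article), used only to turn keyspace into a time estimate.
const guessesPerSecond = 1e10

// charsetSize returns the size of the smallest alphabet an attacker would
// have to search to cover every character class present in the password.
func charsetSize(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	size := 0
	if lower {
		size += 26
	}
	if upper {
		size += 26
	}
	if digit {
		size += 10
	}
	if symbol {
		size += 33 // printable ASCII punctuation and space
	}
	return size
}

// entropyBits estimates search-space entropy as length * log2(charset size).
func entropyBits(pw string) float64 {
	n := charsetSize(pw)
	if n == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(n))
}

// crackSeconds is the expected time to search half the keyspace at the assumed rate.
func crackSeconds(pw string) float64 {
	return math.Pow(2, entropyBits(pw)) / 2 / guessesPerSecond
}

// containsPersonalInfo reports whether the password embeds any known personal
// token (a child's name, a birth year, a pet), compared case-insensitively.
// Tokens shorter than three characters are ignored to avoid false positives.
func containsPersonalInfo(pw string, personal []string) bool {
	lp := strings.ToLower(pw)
	for _, t := range personal {
		t = strings.ToLower(t)
		if len(t) >= 3 && strings.Contains(lp, t) {
			return true
		}
	}
	return false
}

// Evaluate applies both rules: no personal information, and at least minBits
// of estimated entropy. It returns a short reason for the decision.
func Evaluate(pw string, personal []string, minBits float64) (bool, string) {
	if containsPersonalInfo(pw, personal) {
		return false, "contains personal information"
	}
	if bits := entropyBits(pw); bits < minBits {
		return false, fmt.Sprintf("too weak: %.0f bits (need %.0f)", bits, minBits)
	}
	return true, "acceptable"
}

func main() {
	personal := []string{"Emily", "1998", "Fluffy"} // constructed sample
	for _, pw := range []string{"emily1998", "Tr0ub4dor", "correct horse battery staple!"} {
		ok, why := Evaluate(pw, personal, 60)
		fmt.Printf("%-32q %6.1f bits  ~%9.2e s  ok=%-5v %s\n",
			pw, entropyBits(pw), crackSeconds(pw), ok, why)
	}
}
```

The estimate is deliberately generous to the password: it assumes the attacker must search the whole character set blindly, so a password that passes here is a floor, not a guarantee. The personal-information list is the part a firm would tailor, since names and dates are what makes a password easy to guess rather than merely short.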

3. Use good hygiene. Going back to the sticky note example, make sure you are using good “hygiene” by ridding the office of easy-access points.

4. Remove residual data. Know how to browse the web securely — and remember, every website you visit can leave cookies. This residual data should be encrypted and wiped regularly.

5. Use caution on social media. Once you put information in the public domain, such as by posting it to Facebook, Twitter or YouTube, it can’t be taken away. Think carefully before posting sensitive information on social media sites, and have good policies around what others in the firm do, too.

6. Wipe discarded devices. The legal industry is evolving rapidly and so are our devices. Make sure, as you upgrade to the newest tablet or smartphone, that you are wiping discarded devices with military-grade software. Sometimes physical destruction is a good idea. Or, better yet, hire professionals to do it.

7. Implement a breach plan. Assume hackers will get ahead of you and do everything you can to prevent a breach. If you don’t already have a plan in place, work with a consultant or data breach management company to protect your firm’s assets. Know in advance how you will:

  • Protect and access data
  • Notify clients in the event of a breach
  • Get back up and running

8. Use virtual private networks. VPNs are a great way to access information remotely and securely. If you frequently use VPNs for business travel, I recommend investing in a privacy screen protector, which will prevent those around you from viewing your screen. Also make sure to use HTTPS sites rather than HTTP sites: HTTPS encrypts the connection between your device and the website, so the information you are browsing cannot be read or altered in transit.

9. Maintain document security. Reviewing and sharing documents is fundamental to lawyers. When shopping for cloud-based file-sharing products, look for software that provides:

  • Secure file sharing
  • Secure file sync
  • Digital rights management
  • Secure web access
  • Mobile productivity
  • Terms and conditions that reflect your duty to your clients around confidentiality, privilege and safekeeping

10. Know the difference between the public and private cloud. Not all cloud solutions are created equal. Public cloud offerings — those available to the public — are often free, or close to it. Read the terms and conditions carefully and ask the following questions before you consider using a service:

  • How will my data be protected? Public cloud solutions’ security should be validated by third parties such as eTrust, U.S. Data Centers and SysTrust, to name a few.
  • Who will own the data? Understand what they will do with the data and read the conditions so you know what they will do if the government calls or if you cancel your subscription.
  • How readily available will the data be to you?

The private cloud provides a privately hosted place to store and access data, and only those approved to use it are welcome. While typically you’ll have to pay to use private cloud services, many provide an important internal layer of security.

11. Be savvy about encryption. Make sure you know where your data is stored and ensure the data is encrypted both while it is in transit and while it is at rest.
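Encryption in transit is what HTTPS and VPNs (step 8) provide; encryption at rest is what protects a stored document if the disk, backup or cloud bucket holding it is exposed. The Go program below is an added example, not code from the article, showing one sound way to do at-rest encryption: AES-256-GCM, a fresh random nonce per document, and the document's identifier bound in as associated data so a ciphertext cannot be quietly swapped between matters. The key is generated here for illustration only; the assumption, stated in the comments, is that a real deployment would obtain it from a key manager kept separate from the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key would
// come from a key manager or HSM and never be stored beside the data it protects
// (assumption for this example: we generate it in memory).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and binds it to label (for example
// a matter or document ID) as associated data. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Appending to nonce yields nonce || ciphertext || tag in one buffer.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label makes
// authentication fail, so tampering is detected rather than silently decrypted.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// RoundTrip is a self-check: it returns true only if the document survives
// seal/open intact, a one-bit change to the stored blob is rejected, and the
// blob cannot be opened under a different label.
func RoundTrip(doc, label []byte) (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	blob, err := Seal(key, doc, label)
	if err != nil {
		return false, err
	}
	got, err := Open(key, blob, label)
	if err != nil || !bytes.Equal(got, doc) {
		return false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, label); err == nil {
		return false, nil
	}
	if _, err := Open(key, blob, []byte("some-other-matter")); err == nil {
		return false, nil
	}
	return true, nil
}

func main() {
	// Constructed sample document and label.
	ok, err := RoundTrip([]byte("Privileged memo: settlement position"), []byte("matter-0001"))
	fmt.Println("at-rest encryption self-check passed:", ok, "err:", err)
}
```

The point a buyer of cloud storage should take from this is the separation: whoever holds the ciphertext should not also hold the key, and whoever holds the key should be someone whose agreement with the firm actually covers confidentiality and privilege (step 10).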

12. Prepare a notification of practices. Craft language that clearly explains to clients how their data is stored and how it will be protected.

Be Prepared

While no law firm is immune from a security breach, the most important step firms can take to protect their data is to be prepared. This means developing a security breach plan and sticking to it. The system should be audited regularly, and clients and employees should be educated about the process and engaged in the dialogue. Security, after all, should be a way of life for law firms today.

Christopher T. Anderson is an attorney and a Sr. Product Manager for LexisNexis. Follow him on Twitter @FirmManager_CTA.



4 Responses to “Law Firms: Soft Underbelly for Hackers?”

  1. glen
    3 June 2014 at 10:00 am #

    Good article. Public versus Private Cloud terms have gotten confusing lately. The difference between a public cloud and a private cloud is that a private cloud is something your firm builds itself and a public cloud is something you pay another company to provide. There are also hybrids, such as a fully private cloud that you pay an external company to build and host, but that is typically cost prohibitive unless you are part of a very large firm.

    In many cases, a so-called public cloud is actually far more secure because, due to economies of scale, large cloud service providers can afford to (and are motivated to) invest heavily in security features that are typically out of reach of in-house law firm IT due to cost. They are also accustomed to signing agreements detailing their level of data protection responsibility. This is particularly important if your firm deals with any health data or PHI. You can choose to do business exclusively with service providers who are specifically HIPAA certified, for example.

    Now, when it comes to so-called “free” cloud or web-based sharing and storage mechanisms, I would agree. They are usually not secure, there are typically no agreements in place (and if there are, they don’t protect you), there are no backups, etc. In fact, I would say use of these “free” services is irresponsible.

  2. Chris Hargreaves
    3 June 2014 at 11:11 pm #

    Great advice on some security measures that every firm should take here. In particular the deletion of old data sticks, hard drives etc – it makes me shiver to think just how much confidential information is probably out there from this not being done.
