Two-factor authentication is required for online security, but it’s not enough. You will need multi-layer security to keep your law firm’s valuables safe from cyber-bandits.
Raise your hand and keep it up if you use two-factor authentication to safeguard the confidential client information and work product stored on the computers in your law office.
Raise your other hand and keep it up if two-factor authentication is the only safeguard you’re using to protect sensitive data from cyberthreats.
Now take a look at yourself in the mirror with both hands raised and always remember that pose. If you’ve taken no security precautions beyond adding 2FA, you reaching for the sky is pretty much what’s going to happen when cyber-bandits come along to relieve you of your valuables.
Recap: What Is Two-Factor Authentication?
In case you aren’t familiar with two-factor authentication, it’s a way to prove that the person who has entered the correct password to access your computer or account is, in fact, you (as opposed to a cyberthief who managed to get hold of your password through illicit means, such as a phishing scam).
To confirm it was you who entered the password, your two-factor authentication service will provide a one-time verification code through various methods: an app, text message or call. You type in that code and — presto! — your account is unlocked.
Cybercriminals Keep Upping Their Game
Of course, if the cyberthieves happened to steal your phone, then they’d be the ones receiving the verification code, not you. If your phone is locked but text messages show the contents, they’d see the code. And if they have access to your email account, they may be able to initiate a password reset. You could reduce the risk of such catastrophe by using a two-factor authentication service that sends you the verification code only after you’ve successfully answered a challenge question.
Technically, that’s three-factor authentication (password, challenge, code), but that gets to my larger point:
Two-factor authentication is inadequate given the threats you’re up against.
Now I want to be clear – I believe it is absolutely crucial to enable 2FA on all your crucial accounts, at a minimum. It is by far one of the most important steps toward protecting your data.
Granted, you’re a smart, well-informed lawyer, trained to avoid looking at the world through rose-colored glasses. So it’s unlikely you’ll fall prey to a phishing scheme — provided you’re not operating on autopilot when an email arrives from someone convincingly purporting to be a client, colleague, vendor or creditor.
However, I’ve heard many personal accounts of tech-savvy lawyers falling prey to a phishing scheme.
Cybercriminals are constantly honing their heinous skill set. As a result, they fool a lot of people. And, unless you’re ever vigilant, they can fool you too. This is why you cannot rely solely on two-factor authentication.
You need “multi-layer security” so that if you slip up and accidentally open the door to a data breach, the thieves are less likely to succeed.
Extra Protection: How Multi-layer Security Pays Off
Multi-layer security is just what the term implies — it’s the addition of extra security measures, one atop another.
Just like a Volvo, the more layers of security you add, the better.
Volvos aren’t terribly popular with motorists who want to take tight curves at breakneck speeds and engage in risky maneuvers (like doing donuts on the meticulously manicured lawn in front of the local traffic court judge’s home). But the Volvo is beloved by people who value highway safety.
Indeed, the Volvo is near-universally acknowledged as the safest car on the road. In large part, that’s because the ultra-high-strength steel used in its body does one heck of a job protecting you during a collision by dissipating the energy of impact.
However, that structural benefit means little if you don’t add in some extra layers of safety — things like seat belts, airbags, antilock brakes, tires with adequate tread, car seats for the kids and so forth.
In a similar vein, you need to add multiple layers of security for your computers because, without them, the advantages of two-factor authentication mean little.
What Can You Do to Add Multiple Security Layers to Your Computer?
Phishing security. For starters, get an integrated anti-phishing platform. These typically involve filtering all your incoming email through an AI-powered service that looks for signs of fakery afoot. If an email you receive triggers machine suspicions, you’ll get a warning to run, not walk, to the nearest exit. These platforms can also analyze your email opening-and-answering habits to let you know whether scam artists are likely to consider you an easy mark.
A password manager. On top of that added layer, start using a password manager. It’ll spare you the need to create unique passwords for the dozens of online accounts, thereby eliminating the dangerous temptation to recycle the same password over and over. The password manager automatically generates random passwords for each online account — no two passwords are ever the same or even similar. Password managers also encrypt those passwords for greater security.
Automatic, frequent backups. Backing up your files also counts as an additional layer of security. You could do it manually, but I have found through 17 years of helping lawyers with their IT that this approach invariably fails. It is better to use a service that automatically and frequently backs up your data, ideally to a cloud-based, third-party service provider. (Don’t forget to vet the provider.)
Common sense. Then there are all the commonsense kinds of things you can do, like teach your staff to be more aware of cyberthreats, never share passwords, and never walk away from their desk even briefly without first locking their computer. The best way to educate your team is with cybersecurity software that takes over this role. If it’s up to someone on your team to run that, again, it often fails.
It’s a Law Firm’s Duty to Beef Up With Multi-layer Security
To recap, one layer of cybersecurity is good, but it’s no longer enough. You need additional layers of security to protect you from today’s data loss threats.
The good news is that beefing up your computer’s security is relatively simple, relatively painless, and a relative bargain considering what’s at stake.
As a lawyer, you must take all possible measures to protect the client-attorney privilege, and you have an ethical duty to fulfill that requirement. Fortifying your data with multi-layer security is a smart way to satisfy that duty.
Subscribe to Attorney at Work
Get really good ideas every day for your law practice: Subscribe to the Daily Dispatch (it’s free). Follow us on Twitter @attnyatwork.