Trellis White paper Ad 770 Spot #6
share TWEET PIN IT share share 0
Tech Tips

Multi-Layer Security: Two-Factor Authentication Alone Won’t Thwart Today’s Determined Cyberthieves

By Tom Lambotte

Two-factor authentication is required for online security, but it’s not enough. You will need multi-layer security to keep your law firm’s valuables safe from cyber-bandits. 

law firm multi-layer security

Raise your hand and keep it up if you use two-factor authentication to safeguard the confidential client information and work product stored on the computers in your law office.

Raise your other hand and keep it up if two-factor authentication is the only safeguard you’re using to protect sensitive data from cyberthreats.

Now take a look at yourself in the mirror with both hands raised and always remember that pose. If you’ve taken no security precautions beyond adding 2FA, you reaching for the sky is pretty much what’s going to happen when cyber-bandits come along to relieve you of your valuables.

Recap: What Is Two-Factor Authentication?

In case you aren’t familiar with two-factor authentication, it’s a way to prove that the person who has entered the correct password to access your computer or account is, in fact, you (as opposed to a cyberthief who managed to get hold of your password through illicit means, such as a phishing scam).

To confirm it was you who entered the password, your two-factor authentication service will provide a one-time verification code through various methods: an app, text message or call. You type in that code and — presto! — your account is unlocked.

Cybercriminals Keep Upping Their Game

Of course, if the cyberthieves happened to steal your phone, then they’d be the ones receiving the verification code, not you. If your phone is locked but text messages show the contents, they’d see the code. And if they have access to your email account, they may be able to initiate a password reset. You could reduce the risk of such catastrophe by using a two-factor authentication service that sends you the verification code only after you’ve successfully answered a challenge question.

Technically, that’s three-factor authentication (password, challenge, code), but that gets to my larger point:

Two-factor authentication is inadequate given the threats you’re up against.

Now I want to be clear – I believe it is absolutely crucial to enable 2FA on all your crucial accounts, at a minimum. It is by far one of the most important steps toward protecting your data.

Granted, you’re a smart, well-informed lawyer, trained to avoid looking at the world through rose-colored glasses. So it’s unlikely you’ll fall prey to a phishing scheme — provided you’re not operating on autopilot when an email arrives from someone convincingly purporting to be a client, colleague, vendor or creditor.

However, I’ve heard many personal accounts of tech-savvy lawyers falling prey to a phishing scheme.

Cybercriminals are constantly honing their heinous skill set. As a result, they fool a lot of people. And, unless you’re ever vigilant, they can fool you too. This is why you cannot rely solely on two-factor authentication.

You need “multi-layer security” so that if you slip up and accidentally open the door to a data breach, the thieves are less likely to succeed.

Extra Protection: How Multi-layer Security Pays Off

Multi-layer security is just what the term implies — it’s the addition of extra security measures, one atop another.

Just like a Volvo, the more layers of security you add, the better.

Volvos aren’t terribly popular with motorists who want to take tight curves at breakneck speeds and engage in risky maneuvers (like doing donuts on the meticulously manicured lawn in front of the local traffic court judge’s home). But the Volvo is beloved by people who value highway safety.

Indeed, the Volvo is near-universally acknowledged as the safest car on the road. In large part, that’s because the ultra-high-strength steel used in its body does one heck of a job protecting you during a collision by dissipating the energy of impact.

However, that structural benefit means little if you don’t add in some extra layers of safety — things like seat belts, airbags, antilock brakes, tires with adequate tread, car seats for the kids and so forth.

In a similar vein, you need to add multiple layers of security for your computers because, without them, the advantages of two-factor authentication mean little.

What Can You Do to Add Multiple Security Layers to Your Computer?

Phishing security. For starters, get an integrated anti-phishing platform. These typically involve filtering all your incoming email through an AI-powered service that looks for signs of fakery afoot. If an email you receive triggers machine suspicions, you’ll get a warning to run, not walk, to the nearest exit. These platforms can also analyze your email opening-and-answering habits to let you know whether scam artists are likely to consider you an easy mark.

A password manager. On top of that added layer, start using a password manager. It’ll spare you the need to create unique passwords for the dozens of online accounts, thereby eliminating the dangerous temptation to recycle the same password over and over. The password manager automatically generates random passwords for each online account — no two passwords are ever the same or even similar. Password managers also encrypt those passwords for greater security.

Automatic, frequent backups. Backing up your files also counts as an additional layer of security. You could do it manually, but I have found through 17 years of helping lawyers with their IT that this approach invariably fails. It is better to use a service that automatically and frequently backs up your data, ideally to a cloud-based, third-party service provider. (Don’t forget to vet the provider.)

Common sense. Then there are all the commonsense kinds of things you can do, like teach your staff to be more aware of cyberthreats, never share passwords, and never walk away from their desk even briefly without first locking their computer. The best way to educate your team is with cybersecurity software that takes over this role. If it’s up to someone on your team to run that, again, it often fails.

It’s a Law Firm’s Duty to Beef Up With Multi-layer Security

To recap, one layer of cybersecurity is good, but it’s no longer enough. You need additional layers of security to protect you from today’s data loss threats.

The good news is that beefing up your computer’s security is relatively simple, relatively painless, and a relative bargain considering what’s at stake.

As a lawyer, you must take all possible measures to protect the client-attorney privilege, and you have an ethical duty to fulfill that requirement. Fortifying your data with multi-layer security is a smart way to satisfy that duty.

Illustration ©

Subscribe to Attorney at Work

Get really good ideas every day for your law practice: Subscribe to the Daily Dispatch (it’s free). Follow us on Twitter @attnyatwork.

Categories: Lawyer Tech Tips, Legal Cybersecurity, Legal Technology, Tech Tools
Originally published July 1, 2022
Last updated January 2, 2024
share TWEET PIN IT share share
Tom Lambotte

Tom Lambotte is a cybersecurity expert who has been in the legal tech industry for close to two decades. He founded BobaGuard, an affordable suite of turnkey cybersecurity solutions to help protect small and midsize law firms from getting hacked. Tom’s passion is helping legal entrepreneurs grow by leveraging technology. He is also CEO and founder of GlobalMac IT, a managed service provider that specializes in serving lawyers nationwide who use Macs. Tom and his wife live in Chardon, Ohio, with their four kids, mother-in-law, two dogs and a bunny. Connect with Tom on LinkedIn here.

More Posts By This Author
MUST READ Articles for Law Firms Click to expand

Welcome to Attorney at Work!

Sign up for our free newsletter.


All fields are required. By signing up, you are opting in to Attorney at Work's free practice tips newsletter and occasional emails with news and offers. By using this service, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy.