The Friday Five
Five Steps to Protect Law Firm Data
Computer security is a cat-and-mouse game, and we’re the mouse. Even with virus prevention and detection, says Don Wright, it’s only a matter of time before unauthorized programs and predators get past the gates. Still, there are steps to take to keep your client and law firm data reasonably safe. For this Friday Five, we asked Don, who’s head of information systems at the Association of Legal Administrators, for some advice.
A Little Healthy Paranoia
When you add to outside threats the healthy paranoia that your greatest threat is from within, it makes sense to focus on ways to make your law firm data itself secure. To protect yourself and your clients, in simple terms, you want to grant access to those you trust, and ensure their identities remain valid. Here are a few things to keep in mind.
1. Deploy encryption. Data can be encrypted so that it can’t be read unless the proper decryption protocols are also known. Entire hard drives can be encrypted and data transfers performed only under an encryption scheme. Here’s more information from Symantec and Pretty Good Privacy (PGP). The most frequently encountered encryption on the Internet is on secure web pages where financial or personal information is submitted. The website will have an address starting off with “httpS://” and will usually have some other security notification such as a padlock or key icon.
2. Install good gatekeepers. This applies mainly to virtual private networks, or VPNs, but I like to think of firewalls as the gatekeepers. VPNs allow a secure communication with them and through them. Firewall systems can limit “surface area exposure,” funneling traffic to certain allowed services—plus, they can point to areas that need further security and help detect when an attack is under way. Firewall vendors (Cisco, Checkpoint, Juniper, Barracuda, SonicWALL) offer VPN software that works with their products. VPN connections and security certificates or tokens can help secure communications between endpoints, allowing prying eyes to view only scrambled information. There are many choices available for VPN software—some proprietary and some open-source (here are LifeHacker’s five)—for every budget and device.
3. Strengthen your permissions and passwords. Typically, we grant individuals access to particular information, done with network permissions secured by handshake in some fashion, often using just a password. But this can be a very weak link. A password works best when it keeps an intruder guessing. But the time it takes to guess a password is shrinking as computers get faster at “brute forcing” a guess. So passwords not only need to be fairly complex, but also changed fairly frequently. The Internet offers many examples for creating strong passwords. You can learn more about password strength from Microsoft and test the strength of passwords with its Secure Password Checker tool.
Two-factor authentication—a form of access best described as providing something we know and providing something we’re expected to have—is becoming more common. Using this method, users can only complete access to a system by using a combination of passwords and passcodes sent via text messaging, physical hardware keys or dongles, biometric confirmations or additional prompts to which answers have been pre-set. Trustwave is one of several vendors offering these services, and many of the big-name Internet services are now rolling out two-factor authentication.
4. Inoculate against viruses. There are many well-known vendors in the antivirus area. To name a few, tools from Symantec-Norton, Kaspersky, Sophos, Vipre, Trend-Micro, Avast and McAfee serve to protect your assets from rogue computer virus infections. An entire class of malevolent infections (malware) emanate primarily through infected and compromised web pages. One product that earns high praise for prevention and remediation here is Malwarebytes.
5. Monitor diligently. Finally, the only way to verify that your law firm data is secure is to monitor the systems. Use logging tactics and scrutinize those logs for things that may seem suspicious. Intrusion detection systems can check files and data against what things are expected to be. When things change unexpectedly, an alert can be triggered, requiring immediate closer examination. There are many tools (such as GFI LANguard Events Log Monitor) and consulting services that can help keep an eye on your systems.
Don Wright is Information Systems Manager for the Association of Legal Administrators (ALA), with 30 years of experience in systems architecture and IT security.
»Top cloud-based practice management software: Free 30-day trial!
»Manage my legal practice from anywhere on any device—HoudiniEsq.
»Quality attorney leads. Reach prospects online. 10 free leads.
»Learn more about the easiest way to get paid.
»Get connected with law firm managers! Association for Legal Administrators (ALA).
»Simplify your practice with legal practice management in the cloud.