What’s that phrase from “The Godfather, Part III”? Oh yeah. “Just when I thought I was out, they pull me back in.” I left legal tech behind six months ago for Silicon Valley, and while things do move fast out there, legal tech moves at a slower, measured pace.
Truth be told, when I agreed to report on ABA TECHSHOW for Attorney at Work, I had no agenda for what I would cover. So I followed my curiosity. Naturally it sent me to the cybersecurity and privacy track. My biggest takeaway:
Basically, #cybersecurity is everyone's business because we're all targets. #ABATECHSHOW
— Gwynne Monahan (@econwriter5) March 17, 2016
Here are five others.
1. Two immediate steps for everyone. Three words: two-factor authentication. Turn it on everywhere you can. Now. One word: encrypt!
I was shocked by a statistic in the latest ABA TECHREPORT that 42 percent of law firms are using file encryption. Only 42 percent! Seriously. That number should be above 50 percent. Even operating systems, Macs included, come with encryption options! Apple makes it really simple: turn on FileVault.
There is no shortage of encryption tools today, from the super technical to the “hey, my grandmother can use it.” Go ahead. Google the phrase “encryption tools” and you get 49 million results. Google “encryption tools for law firms” and you get a little over a million. So, really, there is absolutely no technical reason for not encrypting your data right now. In fact, stop reading and start encrypting.
2. Know what you have and how they’re connected. Take a minute and think about the number of times you log in to something with your Facebook or Twitter or Google account. Better yet, take a minute and look at all the apps connected to your social profiles. Now, consider the technology you use in your law practice, and what is connected to what. Practice management systems. Dropbox. Box. Email. Billing software. Surprised? Thought so. It made me wonder if there’s a “Magic of Tidying Up” for law firms and their data.
Is there a "Magic of Tidying Up" for law firms and their data? #security #ABATECHSHOW
— Gwynne Monahan (@econwriter5) March 17, 2016
Not that you have to consider the feelings of data in your law firm, but do consider what gadgets, data and services you’re using. Make an inventory of all the gadgets and applications you use in your law practice. This way, you know what data is where, and how or if it’s connected to other data or applications and who has access. Creating such an inventory can help you identify weak spots, and also what you can disconnect and discard.
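A small sketch of such an inventory, added here as an illustration and not part of the original article: the service names, users and field names are constructed. Recording which account each service trusts for login or sync shows what else is exposed if one account is compromised, which entries lack two-factor authentication or encryption, and which entries nobody uses.

```python
from collections import deque

# Constructed sample inventory (hypothetical firm, not from the article).
# "linked_to" lists the accounts an entry signs in with or syncs from.
INVENTORY = {
    "google":        {"users": ["ana", "raj"], "two_factor": True,  "encrypted": True,  "linked_to": []},
    "dropbox":       {"users": ["ana", "raj"], "two_factor": False, "encrypted": True,  "linked_to": ["google"]},
    "practice_mgmt": {"users": ["ana"],        "two_factor": True,  "encrypted": True,  "linked_to": ["dropbox"]},
    "billing":       {"users": ["raj"],        "two_factor": False, "encrypted": False, "linked_to": ["practice_mgmt"]},
    "old_fax_app":   {"users": [],             "two_factor": False, "encrypted": False, "linked_to": ["google"]},
}


def exposed_by(inventory, start):
    """Entries reachable if `start` is compromised, following links transitively."""
    # Invert the links: for each account, which entries depend on it?
    dependents = {}
    for name, item in inventory.items():
        for upstream in item["linked_to"]:
            dependents.setdefault(upstream, []).append(name)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in dependents.get(queue.popleft(), []):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def weak_spots(inventory):
    """Entries missing two-factor authentication or encryption."""
    return sorted(n for n, i in inventory.items()
                  if not (i["two_factor"] and i["encrypted"]))


def discard_candidates(inventory):
    """Entries with no remaining users: candidates to disconnect and discard."""
    return sorted(n for n, i in inventory.items() if not i["users"])


if __name__ == "__main__":
    print("If google is compromised:", exposed_by(INVENTORY, "google"))
    print("Weak spots:", weak_spots(INVENTORY))
    print("Disconnect and discard:", discard_candidates(INVENTORY))
```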
3. Educate yourself and your people. Remember that we’re all targets, and that hackers are making themselves experts in both technology and human behavior. They’re using tools like social media and the telephone, in addition to increasingly sophisticated scripts and malware.
So, now that you know all the gadgets used by your law firm, the apps that are on them, who has access to what, and what data is where, it’s time to educate yourselves on best practices, and do’s and don’ts, when something seems suspicious.
Some of it is common sense, like not clicking on links from an email sent by an unknown person or company. Because hackers continually get more sophisticated, what looks like a typical email, or even an inquiry, can also be malicious. I heard one example related to a worker who was job hunting: The job hunter received a link to an opening of interest from a legal recruiter, except the recruiter wasn’t real and the link was malicious, letting the hacker access the laptop.
An often-cited resource is Krebs on Security, run by Brian Krebs. Bookmark it. The Federal Communications Commission’s page on cybersecurity for small businesses is also useful.
4. Consider hiring an IT company. A panelist pointed out that if you have one IT person, you have one set of skills. Now, that one IT person may be great at that one skill set, and it’s probably why you hired the person. Given the speed at which hackers learn, however, the panelist suggested hiring an IT company.
I could hear the grunts and balks in the room, until he explained that hiring an IT company expands the skill set for your firm. You don’t have to hire a large IT company with hundreds of employees. A small IT shop will do because, even if it is only 20 people, that is now 20 different sets of skills the solo or small firm lawyer can tap — and a depth of knowledge no solo or small firm lawyer can obtain on their own. An IT company can also help you educate, and stay informed. One panelist explained how IBM sends out a phishing email each month to test and train its employees.
Since it’s predicted that hacking will cost the world economy $445 billion (yes, with a “b”) this year, hiring an IT firm of even 20 people could save you money.
5. Ask your vendors about people security practices. You know that phrase about how you’re only as strong as your weakest link? Of course you do, because you ask vendors about data encryption, access and security.
So, do you ask about their people security practices? Whether they train their employees on things like social engineering practices? If not, consider adding such questions. Granted, you may not get an answer because they may not have thought about it, or they may decline to disclose their practices. We are all targets, however, and hackers will find whatever way they can to access information. If they can’t get it from you or your staff, they’ll try the products and services you use, so it’s better to ask than guess or, worse, find out the hard way.
Okay. If you didn’t stop reading earlier to start encrypting, this post is done — so go encrypt your data!