
Cybersecurity Best Practices for Your Law Firm’s Remote Workers

By Tom Lambotte

Is your firm’s remote cybersecurity on par with your office? Consider incorporating these cybersecurity best practices for remote workers.


The American Bar Association polled nearly 2,000 members last year and found that 87% could work remotely if desired. In the same survey, close to 70% of the respondents said they worked remotely, part-time or all of the time. This means there’s a lot of decentralized production and use of confidential client data taking place these days. Unfortunately, this trend represents a significant cybersecurity risk.

Why? Because people who work outside the confines of a conventional business office tend to be not quite so guarded when they go online. The home, for example, is a relaxed environment, so there’s less vigilance when it comes to dangers like social engineering scams (i.e., phishing attempts, malware and ransomware attacks, all of which are increasing in frequency and diabolicalness).

Moreover, a significant portion of remote work is performed in unsecured out-of-home environments (unsecured from the IT perspective, that is). These environments include coffee shops, hotel lobbies, airport waiting areas, and other public places where the wrong people potentially can put their eyes on your screen and take note of things they shouldn’t (like login credentials and opened case files).

How to Follow Cybersecurity Best Practices for Remote Workers

The remedy is to make cybersecurity at home and elsewhere as good as it is at the office (assuming, of course, that what you’ve got in place at the office is top-notch to begin with).

To ensure remote cybersecurity is on par with office cybersecurity, you need to incorporate a number of best practices into your work routine. Let’s consider them one by one.

Start by Spelling Out the Rules

Set forth the policies that make clear to you and everyone in your firm what is and isn’t acceptable when using information technology in remote work environments.

Your law firm’s cybersecurity policies should address these matters:

  • Bringing personal devices into the network.
  • Physical workspace security.
  • Responding to data breaches.
  • Handling emails.
  • Working at home and in other remote locations.
  • Password construction and protection.
  • Website and apps security.

Provide Comprehensive Ongoing Cybersecurity Training

Everyone in your firm should receive remote work cybersecurity instruction — mandatory instruction, without exception. This training should teach how to:

  • Recognize phishing scams.
  • Dodge getting suckered into downloading virus-infected documents.
  • Avoid dodgy websites.
  • Hold passwords and login credentials exceedingly close to the vest.
  • Keep cybersecurity top-of-mind while working remotely.
  • Get immediate help when in doubt about anything cybersecurity related.

The thing about training is it can’t be a one-time deal or crammed into a single daylong session. People quickly forget important stuff when they’re deluged by it. The best practice is to train in small, bite-size units delivered incrementally over weeks or months.

Another training-related best practice is to heavily illustrate the lessons with relatable scenarios — real-life examples of the wrong and right ways to handle cybersecurity issues. It helps, too, if the examples are presented in story form (as opposed to bullet-laden PowerPoint slides) and sprinkled with humor. People tend to remember better if they learn while laughing.

Additionally, it’s considered a best practice to weave in simulations while training. For phishing scams, testing the firm’s users, including you, by planting fake emails in your inboxes is beneficial. The tester will note if you or your team take the bait, and you will get an assessment that reveals who among you might require more training.

Keep Systems and Apps Up to Date

Laziness is perhaps the most common reason people who work remotely don’t bother to update their devices — whether new drivers, software or apps — when updates become available. Sadly, failure to update creates serious vulnerabilities that hackers can exploit. Accordingly, it’s a best practice to leverage tools that can automate and enforce updates. When left to the end user, these updates don’t happen promptly, and your firm is at risk. 

Use Unique, Tough-to-Crack Passwords

This best practice applies to the creation, management and use of passwords. The opposite of a tough-to-crack password is one that requires only scant effort for cybercriminals to figure out — ones such as “password” or “123456” or any lazy variation based on personal information that is available online. The strongest passwords are made up of long strings of random alphanumeric characters unique to each place where a password is required. To create such passwords, you need a password generator app.

Set Up Multifactor Authentication

This particular tactic is a gold standard among cybersecurity best practices. Multifactor authentication prevents login if the person trying to gain access has only a username and password. Something more than those is required, or it’s a no-go. Most commonly, this will be a code that is texted to your cell phone, sent to your email or provided by an authenticator app. This could also be a challenge question that only the authorized user would know how to answer (for example, the name of your first pet). Or it could mean having to stare into a retina scanner or lay a hand atop a reader that checks fingerprints.
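The login rule described above, as an added example that is not part of the original article: a stolen password alone is rejected, and access requires the time-based code an authenticator app would show. The account data, salt, password and function names are constructed for illustration; the shared secret is the test value published in RFC 6238.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the usual authenticator-app default

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample account (hypothetical values, for illustration only).
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("x7Kq2mVb9TzR4wLp", SALT),
    "totp_secret": b"12345678901234567890",  # test secret published in RFC 6238
}

def login(password: str, code, now: int) -> bool:
    """Grant access only when BOTH the password and the current code match."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"])
    supplied = (code or "").encode()
    # Accept the current and previous time step to tolerate small clock drift.
    code_ok = any(
        hmac.compare_digest(
            totp(ACCOUNT["totp_secret"], now - back * STEP).encode(), supplied)
        for back in (0, 1)
    )
    return pw_ok and code_ok

if __name__ == "__main__":
    pw = "x7Kq2mVb9TzR4wLp"
    print(login(pw, None, 59))      # stolen password with no second factor
    print(login(pw, "287082", 59))  # password plus the app's current code
```

A code stays valid only for its 30-second step plus one step of drift allowance, which is why a code captured earlier stops working shortly afterward.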

Monitor the Dark Web Often

The dark web is where cybercriminals go to buy or sell stolen login credentials and confidential client data. The best practice response to the dark web is to keep continuous tabs on that hive of villainy for signs that your sensitive information has found its way there. For this, you’ll need to sign up with a service that scans the dark web continually on your behalf and provides timely warnings when it discovers data belonging to you, so that you can check whether any exposed passwords are still in use and immediately change the affected ones.

Stay Plugged Into Evolving Cybersecurity Best Practices for Remote Workers

An important point to remember about cybersecurity best practices for remote workers is that today’s best practices will likely not be the best tomorrow. For that, you can thank cybercriminals. They have their own best practices (nefarious though they may be) and are constantly improving on them to increase their chances of successfully knocking over your data bank.

So don’t rest on your laurels once you implement those best practices. Stay abreast of their evolution, and the danger of losing confidential data to online thieves will hew to the lower end of the risk scale.

Tom Lambotte

Tom Lambotte is a cybersecurity expert who has been in the legal tech industry for close to two decades. He founded BobaGuard, an affordable suite of turnkey cybersecurity solutions to help protect small and midsize law firms from getting hacked. Tom’s passion is helping legal entrepreneurs grow by leveraging technology. He is also CEO and founder of GlobalMac IT, a managed service provider that specializes in serving lawyers nationwide who use Macs. Tom and his wife live in Chardon, Ohio, with their four kids, mother-in-law, two dogs and a bunny. Connect with Tom on LinkedIn here.
