Website Security Basics for Lawyers
Most lawyers are wary of sending confidential client information via email. They understand that email isn’t 100 percent secure, and many go to great lengths to set up cloud exchange systems where they can more securely transmit client documents. When it comes to their own websites, however, many lawyers are rather lax—after all, client information isn’t stored online so what is there to worry about?
Recently, a national attorney membership group’s website was hacked. Luckily, the issue was quickly noted and only one page was affected. The old page was restored and the damage was seemingly minimal. But imagine if the same happened to your law firm’s site and the hacker added derogatory comments about one of your principals, or replaced all of your content with information selling some new product. The threat is very real and can have seriously damaging effects, especially if the breach is not immediately noted.
Here are some basic but critical steps you can take to protect your site—and make sure that the only one gaining access to your online home is you.
- Know what accounts are linked to your website and make all of the passwords different. It’s amazing how many lawyers are not intimately familiar with their online setup. In most cases, a firm has its domain names with one registrar, its website hosted on another server and its email hosted on yet another server. Get a solid understanding of the setup (even if you outsource this to a local IT group) and make sure that each control panel has a separate username and password. It won’t matter if your website server is secure if someone can easily log into your registrar’s control panel and point your domain to another server with the bogus site that they’ve created. Account passwords should never be limited to a simple dictionary word. At minimum, make sure that all online account passwords are at least seven characters and contain one upper- and one lower-case letter with at least one number in the mix.
- Ensure that your website server is protected against brute force attacks. Many online security breaches occur through brute force attacks. Generally speaking, a brute force attack occurs when a software program goes to a login screen and enters in hundreds of thousands of username and password combinations in hopes of gaining access. This can be done in a matter of minutes and may give hackers ftp access to your site should they stumble across the correct login credentials. To ensure that your firm’s website does not fall prey to this, it’s essential to have safeguards in place to prevent brute force attacks. You can easily test to see if your content management system or server utilizes this technology. Simply try logging in with the incorrect login credentials several times in a row. After a few failed attempts, does it tell you that the account has been locked or to enter a CAPTCHA? If so, your site should be protected against these malicious attempts.
- Make sure that all login pages are encrypted. As a general rule of thumb, you should make certain that whenever you enter online login credentials it is done through a secure connection. The simplest way to confirm that is to take a look at the full URL. If it is just “http://www.mywebsite.com” it’s not an encrypted page. To be safe, it should have an “s” just behind the “http” so that it reads “https://www.mywebsite.com.” To be extra cautious, try removing the “s” and see if you are still able to log in. If you are, the site is not really secure. For complete site security, check encryption for your domain registrar, website content management system and any login portals that may appear on your site (for client access or remote staff access).
Nothing online can be completely secure, but by taking a few extra steps you can make sure that your practice’s website is not an easy target for silly pranks or dangerous attacks.
Victoria Stovall is Vice President of Amicus Creative Media, a law firm website design and marketing company. An avid writer and self-proclaimed “marketing geek,” Victoria has written extensively on branding, search engine optimization, website development, blogging and social media.