For most professionals in the legal field, success is measured by getting the most for your clients, bringing in new business, and staying up to date on the latest changes to the law.
But as the digital age expands and grows more complex, even the most adept attorneys can miss the mark when it comes to cybersecurity and data protection.
While the size of the business and the sensitivity of the information being stored will often dictate the full extent of a firm’s security needs, this article aims to discuss the basics.
For many non-IT professionals, the mere mention of software and operating systems can conjure images of tiny blinking lights, whirring machines, and a jumble of intimidating wires. In this article, we will help legal professionals take some easy first steps into building a more technologically secure business.
This process begins with understanding what the possible threats are, then taking simple precautions to prevent them.
Are data breaches really a problem?
According to the Breach Level Index (a database that tracks data breach statistics by date, location, and industry), nearly five million data records are lost or stolen worldwide every single day. That equates to about 60 records every second.
It should come as no surprise that high-profile breaches are becoming front page news like never before and with increasing frequency. In addition, with smaller breaches going unreported in the mass media, the numbers are likely much higher.
Of course, these breaches affect more than stakeholders’ blood pressures and company reputations; the monetary losses add up quickly. A 2017 study found the global average cost for a data breach to be $3.6 million dollars, or $141 per data record. In the U.S. it was even higher at $7.3 million.
Almost any business or organization can face security threats. For law firms, however, the stakes can be much higher due to the plethora of personal and transactional client data law firms are required to store for years.
Furthermore, a single breach can erode the foundation of a client’s trust in their counsel and harm a firm’s reputation beyond repair.
In short, data breaches in law firms can end up costing an attorney much more than just money.
With that in mind, attorneys and firms alike should regularly evaluate and improve their information security standards.
Passwords are the first line of defense against hackers who are looking to steal valuable data and emails. We all know that “12345” and “password” are surefire ways to get your confidential information stolen. So what makes a good password?
That’s Not Even a Word
When it comes to passwords, different combinations of capital and lowercase letters are helpful. Numbers are helpful too. Using symbols is even better. Make your “S” a “$”, turn your “I” into an “!”, and transform your “E” into a “3”. The possibilities are endless!
Perhaps your old password was the easy-to-crack “password”. Using the tips just described, you could change it to “p@$$w0rD”. This uses upper and lowercase letters, symbols, and the number “0” in place of the “o”. This is just an example, so find a word or phrase that is memorable to you and see what you can switch around.
But don’t make it too easy. The National Institute of Standards and Technology (NIST) recommends that passwords be at least 8 characters in length, and that passwords should not include dictionary words, repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’), or “context-specific words, such as the name of the service, the username, and derivatives thereof”.
In fact, studies show that once a password reaches 12 or more characters, it becomes very difficult to crack.
Change It Up
This has to be said: Don’t share passwords, and don’t use the same password across multiple websites and apps. If one password gets stolen, then they’re all going to be compromised.
This is where a password manager comes into play. Password managers are secure tools to store usernames and password information, all while making it simple to keep track of everything. The key here is to minimize the damage if you get hacked. Apps such as LastPass, Dashlane and 1Password are just a few of the many options that will get you up and running in no time.
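The NIST rules quoted above, together with the “never reuse a password” rule, can be turned into a concrete check. The following is an example added to this article (it is not NIST’s code or that of any password manager); the common-password blocklist, the symbol-substitution table and the per-site hash table are constructed for illustration. Note that the check undoes common symbol substitutions before the dictionary test, so a substituted dictionary word is still recognised as that word.

```python
"""Password acceptance checks modelled on the NIST guidance quoted above
(minimum length, no dictionary words, no repeated or sequential characters,
no context-specific words) plus the rule that a password must not be reused
on another site. Example code added to this article, not from NIST or any
product; the blocklist and the per-site hash table are constructed."""
import hashlib
import re
from typing import Dict, List, Optional, Set

MIN_LENGTH = 8     # NIST minimum cited in the article
RUN_LENGTH = 4     # 'aaaa', 'abcd' or '4321' counts as a repetitive/sequential run

# Constructed stand-in for a dictionary / common-password list; a real deployment
# would check against a large breached-password corpus instead.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "12345678"}

# Common symbol-for-letter substitutions, undone before the dictionary check so
# that a substituted dictionary word is still recognised as that word.
LEET = str.maketrans("@$!3014", "asieola")


def site_hash(pw: str) -> str:
    """Hash used to compare against passwords stored for other sites."""
    return hashlib.sha256(pw.encode()).hexdigest()


def _normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def _has_run(s: str, n: int = RUN_LENGTH) -> bool:
    """True if n consecutive characters are identical or step by exactly one
    code point each (e.g. 'aaaa', 'abcd', '1234', 'dcba')."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _context_words(username: str, service: str) -> Set[str]:
    """Username, service name, their alphanumeric parts and their reversals."""
    words = set()
    for base in (username, service):
        for part in re.split(r"[^a-z0-9]+", base.lower()):
            if len(part) >= 3:
                words.add(part)
                words.add(part[::-1])
    return words


def check_password(pw: str, username: str, service: str,
                   other_site_hashes: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of rules the candidate breaks (empty list = acceptable).
    other_site_hashes maps site name -> site_hash() of the password used there,
    so reuse is detected without keeping plaintext passwords in this check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = _normalise(pw)
    if any(word in norm for word in BLOCKLIST):
        problems.append("contains a dictionary word or common password")
    if _has_run(pw.lower()):
        problems.append("contains repetitive or sequential characters")
    if any(word in norm for word in _context_words(username, service)):
        problems.append("contains the username or service name")
    if other_site_hashes:
        digest = site_hash(pw)
        reused = sorted(site for site, h in other_site_hashes.items() if h == digest)
        if reused:
            problems.append("already used at: " + ", ".join(reused))
    return problems


if __name__ == "__main__":
    # Constructed vault entry for another site, stored as a hash.
    vault = {"webmail": site_hash("Tr0ub4dor&3")}
    for candidate in ("p@$$w0rD", "aaaa1234", "jsmith-2024!", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        result = check_password(candidate, "jsmith", "FirmPortal", vault)
        print(f"{candidate!r}: {result or 'OK'}")
```

Each rule reports separately, so a user (or a password manager enforcing a firm policy) learns exactly which of the NIST conditions was missed rather than seeing a bare rejection.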
Beyond Just Passwords
Lawyers should also consider multi-factor authentication. You’ve probably used it before, but just didn’t know it.
According to NIST, “[t]he classic paradigm for authentication systems identifies three factors as the cornerstones of authentication: (1) something you know (e.g., a password); (2) something you have (e.g., an ID badge or a cryptographic key); (3) something you are (e.g., a fingerprint or other biometric data).”
Combining more than one of these three paradigmatic authenticators is called “multi-factor authentication”. If you’ve ever logged into an account and are then asked a security question (mother’s maiden name, school mascot, etc.), you’ve used multi-factor authentication. Think of it as using a combination to open your safe and then using a key to open a box inside.
Multi-factor authentication is a two-step process that takes your password (something you know) and another contact device like your phone (probably in your pocket or hand right now) and creates a hacker-resistant combination. With multi-factor authentication you enter the password and a code that’s sent to your phone or email to complete the log-in process.
Requiring both a “proof of knowledge” (password) and “proof of a physical key” (phone) is very helpful, and you’ll significantly increase the protection you offer your clients by using it.
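To show what the second step described above involves on the receiving end, here is an example added to this article (not code from any authentication product): after the password is accepted, the server issues a short random code, sends it out of band, and accepts it only once, only within a few minutes, and only for a handful of attempts. Delivery is represented by a stand-in function and the clock is injectable, both assumptions made for illustration.

```python
"""Server-side handling of the second factor the article describes: after the
password is accepted, a short random code is sent to the user's phone or e-mail
and must be entered to finish logging in. Example code added to this article,
not from any authentication product; delivery is a stand-in callable and the
clock is injectable so expiry can be demonstrated without waiting."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # a sent code is good for five minutes
MAX_ATTEMPTS = 3        # then the code is burned; the user must log in again


class OneTimeCodeStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, dict] = {}   # username -> {"hash", "expires", "attempts"}

    def issue(self, username: str) -> str:
        """Create a fresh random code for this user and return it for delivery.
        Only a hash is kept, so someone reading the store cannot see live codes;
        the expiry and attempt limit are what stop a 6-digit code being guessed."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = {
            "hash": hashlib.sha256(code.encode()).hexdigest(),
            "expires": self._clock() + CODE_LIFETIME_S,
            "attempts": 0,
        }
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """True only for the current, unexpired code. The code is consumed on
        success and discarded after MAX_ATTEMPTS wrong guesses or on expiry."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).hexdigest(),
                                 entry["hash"])
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]
        return ok


class FakeClock:
    """Adjustable clock for demonstrations and tests."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def second_factor_login(store: OneTimeCodeStore, username: str, password_ok: bool,
                        prompt: Callable[[str], str],
                        deliver: Callable[[str, str], None]) -> bool:
    """Password first; then a code is delivered out of band and read back via prompt."""
    if not password_ok:
        return False
    deliver(username, store.issue(username))
    return store.verify(username, prompt(username))


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent: Dict[str, str] = {}
    # deliver= stands in for SMS/e-mail; prompt= returns what the user typed,
    # here exactly the code that was delivered.
    ok = second_factor_login(store, "alice", True,
                             prompt=sent.pop, deliver=sent.__setitem__)
    print("login succeeded:", ok)
```

The three properties worth noticing are that a code works once, that it stops working after the lifetime, and that a few wrong guesses invalidate it; a six-digit code has only a million possibilities, so without the attempt limit the second step would add little.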
Now that you know the basics of how to improve your law firm’s security, keep in mind this is only part of the modern lawyer’s toolkit. Even with a strong password, hackers will attempt to break into your firm’s personal data.
You may have heard the term “phishing”. You get an email from what looks like a legitimate company, which encourages you to reveal information like passwords and other personal information.
While phishing is geared toward a broader audience, spear phishing is more targeted. Spear phishing attacks focus on specific employees or individuals inside a company. When those who have been targeted open the infected email link or attachment, the hackers can move forward with their targeted attack.
Because spear phishing is more a result of human error than technical error, it’s crucial that employees are trained in the myriad phishing techniques. Being vigilant in spotting emails with misspellings, odd vocabulary or unusual file formats can save a mountain of headaches for your firm down the road.
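The tells listed in this section can also be applied automatically before a message reaches a lawyer’s inbox. The following is an example added to this article (not code from any mail product): it scores a message for a sender that only looks like a known organisation, for a request to reveal passwords or account details, and for attachments in unusual file formats, then decides whether to deliver, flag or quarantine. The partner-domain table, the extension lists and the sample messages are all constructed, and the rules are deliberately simple heuristics to illustrate the checks.

```python
"""Mail triage rules for the phishing tells described above: a sender that only
looks like a legitimate company, a request to reveal passwords or account
details, and attachments in unusual file formats. Example code added to this
article; the partner-domain table and the sample messages are constructed."""
from typing import Dict, List, Tuple

# Constructed: organisations the firm hears from, and the domains they really use.
KNOWN_SENDERS: Dict[str, set] = {
    "acme bank": {"acmebank.example"},
    "court e-filing": {"efile.courts.example"},
}

# File types that have no business arriving as attachments at a law firm.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "iso", "lnk",
                    "docm", "xlsm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

CREDENTIAL_PHRASES = ("password", "verify your account", "confirm your login",
                      "update your credentials")


def sender_findings(display_name: str, address: str) -> List[str]:
    """Display name claims a known organisation, but the address domain is not theirs."""
    domain = address.rsplit("@", 1)[-1].lower()
    for org, domains in KNOWN_SENDERS.items():
        if org in display_name.lower() and domain not in domains:
            return [f"sender claims to be '{org}' but writes from {domain}"]
    return []


def attachment_findings(filenames: List[str]) -> List[str]:
    """Executable/script attachments, and document names hiding a second extension."""
    findings = []
    for name in filenames:
        parts = name.lower().split(".")
        if len(parts) > 1 and parts[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' is an executable or script type")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment '{name}' disguises its real extension")
    return findings


def body_findings(body: str) -> List[str]:
    """Phrases that push the reader to hand over credentials."""
    text = body.lower()
    return [f"asks for credentials ('{p}')" for p in CREDENTIAL_PHRASES if p in text]


def triage(message: Dict) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdict is 'deliver', 'flag' or 'quarantine'."""
    findings = (sender_findings(message["from_name"], message["from_addr"])
                + attachment_findings(message.get("attachments", []))
                + body_findings(message["body"]))
    if any(f.startswith("attachment") for f in findings) or len(findings) >= 2:
        return "quarantine", findings
    if findings:
        return "flag", findings
    return "deliver", findings


# Constructed sample messages.
SAMPLES = [
    {"from_name": "Acme Bank Security", "from_addr": "alerts@acmebank-secure.example",
     "body": "Unusual activity detected. Verify your account and password within 24 hours.",
     "attachments": []},
    {"from_name": "Acme Bank", "from_addr": "statements@acmebank.example",
     "body": "Your monthly statement is attached.",
     "attachments": ["statement-2018-08.pdf"]},
    {"from_name": "Parcel Desk", "from_addr": "notice@parcel-track.example",
     "body": "Your package could not be delivered; see the attached label.",
     "attachments": ["label.pdf.exe"]},
    {"from_name": "Jane Doe", "from_addr": "jane@firm.example",
     "body": "Could you remind me of the password for the shared drive?",
     "attachments": []},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, why = triage(msg)
        print(f"{verdict:10s} {msg['from_addr']:35s} {'; '.join(why)}")
```

The design choice is to treat any executable or disguised attachment as enough on its own to quarantine, while a single soft signal such as the word “password” from a colleague only flags the message for a second look, which keeps the filter from blocking routine internal mail.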
In June 2017, a large law firm was paralyzed by Petya malware. Upon turning on their computers, they were greeted with a message that company files had been encrypted and the only way to get them back was to purchase a decryption key from the hackers. The digital lockdown included a full day without phones, six days without email and nearly two weeks of limited access to important company documents. The firm was able to contain the attack and restore some files, but the extent of the losses is not fully known.
Whether it’s securing servers, backing up files, or identifying holes in your security, to name just a few measures, make sure your firm has a strategy in place in case a ransomware attack happens.
Part of a full data protection strategy might involve purchasing cyber insurance. This is an industry estimated to reach almost $30 billion by 2025.
A 2015 survey from the American Bar Association found that almost a fourth of law firms with 500 or more employees have experienced a cybersecurity breach.
Consider looking for coverage independent of a professional liability policy, and take into account pre-existing cybersecurity problems that may be present and not yet identified. It’s important to remember, however, that cyber insurance should be used in conjunction with, and not as a replacement for, your firm’s cybersecurity.
Understanding cyber security standards
With the principal objective being to reduce and eliminate cyber attacks, an array of published materials is available to keep the public informed on the latest changes to cybersecurity standards.
For example, a 2016 U.S. security study reported that 70% of the surveyed organizations see the NIST Cybersecurity Framework as the leader in the field. NIST utilizes test labs focused on math, computer science and engineering to promote innovation and development within the tech industry.
Recently, NIST made some changes that it believes will improve password management. One of the recommendations is NOT to change your password periodically. The practice has been followed for years, but NIST has found it to be counter-productive to good password management.
Staying on Top of It
Lawyers are only as good as the security and confidentiality they can offer their clients. Hackers are becoming smarter and bolder. By taking the proper precautions, you can remain a step ahead.
This article first appeared in Law Technology Today on 8/21/18.