Cybersecurity Best Practices: Cyberattacks Against Law Firms
Cyberattacks against law firms have increased over the last few years and it’s going to get more intense. While more law firms than ever are aware of the dangers of attacks and are engaged in securing their law firms, attackers are constantly using more sophisticated techniques to gain access to a firm’s data. Protecting against cyberattacks is not a battle that will end anytime soon, if ever. In discussing the likelihood of a law firm data breach, consultants and experts now speak of “when, not if.”
Cyberattacks Against Law Firms are Real
Why are hackers focusing more on law firms? First, law firms obtain and store extremely sensitive and valuable client data, yet as a whole, the legal industry tends not to use the most sophisticated cybersecurity protocols. Second, a hacker can more easily steal a client's information from its law firm, because the firm holds a smaller, more concentrated set of that data than the client itself stores.
What can law firms do to thwart a law firm cyberattack? There are at least 10 best practices that a law firm can exercise.
1. Inventory and Risk Assessment
To begin, you must know where the law firm stands as far as hardware, software, and data. The first step, therefore, is to develop an inventory of all the firm’s hardware, such as computers, servers, printers, and smart devices. List all serial numbers and location of the devices or who has possession of the devices.
Next, catalog all software along with its keys, passwords, licenses, and versions. List all online services that the firm uses.
Finally, identify your data: where it is stored, who created it, and with whom it is shared. Note whether it is subject to legal or regulatory restrictions such as HIPAA.
2. Evaluate Your Firm’s Cybersecurity Systems
Stephenie W. Yeung asks five questions in “Cybersecurity for Midsize and Smaller Law Firms: 10 Tips to Take Action Now.”
- Is access to your systems controlled on a need-to-know basis?
- Is access to your computers or smart devices encrypted with passwords?
- Is a record of these passwords kept in a secure file?
- Have you employed two-factor authentication for access to your enterprise network?
- Do you have the most current anti-virus software and firewalls in place?
3. Use Basic Security Tools to Prevent a Law Firm Cyberattack
Spam filters are the most common type of security tool. To prevent a law firm cyberattack, ensure that your firm also uses anti-spyware, software-based firewalls, and antivirus protection for desktops/laptops, email, and networks. Also, install intrusion detection and prevention systems. This follows the advice of the American Bar Association's 2017 Survey.
4. Evaluate Your Vendors’ Security
Ask to see your vendor's security certificate. Review the vendor's security program as you would your own, making sure they maintain the same or stronger security controls than your own law firm. The primary takeaway is to be vigilant about law firm data, and most especially client data. This includes defending your own systems as well as making sure that any person or organization with access to the data is protected by equivalent policies and protocols.
5. Consider Security Standards
Many law firms are moving towards using security standards such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). Some firms use all or part of the guidelines.
6. Develop Policies and Staff Training
The American Bar Association’s 2017 Survey indicates that 25 percent of respondents reported that their law firm did not have a cybersecurity policy while 7 percent of respondents reported that they didn’t know whether they had a policy. Not only does your law firm need a policy, but attorneys and staff must be trained on the policies. Employees need to be trained to recognize red flags. More often than not, a law firm data breach occurs due to an unintentional mistake of a staff member mishandling email.
In “Three Cybersecurity Practices Your Firm Needs to Protect Your Clients’ Data,” Jackson Burke lists four items that a cybersecurity policy should address.
- The information you care about and why it needs to be protected;
- How the information will be protected;
- Who is charged with enforcing your policies and procedures; and
- To whom the policies and procedures apply.
7. Use Secure Methods to Handle Your Data
Files should be protected while in storage as well as while in transit. Burke suggests that you use an encrypted email service or an encrypted file-sharing service to exchange information. If you do not have an encrypted email or file-sharing service, then zip your files and add a password to the zipped archive.
8. Use a Reliable Backup System
In the event of a catastrophic incident such as a fire, severe weather, or a ransomware cyberattack, having a good backup system will be invaluable. Decide how often the system should back up the law firm's systems, whether daily (preferred), weekly, or monthly.
9. Care with Wireless Networks
Be aware that wireless networks pose all sorts of security risks. It is simply best not to use them because they are easily breached. Instead, try using a virtual private network (VPN), which acts as an encrypted tunnel over the Internet.
10. Consider Purchasing Cyber Insurance
Again, concerning the safety of law firms, it's "when, not if" a cyberattack will succeed against a law firm. Having a solid cyber insurance plan in place could cover the costs of consultants, new equipment, marketing, and other associated expenses.
It is critical that you have a plan in place before your firm suffers from a law firm cyberattack. You don’t want to be caught flailing after you face a law firm data breach. In your plan, pay particular attention to communications. It is imperative that the law firm be the one to share the unhappy news rather than having a client stumble on the information.