At Frontier Software, we’re well aware of how important it is for law firms to protect their data. In 2017, 22% of law firms reported having been hacked or having suffered a data breach, according to that year’s American Bar Association (ABA) Legal Technology Survey. In 2019, China-linked attackers hacked a U.S. practice involved in intellectual property work, evidencing the risk of state-sponsored cyberattacks from China as well as from Russia and Iran. This is just a sampling of the evidence that law firms face a high risk of cyber attacks, and it illustrates why the ABA amended Model Rule 1.6 in 2012 to require lawyers to make reasonable efforts to prevent unauthorized access to, or disclosure of, client information.
Then, in October 2018, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, outlining the ethical obligations attorneys have when client confidentiality is breached online. It included detailed and specific guidance for responsibly managing “highly sensitive information.”
Law firm data security requires multiple lines of defense working seamlessly together to protect clients, the practice, and the public. That makes cybersecurity for law firms not just a complex task but also an ongoing one. A single successful phishing email sent from a spoofed address, or a single exposed website or application, can give an attacker a foothold from which to reach your entire IT system. And attackers adapt to new defenses all the time. That’s why we put together this comprehensive guide to cyber-security for law firms.
Identify Your Firm’s Cyber Assets
The first step to protecting your law firm’s security is to identify the assets you need to secure, or, in other words, the technologies hackers may try to access. You can only determine what needs explicit protection by taking a complete inventory of your practice’s IT assets. The easiest way to do this is by creating a document listing each of your company’s IT assets. Later, you will add your company’s practices for securing those assets to this list.
Does your firm have wired networks (LAN) and/or Wi-Fi networks to connect to the internet? If so, who can access your network? Who has the password, and who can obtain it? Do you also have a guest network? Do you use a virtual private network (VPN) to encrypt traffic when users connect remotely? The more people, both within and especially outside your practice, who can access your network, the more potential exposure you have to law firm cyber attacks.
Hardware and Systems
Next, take note of all the legal office supplies, equipment, and devices you have connected to these networks. Consider not just computers (PCs and laptops alike) but also:
• File servers
• Network-attached storage (NAS)
Any IT linked to your network is another potential breach point.
Software and Data
Now, look at what applications you use while on the network and the data this software collects or dispenses. Which business software do you use in your practice? Common applications in law practices, each of which holds client data that needs protecting, include:
• Document management tools
• Practice management suites
• Payment and billing solutions
What information does each of these manage for your firm, and where is that data stored: on-premises, in the cloud, or both? Remember to account for any archives or backups your practice may also keep in other locations.
System and Network Users
As previously alluded to, who has an account on your systems, and what capabilities and privileges does each person have? Have your staff verify this information to help you ensure its accuracy. This list can help you home in on the vulnerabilities in each area.
Improve Password Management
Beginning with the premise that your network is password-protected (as it should be), examine how your practice manages passwords. Remember that your systems are only as secure as the passwords of those with access to them.
Create Strong Passwords
First and foremost, make sure that each staff member with access to your networks uses a strong password. Guidelines for creating a strong password are:
• Never reuse a password for more than one purpose; use different passwords for each application on the network and for the network itself, so that one leaked password compromises only one account.
• Use at least 12 characters; a passphrase of several random words is longer still and easier to remember.
• Use a combination of letters (uppercase and lowercase), numbers, and symbols.
• Avoid familiar words and common phrases, including foreign words, slang, and jargon, and avoid trivial variations such as a word followed by a digit and an exclamation mark.
• Avoid personal information like birthdays and the names of pets, which an attacker can find on social media.
• Change a password immediately if you suspect it has been exposed. Forcing everyone to rotate passwords on a schedule is no longer recommended (NIST SP 800-63B), because it tends to produce predictable variants of the old password.
Utilize a Password Manager
While we recommend using a different passphrase for every application you utilize in your practice, as well as for the network itself, you don’t need to memorize all those passwords. And you certainly shouldn’t write them down anywhere. Instead, use a password manager.
A password manager, like iCloud Keychain, Google Password Manager, or 1Password, is a secure application that stores all your passwords in one encrypted vault. The only password you need to remember, then, is the one master password that unlocks the manager itself, so make that one a long passphrase and protect the account with multifactor authentication.
Most good password managers can also generate strong random passwords for you, and, because they fill credentials only on the site they were saved for, they will refuse to fill a look-alike phishing site.
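The guidelines above and the generator built into a password manager can both be expressed as code. The following is an added example, not part of the original article or of any product it names: it scores a candidate against the guidelines (length, character classes, personal terms) and against a breached-password corpus using the same k-anonymity lookup as the Pwned Passwords service, in which only the first five hex characters of the SHA-1 hash leave the client. The four-entry breached list, the 12-character floor, and the personal terms are constructed assumptions for the example; a real deployment would query the live service or a local copy of its data. It also compares the guessing entropy of random character strings with that of Diceware-style passphrases, which is what makes the "longer is better" advice concrete.

```python
import hashlib
import math
import re
import secrets
import string

# Constructed stand-in for a breached-password corpus, stored as upper-case
# SHA-1 hex digests the way the Pwned Passwords data is indexed. Assumption
# for this example only; real checks query the service or a local mirror.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "Welcome2024", "letmein")
}

MIN_LENGTH = 12  # floor assumed here; 8 characters falls to offline cracking
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Printable-ASCII alphabet sizes: 32 punctuation marks plus the space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(pw: str) -> set:
    return {name for name, rx in CLASSES.items() if rx.search(pw)}


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy, valid only if every character was drawn
    uniformly at random. A dictionary word with a digit appended scores well
    here yet falls to a cracker in seconds, which is why the breached-list
    check in check_password() matters more than this number."""
    n = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(n) if n else 0.0


def passphrase_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a random passphrase from a Diceware-style list
    (7776 words, one per five dice rolls)."""
    return words * math.log2(wordlist_size)


def breached_suffixes(prefix: str) -> set:
    """Simulates the k-anonymity API: given the first five hex characters of a
    SHA-1 hash, return the remaining 35 characters of every breached hash that
    shares the prefix. The full hash (and the password) never leave the client."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def check_password(pw: str, personal_terms=()) -> list:
    """Return the guideline violations for pw; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    lowered = pw.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    if digest[5:] in breached_suffixes(digest[:5]):
        problems.append("appears in breached-password list")
    return problems


def generate_password(length: int = 16) -> str:
    """What a password manager's generator does: draw from the OS CSPRNG
    (secrets, never random) and retry until the result passes the checks."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("Password1!", "Fluffy2019Birthday!", generate_password()):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate, personal_terms=('fluffy',))}")
    print(f"4-word passphrase: {passphrase_entropy_bits(4):.1f} bits; "
          f"8 random printable characters: {8 * math.log2(95):.1f} bits")
```

Note the comparison the script prints: a four-word Diceware passphrase (about 52 bits) is roughly as strong as eight fully random printable characters, and far easier to type, while "Password1!" scores a respectable 66 bits by the character-class formula and is still rejected because it appears in the breach corpus.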
Use Multifactor Authentication
Simply put, multifactor authentication (MFA) requires two or more independent means of proving identity before granting access to a network, system, device, or application; two-factor authentication (2FA) is its most common form. One factor is usually a password or passphrase (something you know). The second is typically something you have: a one-time code generated by an authenticator app such as Google Authenticator, a hardware security key, or a code sent by SMS or email to an address associated with the user attempting to gain access. While the password doesn’t change until the user changes it, the one-time code is different for every login attempt or time window. Prefer authenticator apps or hardware keys over SMS and email codes, which can be intercepted or redirected (for example through SIM swapping), and enable MFA first on the accounts that hold the most: email, the practice management system, and the password manager itself.
Strengthen Network Security Against Law Firm Cyber Attacks
Many law practices use Wi-Fi to give staff easy access to the network. Unfortunately, Wi-Fi extends that network beyond your walls: anyone within radio range can attempt to join it or eavesdrop on it. There are, however, some simple yet powerful ways you can fortify your network.
Tighten Access and Cyber-Security for Law Firms
Use the guidance above on improving password management to ensure your administrator password is as strong and secure as it can be. Never use the default password you received when first setting up your network as your administrator password; change it immediately.
Once you’ve secured administrator access, shore up network access. If your wireless router is like most, it has a primary Wi-Fi network along with wired, local area network (LAN) ports for direct connections and one or more guest networks. Never use the same network for staff and office devices as you use for guests. Consider setting up your Wi-Fi or LAN network as a private, in-office network and set up a second, separate network for visitors and clients.
Password-protect all access to your firm’s Wi-Fi networks. The prevailing standard for doing this is WPA2-Personal, also called WPA2-PSK (pre-shared key); WPA3-Personal is its successor and should be used wherever all of your devices support it. Do not leave a network on the older WEP or original WPA settings, which are broken.
This standard, however, relies on a single shared password for the whole network: anyone who learns it can join, and revoking one departed employee means changing it on every device. You can better secure your Wi-Fi networks using WPA2-Enterprise (or WPA3-Enterprise), which authenticates each user individually, with their own credentials or certificate, through 802.1X against a RADIUS server. This gives greater versatility of authentication options and is, therefore, ideal for larger firms with a lot of users. Be aware, though, that it demands extra configuration, so you may need the services of an IT person to implement it.
Restrict Guest Access
The guest network allows you to provide clients and visitors with internet access through a separate network, thereby preventing them from reaching your private network. That said, it’s still wise to curtail the use of your guest network and the number of people able to access it, so that you never accidentally grant them a path into more sensitive systems.
When you set up your guest network, the router will usually offer an option along the lines of “allow guests to access the local network” (sometimes labelled LAN or intranet access). Leave it off, so that guests cannot reach any of the systems wired directly to the router or connected to the staff Wi-Fi. When you do give someone the guest password, make sure you used your password manager to generate a strong one.
Ensure Physical Law Firm Security of Network Devices
Be mindful of the location of your router. Most routers have a button to press to reset the device to its original factory configurations. When that happens, you have only the default password protecting all your networks and systems. Therefore, make sure nobody who shouldn’t be able to press this button can get close enough to do so. Ideally, lock your router in a secure cabinet or other enclosure to prevent access to this reset mechanism.
Secure Internal Systems
Your networks are not the only way hackers can enter your systems. They can also get in through email spoofing, phishing, and other attacks that deliver malware to an employee’s device, so the devices themselves need protecting.
Keep All Internal Systems Updated
Systems receive updates for a number of reasons, one of the topmost being to improve cybersecurity protection. Hackers are constantly inventing and adapting malware to compensate for flaws and vulnerabilities in systems. If you fail to install the updates the makers of your various hardware and software systems issue, you expose those systems to attacks that utilize those very vulnerabilities the updates corrected.
Many systems support automatic updates, including operating systems like macOS and Windows and applications like Adobe Acrobat and Microsoft Office. If any systems you use offer automatic updates, make sure to enable them. That way, you don’t have to remember to keep your systems updated, as your systems will take care of it themselves.
Install Malware Protection Software
Install comprehensive antivirus or other anti-malware software on your systems, and configure it consistently across the firm. After that, be certain to enable real-time protection, which scans files as they are downloaded, opened, or executed rather than waiting for a scheduled scan. Schedule a full weekly scan of each system for a time when it doesn’t get in the way of work. If your systems run Windows 8 or later, Windows Defender (now Microsoft Defender Antivirus) is already preinstalled and just needs to be configured.
Enable a Firewall
A firewall examines communications to and from your computer systems and decides whether to permit or block each connection. In addition to limiting the spread of malware between devices, a host firewall keeps attackers on the same network from reaching services on a machine that were never meant to be exposed. Both Windows and macOS ship with a firewall; you just need to make sure it is turned on and configured.
Use the “Principle of Least Privilege”
This principle says to grant each user access only to the data and systems they need to do their job, on a “need-to-know” basis, and nothing more. In practice that means scoping access per matter or practice group rather than giving every staff member the whole document store, giving administrator rights only to the few people who administer systems, and reviewing and revoking access whenever someone changes role or leaves the firm.
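Least privilege is easiest to enforce when access is denied by default and granted per matter, and easiest to audit when you can list what each person can actually reach and compare it with what their role needs. The block below is an added example, not part of the original article or of any practice management product: a small deny-by-default authorization check with group-based grants, an "effective access" report of the kind the user inventory earlier in this guide calls for, and an excess-grant report that lists what to revoke. The firm, the users, the groups, and the matter numbers are constructed for the example.

```python
from collections import defaultdict

ACTIONS = {"read", "write", "share"}


class MatterAccess:
    """Deny-by-default authorization for client matters. A request is allowed
    only if a grant names the user, or a group the user belongs to, for that
    matter and that action. Anything not explicitly granted is denied."""

    def __init__(self, groups: dict):
        self.groups = groups                  # user -> set of group names
        self.grants = defaultdict(set)        # (principal, matter) -> actions

    def grant(self, principal: str, matter: str, *actions: str) -> None:
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self.grants[(principal, matter)].update(actions)

    def principals(self, user: str) -> set:
        return {user} | self.groups.get(user, set())

    def allowed(self, user: str, matter: str, action: str) -> bool:
        return any(action in self.grants.get((p, matter), ())
                   for p in self.principals(user))

    def effective(self, user: str) -> dict:
        """Everything the user can do, matter by matter: the inventory view."""
        out = defaultdict(set)
        for (p, matter), actions in self.grants.items():
            if p in self.principals(user):
                out[matter] |= actions
        return dict(out)

    def excess(self, user: str, needed: dict) -> dict:
        """Grants beyond what the user's role needs: the list to revoke.
        `needed` maps matter -> set of actions the role requires."""
        result = {}
        for matter, actions in self.effective(user).items():
            extra = actions - needed.get(matter, set())
            if extra:
                result[matter] = extra
        return result


def demo() -> MatterAccess:
    """Constructed firm: two attorneys, one paralegal, one billing clerk."""
    acl = MatterAccess(groups={
        "alice": {"attorneys", "team-acme"},
        "bob": {"attorneys", "team-globex"},
        "carol": {"paralegals", "team-acme"},
        "dave": {"billing"},
    })
    acl.grant("team-acme", "ACME-2023-001", "read", "write")
    acl.grant("team-globex", "GLOBEX-2023-007", "read", "write")
    # A firm-wide group grant is the classic over-privilege: every attorney,
    # including bob who is not on the ACME team, can now share ACME files.
    acl.grant("attorneys", "ACME-2023-001", "share")
    # Billing needs invoice data, not the matter file; this is too wide.
    acl.grant("billing", "ACME-2023-001", "read")
    return acl


if __name__ == "__main__":
    acl = demo()
    for user in ("alice", "bob", "carol", "dave", "mallory"):
        print(user, "can reach:", acl.effective(user))
    print("bob's excess:", acl.excess("bob", {"GLOBEX-2023-007": {"read", "write"}}))
```

Running `excess()` for each user against a per-role "needed" map, on a schedule, is the access review that turns the principle into a recurring check; the output is the revocation list, and an empty result for everyone is the target state.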
While, with the proper cybersecurity in place, you can plan for the best in data protection, you should also prepare for the worst. Being set up to weather a cyberattack if it does happen is another crucial component of total law firm cybersecurity. At the very least, this planning should include backing up all data regularly and securely, with at least one copy kept offline or otherwise out of reach of an attacker who has your credentials; at best, it should consist of a complete incident response plan that:
• Details how to identify potential breaches
• Explains what to do when a breach occurs
• Defines each staff member’s role in dealing with a cyberattack
• Outlines how staff members should and shouldn’t communicate about the cyberthreat
With such a plan in place, your IT team can monitor your systems, track risk, identify suspicious activities, and take action to protect your firm’s data security.
Are you ready to protect your law firm from cybersecurity threats? Schedule a free consultation with a law firm security solution specialist at Frontier Business Products.