
Law Firms: Soft Targets; Hard Truths


Note: This post was penned by Christopher Anderson and originally published in Attorney at Work in June 2014.

Are law firms really a “soft underbelly” for hackers? Yes, according to numerous legal security experts and recent news reports. Several corporations are now demanding that their law firms take increased security measures to protect the corporations’ own businesses.

So why are law firms on the hacker radar these days? Quite simply, because law firms, especially smaller and mid-sized firms, tend to lack the level of security their corporate clients have. This gives hackers a proverbial “back door” into the confidential and privileged data of more secure businesses by way of the law firm.

The Soft Target: Law Firms

Surprisingly, the biggest threat to law firms today comes from within the walls of the organization. Many law firms have some type of security measures and plan in place; however, these measures need to be continuously tested to ensure protection against the latest threats. Using a “check-off-the-list” security methodology can make law firms a “soft target” for hackers. Adding insult to injury, many seemingly harmless day-to-day activities of law firm employees also put them at risk.

Think about the last time you visited your firm’s reception desk. Chances are there was a sticky note taped to the desk with a myriad of passwords and other confidential information on it. How do you know visitors to the firm aren’t trolling for this type of information? Also think about what happens to the old hardware every time the firm upgrades to new devices: not just computers and laptops, but tablets, phones and even copiers and thumb drives. These are all questions law firms should be able to answer with confidence, and the list goes well beyond passwords and discarded devices.


How Can Firms Protect Themselves?

What can law firms do to protect themselves? The good news is there are several ways law firms can mitigate security risks. The first step requires acknowledging that the firm is not immune from a security breach. For those of you who think your firm is not being targeted, I would argue that you’re just not looking.

Even so, that thinking has to balance bona fide threats against paranoia. Here are 12 practical steps law firms can take to protect their confidential information.


12 Ways to Protect Your Firm

  • Use Firewalls. Any firm that uses computers must use firewalls; it is that simple. Apply them both at the network perimeter and on individual computers. A firewall is the first line of defense: it inspects traffic entering and leaving the firm’s network, allows only the connections you have explicitly permitted, and blocks everything else, including traffic that looks illegitimate.
  • Use Strong Passwords. Don’t use passwords that are too short, and avoid personal information such as a child’s name or a birthday, which is easily guessed. Length matters more than symbol-juggling: a long passphrase beats a short string of special characters. The original post recommends howsecureismypassword.net to gauge a password’s strength and estimate how long a hacker would take to crack it. If you use a checker like that, never enter a password you actually use; test a similar pattern instead, and prefer a password manager that generates and stores a unique password for every site.
  • Use Good Hygiene. Going back to the sticky note example, make sure you are practicing good hygiene by ridding the office of easy access points such as written-down passwords and unlocked, unattended screens.
  • Remove Residual Data. Know how to browse the web securely, and remember that every website you visit leaves traces on your machine: cookies, cached pages, saved form data and download history. Clear this residual data regularly, and keep the disk it lives on encrypted so it cannot be read if the device is lost or stolen.
  • Use Caution on Social Media. Once you put information in the public domain such as posting it to Facebook, Twitter and YouTube, it can’t be taken away. Think carefully before posting sensitive information on social media sites, and have good policies around what others in the firm do. 
  • Wipe Discarded Devices. The legal industry is evolving rapidly and so are our devices. Make sure that as you upgrade to the newest tablet or smart phone you wipe the discarded device with a secure-erase tool that overwrites or cryptographically erases the storage; simply deleting files, or restoring factory settings on a device that was never encrypted, is not enough. Sometimes physical destruction of the drive is a good idea. Or, better yet, hire professionals to do it and keep their certificate of destruction.
  • Implement a Breach Plan. Do everything you can to prevent a breach, but assume hackers will eventually get ahead of you. Unless you already have a plan in place, work with a consultant or data breach management company to protect the firm’s assets. Know in advance how you will:
    • Protect and access data
    • Notify clients in the event of a breach
    • Get back up and running
  • Use Virtual Private Networks. VPNs are a great way to access firm information remotely and securely. If you frequently work on the road, invest in a privacy screen filter, which prevents those around you from viewing your screen. Also make sure to use HTTPS sites rather than HTTP sites: HTTPS encrypts the information between your browser and the website so that others on the same network cannot read or tamper with it in transit. It does not protect data already stored on your device; that is what disk encryption is for.
  • Document Security. Reviewing and sharing documents is fundamental to the legal profession. When shopping for cloud-based file sharing products, look for solutions that provide the following:
    • Secure file sharing
    • Secure file sync
    • Digital rights management
    • Secure web access
    • Mobile productivity
    • Terms and Conditions that reflect your duty to your clients around confidentiality, privilege and safekeeping
  • Know The Difference between the Public and Private Cloud. Not all cloud solutions are created equal. Public cloud offerings are those available to the public community, and are often free, or close to it. If you are considering using a public cloud offering, read the terms and conditions carefully and ask the following questions:
    • How will my data be protected? The provider’s security should be superior to your own and should be validated by independent third parties (the original post names eTrust, U.S. Data Centers and SysTrust); ask to see the audit reports.
    • Who will own the data? Understand what the provider will do with the data, and read the conditions so you know what happens if the government calls or if you cancel your subscription.
    • How readily available will the data be to you?
  The private cloud, by contrast, provides a privately hosted place to store and access data, where only those approved to use it are welcome. Typically there is a cost associated with private cloud offerings; however, many provide an important additional layer of control over who can reach the data.
  • Encryption. Make sure you know where your data is stored, and ensure the data is encrypted both while it is in transit and while it is at rest. Ask who holds the encryption keys: if the provider can decrypt your files, so can anyone who compromises or compels the provider.
  • Notification of Practices. Prepare language that clearly explains to clients how their data is stored and how it will be protected.
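To show why the “strong passwords” advice above comes down to length and unpredictability rather than clever symbol substitutions, here is an added Python example written for this page; it is not code from the original post or from howsecureismypassword.net. It estimates, offline, the search space an attacker must cover and the time that takes at an assumed guess rate, and it treats dictionary words and personal details (the child’s name or birthday the post warns about) as found immediately. The ten-billion-guesses-per-second rate and the short list of common passwords are constructed, illustrative values, not measurements.

```python
"""Offline password-strength estimate (added example, not from the original post).

Estimates the size of the search space a guessing attack must cover for a
given password and how long that takes at an ASSUMED guess rate. Running
this locally avoids the mistake of typing a real password into a website.
"""
import math
import string

# Assumed rate for an offline attack against a stolen password database.
# Illustrative figure, not a measurement; real rates depend on the hash used.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed sample of passwords any attacker tries before brute force.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def search_space(password: str) -> int:
    """Candidates a brute-force attacker must consider: alphabet ** length."""
    n = charset_size(password)
    return n ** len(password) if n else 0


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was chosen uniformly."""
    space = search_space(password)
    return math.log2(space) if space else 0.0


def crack_seconds(password: str, personal_terms=(), rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected seconds to find the password at `rate` guesses per second.

    A common password, or one containing a personal term (a child's name, a
    birth year), counts as found immediately: attackers try those first.
    """
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return 0.0
    if any(term.lower() in lowered for term in personal_terms if term):
        return 0.0
    # On average the attacker hits the password halfway through the space.
    return search_space(password) / 2 / rate


def strength(password: str, personal_terms=()) -> str:
    """Coarse rating: 'weak' if guessable or under 40 bits, 'fair' under 64 bits, else 'strong'."""
    if crack_seconds(password, personal_terms) == 0.0:
        return "weak"
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


def human_duration(seconds: float) -> str:
    """Render seconds using the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample inputs; the personal-term list is the kind of detail a
    # phisher could learn from the firm's social media pages.
    personal = ["emma", "1975"]
    for pw in ["password", "Emma2010", "Tr0ub4dor&3", "correct horse battery staple"]:
        secs = crack_seconds(pw, personal)
        print(f"{pw!r:32} {entropy_bits(pw):6.1f} bits  {strength(pw, personal):6}  {human_duration(secs)}")
```

Running the script shows the point of the advice: an eight-character lowercase password falls in seconds, a substitution-heavy eleven-character string survives for years, and a four-word passphrase of ordinary lowercase words outlasts both by a wide margin, while anything built from a name or birth year scores “weak” regardless of length. The absolute numbers depend on the assumed guess rate; the ordering does not.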

“Give me six hours to chop down a tree and I’ll spend four hours sharpening the axe.”  -Abraham Lincoln

Be Prepared

While no law firm is immune from a security breach, the most important step a firm can take to protect its data is to be prepared. This means developing a security breach plan and sticking to it. The system should be audited regularly, and clients and employees should be educated about the process and engaged in the dialogue. Security, after all, should be a way of life for law firms today.


About Frank Strong

Frank Strong is the communications director with Business of Law Software Solutions (BLSS), a division of LexisNexis. In this capacity he directs communications strategy and execution in support of BLSS products, including those for large law, small law and corporate counsel. With 15 years of experience in marketing communications for the high-tech sector, Strong previously served as director of PR for Vocus, which develops marketing, PR and media monitoring software. He has held multiple in-house PR roles with corporations and has also endured the rigors of billable hours, having completed stints at PR firms both large and small. A veteran with two deployments, Strong has concurrently served in uniform in reserve components of the military for 20 years, initially as an enlisted Marine and later as an Army officer. Strong holds a BA in Film and TV Production from Worcester State University, an M.A. in Public Communication from American University, and an M.B.A. from Marymount University.