You're working from home and a client urgently needs a document, but your computer at the office has shut down and you can't remote into your files.
They're waiting on you, so you retrieve the document from an email on your phone and send it to your personal Gmail account, where you're able to edit it and convert it to a PDF for your client. There, problem solved!
Does this scenario sound familiar? Working remotely with uncooperative technology can be very frustrating and inefficient, leading us to adopt workarounds that bypass the limitations of the system. Unfortunately, these workarounds can also introduce significant risk to your firm.
Now more than ever, stable remote access is a necessity for maintaining productivity and client service. But it also requires a secure IT infrastructure and employee adherence to best practices in order to avoid incidents that can cause serious disruption and even irreparable damage to your firm.
Law firms are prime targets for cyber criminals, and with so many employees now operating remotely, we anticipate an increase in the quantity and the level of sophistication of cyber attacks. In recent weeks, we've observed a higher number of phishing emails being sent to law firms and we expect this to ramp up.
In the scenario we presented above, saving sensitive files to a local drive or in a public folder in your Google Drive could open the door to a data breach. If your employees are using workarounds like this to access their files, they could inadvertently be putting your firm and clients at risk.
We've compiled the following best practices to help you keep your law firm's systems and data safe:
1. Reduce points of vulnerability
We love our mobile devices, and so do hackers. Avoid saving sensitive information on your laptop or tablet for any period of time. Even 'deleted' files can be retrieved from your hard drive and accessed, and if your laptop becomes infected by malware or if the files become corrupted, you could lose them forever. It also creates an easy path for hackers who are seeking entry into your system. The same goes for your home computer, where your IT technicians are unable to monitor and maintain anti-threat measures.
Keep all of your data in one secure, online location. Using one central platform, such as a Private Cloud, enables you to access and save files from any device while keeping your data safe from hackers. And, because systems are housed in a professional data centre, your data is protected from physical threats such as flood, fire or power surges. Ensure your data is hosted within Canada to avoid jurisdictional complications.
Often distributed by vendors at conferences, USB keys or 'memory sticks' are handy little things. But as our mothers always warned us, don't use it if you don't know where it's been. USB keys are common carriers of malware, spreading it from one device to another. They're also easily lost or stolen, and unless you're encrypting your files, the data they contain are easy pickings for hackers.
There's a wide variety of relatively secure, open-source applications available for storing and transferring data. Many, such as Dropbox, encrypt the data they host. But even the most secure file hosting sites are risky if they aren't managed properly. With Dropbox, the link to a shared document can be accessed by anyone who gets hold of it, and Google Drive folders need to have their privacy settings configured. If you save your client documents in the same folder you use to share notes with your book club, they're accessible to everyone in the group - and anyone who accesses their computer.
Don't:
- Store files on your laptop, tablet or home computer
- Store or transfer files on a USB stick
- Transfer confidential files via a third-party application without understanding the risks
Do:
- Store files on your computer in the office - every time
- Use a secure, Private Cloud platform with servers located in Canada
2. Ensure your connections are secure
Cellular data can be expensive or unreliable, so many lawyers opt to use public WiFi in locations such as coffee shops, airports and on public transportation. Unfortunately, public WiFi is not secure, and it's especially risky if your firm doesn't require a password to get into its network - it's practically an open door for hackers.
Some WiFi networks are actually fake, designed to trick you into signing on to their access point where they will capture your information.
Don't:
- Connect to public WiFi when working with sensitive files (including your email)
- Connect to public WiFi on a device that contains sensitive files
Do:
- Use Two-Factor authentication to protect your login credentials
- Confirm the WiFi account name and password with the venue
- Purchase an adequate data plan for remote use
3. Separate your personal and professional technology
Because they're familiar, employees are more likely to use their personal apps and devices when working offsite. However, the last thing you want is to have to explain to a client how their sensitive documents ended up in the inboxes of every parent of your employee's child's grade 4 class.
Allowing your employees to use their professional email for personal tasks invites all sorts of complications and risks; ensure your employees understand the importance of using their firm email for professional purposes only.
Ideally, professional devices should never be shared with family members. If you have employees using a single device for personal and professional purposes, such as their phone or their home computer, files and applications should be carefully separated. Home computers can be set up with different user accounts with their own folders and applications.
That said, no matter how you divide it, accessing and storing files on a local device increases firm vulnerability, as we pointed out above.
Don't:
- Enable your employees to store sensitive firm files on personal devices
Do:
- Develop a policy around firm email use
- Educate employees about the risks of sharing devices
- Develop a BYOD policy for your firm
- Consider a Private Cloud platform to keep your firm files completely separate and secure
4. Password best practices
There are many 'rules' for strong passwords, such as using multiple characters and numerical values, avoiding easy-to-guess words and dates, assigning unique passwords to each device or account, and changing those passwords regularly.
Good passwords are helpful for keeping a stolen device secure; however, even the strongest password won't protect you if a hacker gets hold of it. All it takes is a stealthy malware installation on your system - usually achieved by getting you to click a link - and the hacker can log your keystrokes, capturing your passwords and gaining full access to your system.
To combat this, many law firms use two-factor authentication, in which employees verify their identity by pressing a button on another device, usually their phone. This extra layer of protection is easy to implement and is a very effective safeguard against hackers.
Don't:
- Use easy-to-guess passwords
- Share your passwords with anyone, even colleagues
Do:
- Consider implementing Two-Factor Authentication for remote users
- Set all firm passwords to regularly update
- Educate your employees about sharing their passwords with one another or with outside parties
For a successful, modern law practice, security should never be a barrier to productivity. Keep track of any obstacles and inefficiencies your employees experience with remote access, and maintain an open dialogue with IT management.
If remote working is affecting your firm's productivity or your employees' stress level, it may be time to review your firm's IT infrastructure.