A client data breach is a nightmare scenario for legal professionals, and yet recent statistics show that the majority of security breaches are actually facilitated by employees themselves.
Firms require high-quality IT with comprehensive security measures in place to ward off malicious cyber criminals; however, technology cannot provide adequate protection if a firm's employees aren’t following secure best practices. In fact, many law firm IT specialists consider employees to be their biggest security threat.
Small and mid-sized law firms often make the mistake of becoming complacent, with the incorrect assumption that they aren’t an ideal target for hackers. However, practices of all sizes are proving to be attractive, and every lawyer and staff member must be vigilant.
In the American Bar Association’s 2017 Legal Technology Survey Report, it was reported that 1 in 5 American law firms were compromised, and more than 1 in 3 firms with 10-49 lawyers experienced a security breach. We don’t yet have these statistics for law firms in Canada, however the Federal Government’s 2016 Consultation on Cyber Security tells us that 70% of Canadian businesses have been a victim of a cyber attack.
Data security isn’t just for IT management – law firm professionals share in the responsibility of safeguarding against breaches. Here are a few tips to help you prevent that worst nightmare from becoming reality:
Secure your mobile devices
If you use your personal phone, tablet or laptop to access firm files, apps or networks, you could be exposing your firm to risk. If your firm doesn’t already have a mobile device management policy in place, there are measures you can take yourself to improve security:
- Always lock your device, and set it to auto-lock when you aren’t using it.
- Use secure password practices – don’t use the same password for multiple accounts and devices, and don’t use obvious passwords such as the names of pets, children, your spouse, alma mater or home town. Change your passwords regularly and don’t enable password auto-fill in your browsers. Password best practices are important, but nothing is bulletproof, which is why we recommend law firms implement two-factor authentication as a second layer of protection for mobile devices.
- Encrypt your files. Any files that are stored or transferred via your device should be encrypted. It’s a relatively easy task that just about anyone can do within Windows or by using an encryption tool such as VeraCrypt or BitLocker. Mac devices are even easier, with a built-in feature called FileVault (access it under System Preferences).
- Protect yourself from malware by installing anti-virus software on your devices. It takes just a few minutes to set up but goes a long way in protecting your device from infection. Software companies such as McAfee and AVG offer free, basic protection for Apple and Android devices, and more advanced protection is widely available from a variety of companies for a reasonable price.
Be aware of online fraud and phishing schemes
The sensitive information that law firms safeguard can bring a high price on the black market; hackers will go after law firms directly by stealing and selling data or by blocking the firm’s access and holding it ransom in exchange for untraceable cryptocurrency payments. More sophisticated cyber criminals will target firms with weak security systems in order to hook much bigger fish – their clients.
For this reason, law firm staff must be very careful when interacting with unknown persons via phone or email. Even the most innocuous interaction can lead to a breach. One common tactic hackers use is to capture a small amount of information, enough to make them appear familiar or trustworthy to law firm staff, and then trick staff into wiring funds to a fake account, giving away credentials by logging in to a fake site, or clicking a malicious link that installs malware on the firm’s system.
Check out our blog post How to Spot a Phishing Email to learn how you can better protect your firm and clients. Subscribe to newsletters such as LAWPRO’s fraud alerts to stay informed about the latest schemes and scams targeting Canadian law practices.
Keep your personal affairs separate from firm technology
- Don’t use your work email to sign up for mailing lists or to create personal accounts, as this increases the amount of spam and phishing emails you will receive in your inbox. The login information these services capture can also be breached at the other end, exposing any sensitive information that you disclosed for that account.
- It should go without saying, and yet many employees are guilty of this one - avoid navigating to illegal or high-risk websites such as Torrent downloads, streaming, gaming sites, gambling, or other unmentionable endeavors. These sites are common sources of malware that can be embedded in the code, which means you don’t even have to click on anything to be infected.
- When syncing your mobile device to a cloud backup (e.g., Google Cloud), ensure it isn’t set to simultaneously pull files down, as you can inadvertently bring infected personal files from your home computer onto your mobile device. If you share your home computer with other people, this is especially risky.
- Lock down your social media or at least be very careful about what you put out into the world. Hackers will use social media clues to gain a foothold in their phishing scams: for example, using a co-worker’s nickname or mentioning a recent event you attended can go a long way for a hacker who's trying to appear familiar to your firm.
Read your firm’s policies
They may seem cumbersome at times, yet as we’ve illustrated above, law firms have good reason for implementing and enforcing security protocols and policies; protect yourself and your firm by taking the time to review them. Know the repercussions for employees who fail to adhere, and ensure you aren’t inadvertently committing violations that can get you into trouble - or worse, bring trouble to your firm and clients.
Don’t hesitate to ask questions about the policy and to raise concerns. Workplace policies are only effective when employees follow them, so your employer should know if something isn’t practical.
In this age of unlimited connectivity, an employee can no longer assume that data security is the responsibility of solely the IT manager. In order to maintain safety for ourselves, our clients and our colleagues, we all have an obligation to take responsibility for our technology practices.