Law firms are not usually on the leading edge of adopting new technology, but when it comes to securing your clients’ data, you cannot afford to be lax. If large corporations with expensive security systems can be hacked, it’s safe to say that no firm is immune.
Securing your data is not a one-time thing – it’s an ongoing process because threats are constantly changing.
There is a lot to know about the topic, so here are a few solid tips.
1. Cultivate a Security-Conscious Firm Culture
Data security should be a concern for everyone in the firm. Partners need to show leadership regarding its importance, rather than simply relegating it to IT. Part of this is ongoing training for everyone with access to client information. Such training should also cover the risk of disclosing unauthorized information on social media.
2. What’s Inspected Is Respected
Training employees is the first step, but it isn’t always enough because most people do not retain all the information from a single session.
There is a saying that “what is inspected is respected.” For example, you can train your attorneys and staff to recognize phishing emails and how to (and how not to) respond. But if you don’t test everyone periodically by sending phishing emails to try to trip up your employees, they are likely to become complacent.
After you send such test emails, you can follow up with educational emails, videos or meetings.
There are subscription-based services that enable you to continually train in this manner. All possible ways your firm’s employees could breach security should be periodically tested.
3. Know When to Outsource
Are you wondering whether or not you should outsource your cybersecurity functions? The answer, for all but the biggest firms, is that you probably should. To do it yourself, your IT department needs to set up a Security Operations Center that can:
- Inspect all traffic on your system.
- Categorize it (malicious, suspect or benign).
- Stop malicious traffic in its tracks.
- Quickly repair any damage caused.
It is difficult for all but the largest firms to have the resources to accomplish this because threats are ever-changing. Along with their ability to protect your data, make sure your outsourced firm has a good crisis management plan in case you are hacked despite all efforts.
4. Be Careful with Mobility
The equipment that users employ is small these days: laptops can be easily stolen and USB drives can get lost.
VDIs: Consider using a Virtual Desktop Infrastructure (VDI) if you don’t have one already. This way nothing is actually stored on laptops – they are only used to access information that lives on a VDI server. If a computer is stolen, the VDI cannot be accessed without the proper password, and the laptop itself can be cut off from access.
File Transfer: Files should never be emailed to outside parties or copied onto a disk or flash drive. Disable USB ports on PCs for everyone except those who have approved authorization and a genuine need to download information. When you need to transfer client files, use an encrypted and password-protected FTP site. Similarly, be sure access to online storage sites, such as Dropbox, is blocked.
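One concrete way to enforce the USB restriction on a Windows PC is to disable the USB mass-storage driver so that flash drives are never mounted, while leaving keyboards and mice unaffected. The script below is an added example for this article, not something from the original text or any vendor: it assumes an elevated PowerShell session on the PC being locked down and uses the standard USBSTOR service registry key. Machines belonging to the approved exception described above would simply keep the Windows default (Start = 3), or be targeted by a separate Group Policy.

```powershell
# Added example (not from the original article): lock down removable USB storage on a
# Windows PC by disabling the USBSTOR driver, and audit the resulting state so the
# change can be recorded. Assumes an elevated (administrator) PowerShell session.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled   = 4   # SERVICE_DISABLED: driver never loads, so USB mass-storage devices are ignored
$Manual     = 3   # SERVICE_DEMAND_START: Windows default, driver loads when a device is plugged in

function Get-UsbStorageState {
    # Report whether USB mass storage is allowed, based on the USBSTOR service start type.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    if ($start -eq $Disabled) {
        'Disabled'
    } elseif ($start -eq $Manual) {
        'Enabled'
    } else {
        "Unknown (Start=$start)"
    }
}

function Disable-UsbStorage {
    # Standard staff PCs: prevent USB mass-storage devices from mounting.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Disabled -Type DWord
    Get-UsbStorageState
}

function Enable-UsbStorage {
    # Approved exception only: restore the Windows default so the driver loads on demand.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Manual -Type DWord
    Get-UsbStorageState
}

# Example run: capture the state before and after for the change ticket.
"Before: $(Get-UsbStorageState)"
Disable-UsbStorage | Out-Null
"After:  $(Get-UsbStorageState)"
```

Two caveats a practitioner should keep in mind: the setting only takes effect for devices plugged in after the change (a drive already mounted stays mounted until it is removed or the PC reboots), and a per-machine registry edit does not scale. For a whole firm, the same control is better applied centrally through Group Policy under Computer Configuration, Administrative Templates, System, Removable Storage Access, with the authorized users' machines placed in an organizational unit that is excluded from the policy. Either way, periodically run the audit function (or an equivalent inventory report) across the fleet; the rule in section 2 applies here too, since an unverified control tends to drift.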
Limited Access: Not everyone in your firm needs access to all your data, particularly confidential information. The more people who have access to sensitive information, the bigger the target for hackers. You need a system of privileged account management that gives people access only to the information they need to do their work.
5. Be Sure Your Email Is Really Secure
All correspondence should be encrypted, which can be done with a properly secured firm email account. The moment an attorney sends out a communication on their free account (such as Gmail), your security is compromised. You must demand strict compliance with your email policy.
In addition to using secure email, you should not keep emails around forever. Your firm needs to set up an email retention policy that controls when emails are deleted. The less information that is lying around, the less risk there is of it falling into the wrong hands.
6. Control Faxes
Many law firms have fax machines sitting right out in the open where anyone, even temps, can walk by and see incoming faxes. Access to incoming faxes should be granted only to a few attorneys or staff. You may also want to secure the fax machine itself with a lock.
Protecting your clients’ data today requires sophisticated technology and processes. It requires experts and full-firm backing; it’s not something that can be done hastily, and most law firms do not take cybersecurity seriously enough.
In fact, in a recent survey of 200 law firms, 95% did not follow their own security policies and not one met their clients’ security standards. Law firms handle some of the most sensitive information in the world, and it’s imperative that they protect it.