Small law firms tend to think that they’re safe from becoming the target of hackers.
Unfortunately, that assumption is wrong.
In fact, hackers are attacking small- and mid-sized businesses precisely because such entities usually don’t defend themselves as well as large enterprises. Whether it’s the lack of IT resources or budget constraints, SMBs, including law firms, need to confront today’s threats head-on.
Breaches at law firms are not uncommon. An American Bar Association survey last year found that one in four law firms with at least 100 attorneys had experienced a data breach due to a hacker, website attack, break-in, or lost or stolen computer or smartphone. Meanwhile, the consequences of weak security could impact a firm’s business, as more corporate clients insist that their outside firms do more to safeguard sensitive information.
Law firms are taking note.
In the 2015 ILTA/InsideLegal Technology Purchasing Survey, 59 percent of respondents said security management was their top IT challenge. The issue topped the list, knocking email management out of the number one spot for the first time in eight years.
To build a better defense, firms should review their data retention and security policies, ensure that both firm-owned and personally-owned hardware and software is well protected, and educate their attorneys on IT security best practices.
Step one
Make sure your firm has and adheres to an appropriate data retention policy.
In its code of conduct, the ABA has published general guidelines on how long attorneys should hold documents (see Model Rule 1.15, 1.16 (d) and DR 2-110 (A)(2)). Unlike most businesses, which typically retain documents for seven to 10 years, law firms have complex retention policies because of their fiduciary duty to store, manage and maintain certain types of documents, such as wills and living trusts, for specific periods of time.
The duties can also vary according to the type of law practiced and the jurisdiction where the firm operates. Above and beyond the ABA rules, for example, each state has model rules on records to retain and for how long.
Careful monitoring of when documents and email may be deleted is an important part of data security because hackers can’t steal data that your firm no longer has. Another benefit is that it limits the information that may be subject to a discovery motion. If your firm retains information beyond what’s required, it can create additional risk for the firm.
Your retention policy should also follow best practices about the storage of data. Sensitive data should never be transferred onto thumb drives, which someone can easily drop in their pocket and walk out the door. Nor should it be kept on the hard drives of attorneys’ individual PCs. Rather, sensitive data should be stored only on secure servers at the firm or its vendor.
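The retention review described in step one can be run as a periodic sweep that groups documents by what the policy says should happen to them. The script below is an added example, not code from the original article or from any vendor; the document classes, retention periods, file paths and dates are constructed placeholders, and a real firm would take the periods from its own policy and the ABA and state rules cited above. It deliberately never deletes anything: documents under a litigation hold and documents of an unknown class are routed to a person, and only the "eligible_for_deletion" bucket is handed to records staff.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed placeholder retention periods (years) by document class. None means
# "hold indefinitely pending attorney review", as for wills and living trusts.
# A real firm derives these from its own policy and the ABA/state rules.
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "general_correspondence": 7,
    "closed_matter_file": 10,
    "will": None,
    "living_trust": None,
}


@dataclass(frozen=True)
class Document:
    path: str
    doc_class: str
    closed_on: date           # date the document became inactive
    legal_hold: bool = False  # on litigation hold: never eligible for deletion


def disposition(doc: Document, today: date) -> str:
    """Classify one document: 'hold', 'review', 'retain' or 'eligible_for_deletion'."""
    if doc.legal_hold:
        return "hold"
    if doc.doc_class not in RETENTION_YEARS:
        # Unknown class: a person decides; the sweep never auto-deletes it.
        return "review"
    years = RETENTION_YEARS[doc.doc_class]
    if years is None:
        return "retain"
    # N years approximated as 365*N days, which is adequate for a review report.
    cutoff = today - timedelta(days=365 * years)
    return "eligible_for_deletion" if doc.closed_on <= cutoff else "retain"


def sweep(docs: List[Document], today: date) -> Dict[str, List[str]]:
    """Group document paths by disposition so IT and records staff can act on each bucket."""
    report: Dict[str, List[str]] = {}
    for doc in docs:
        report.setdefault(disposition(doc, today), []).append(doc.path)
    return report


# Constructed sample inventory: paths, classes and dates are made up for the example.
SAMPLE_DOCS = [
    Document("matters/2008/smith/letters.pdf", "general_correspondence", date(2008, 6, 30)),
    Document("matters/2010/jones/file.zip", "closed_matter_file", date(2010, 3, 15)),
    Document("estates/doe/will.pdf", "will", date(2000, 1, 1)),
    Document("matters/2005/acme/depo.mp4", "deposition_video", date(2005, 9, 9)),
    Document("matters/2007/roe/emails.pst", "general_correspondence", date(2007, 2, 2), legal_hold=True),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the sweep against the constructed inventory as of a fixed date."""
    return sweep(SAMPLE_DOCS, date(2016, 1, 1))


if __name__ == "__main__":
    for bucket, paths in sorted(run_sample().items()):
        print(bucket, paths)
```

Run as of 1 January 2016, the 2008 correspondence is past its seven-year period and the 2010 matter file is still inside its ten-year period; the will is retained indefinitely, the held mailbox goes to the "hold" bucket regardless of age, and the deposition video, whose class the policy table does not know, goes to "review".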
Step two
Ensure end-point security.
In an ideal world, all sensitive data would be kept only on secure servers and never on individual devices, or end points. In practice, however, attorneys carry important documents on and access potentially sensitive email using desktops, laptops, tablets and phones. Each device should have anti-virus and intrusion-detection software. The IT department should make sure that all application software, operating systems and browsers are kept up to date and incorporate the latest patches issued by their vendors. Each device should include encryption capabilities both for storing data and transmitting it.
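The four requirements in step two (anti-virus and intrusion detection, current patches, encryption at rest, encryption in transit) can be checked mechanically against a device inventory. The script below is an added example, not code from the original article or from any vendor; the patch-age and signature-age thresholds are assumptions for the example, and the endpoint records are constructed. In practice the records would be exported from the firm's endpoint management or mobile device management tool; the point here is the decision logic, which turns dates into findings rather than just listing attributes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds are assumptions for this example, not figures from the article.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 3


@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str                              # desktop, laptop, tablet or phone
    av_installed: bool
    av_signatures_updated: Optional[date]  # None: never updated or unknown
    last_patched: Optional[date]           # OS and application patch date
    disk_encrypted: bool                   # encryption at rest
    firm_data_only_over_vpn: bool          # encryption in transit for firm traffic


def age_days(today: date, when: Optional[date]) -> Optional[int]:
    return None if when is None else (today - when).days


def check_endpoint(ep: Endpoint, today: date) -> List[str]:
    """Return the list of policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if not ep.av_installed:
        findings.append("no anti-virus / intrusion-detection software")
    else:
        sig_age = age_days(today, ep.av_signatures_updated)
        if sig_age is None or sig_age > MAX_AV_SIGNATURE_AGE_DAYS:
            findings.append("anti-virus signatures stale or unknown")
    patch_age = age_days(today, ep.last_patched)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days or unknown")
    if not ep.disk_encrypted:
        findings.append("storage not encrypted")
    if not ep.firm_data_only_over_vpn:
        findings.append("firm data reachable without encrypted transport")
    return findings


def compliance_report(endpoints: List[Endpoint], today: date) -> Dict[str, List[str]]:
    return {ep.name: check_endpoint(ep, today) for ep in endpoints}


# Constructed sample inventory; names and dates are made up for the example.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-partner-01", "desktop", True, date(2016, 1, 14), date(2016, 1, 10), True, True),
    Endpoint("lt-assoc-07", "laptop", True, date(2015, 12, 1), date(2015, 10, 20), False, True),
    Endpoint("ph-assoc-07", "phone", False, None, date(2016, 1, 2), True, False),
]


def run_sample() -> Dict[str, List[str]]:
    """Evaluate the constructed inventory as of a fixed date."""
    return compliance_report(SAMPLE_ENDPOINTS, date(2016, 1, 15))


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "OK" if not findings else findings)
```

As of 15 January 2016 the desktop passes every check, the laptop fails three (signatures six weeks old, patches nearly three months old, no disk encryption) and the phone fails two (no anti-virus, firm data reachable without a VPN). Each finding maps to one sentence of the policy in step two, which is what makes the report actionable for the IT department.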
Step three
Make sure to address the weakest link in data security – human beings.
Teach them when and how to encrypt data. According to the ILTA survey, nearly 35 percent of firms had no standard policy or requirement to encrypt data when it was transferred out of their litigation/practice support group. Educate everyone in the firm, including staff, attorneys and senior partners, on end-point security best practices. All should understand, for example, why they should never click on links or attachments unless they know who is sending them. Even senior business executives or law partners are susceptible to social engineering hacks such as phishing, as the horror story described in step four illustrates.
Step four
Design, implement and enforce a BYOD policy that lays out what type of devices are allowed and how IT will secure these devices.
Increasing use of personal mobile devices for work has opened up a new threat to security. Especially when using tablets or phones, attorneys may not realize they are exposing sensitive data. If their phone is lost or stolen, a bad actor could potentially use the attorney’s log-in credentials to access the firm’s network and install a Trojan horse undetected. Once in, the thief can steal information immediately or just lurk in the background and cherry-pick specific data.
In the ILTA study, some 28 percent of firms said they had no BYOD policy. Of those that did have a policy, 71 percent covered smartphones, 59 percent covered tablets and only 28 percent covered laptops.
Without a rigorously enforced BYOD policy, bad things happen. For example, a C-level executive recently shared this personal horror story: He and a fellow executive both received the same email saying that there was a problem with the firm’s payroll. Each logged into the system using their own personal, unsecured mobile devices. The email turned out to be a cleverly constructed phishing attack that redirected the executives to a site that captured their logins and passwords. The hackers then used those credentials to redirect the executives’ paychecks to an account in Grand Cayman. The company had no idea its payroll had been hacked until two weeks later, when the executives’ paychecks never showed up.
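The lure in that story worked because the message looked like it came from the firm's payroll system while its link went somewhere else. The checks a mail gateway or an awareness-training tool applies to such a message can be shown in a few dozen lines. The script below is an added example, not code from the original article or from any product; the email body, the trusted domain example-firm.com and the lookalike destination are all constructed. It extracts every link from an HTML mail body and raises a finding when the link is not HTTPS, when the visible text shows one hostname but the href goes to another, or when the destination is not one of the firm's own domains.

```python
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Simplification: the last two labels. A production tool would consult the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text: str) -> Optional[str]:
    """If the visible link text itself looks like a URL or hostname, return that host."""
    if " " in text or "." not in text.strip("."):
        return None
    candidate = text if "://" in text else "//" + text
    return urlparse(candidate).hostname


def link_findings(href: str, text: str, trusted_domains: Iterable[str]) -> List[str]:
    """Indicators that a single link may be a credential-phishing lure."""
    findings: List[str] = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("link is not HTTPS")
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append(f"text shows {shown} but link goes to {host}")
    if registrable_domain(host) not in set(trusted_domains):
        findings.append(f"destination {host} is not a firm domain")
    return findings


def scan_email(html_body: str, trusted_domains: Iterable[str]) -> Dict[str, List[str]]:
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: link_findings(href, text, trusted_domains) for href, text in parser.links}


# Constructed sample message modelled on the payroll lure in the article; all names are made up.
SAMPLE_EMAIL = """
<p>There was a problem processing this month's payroll. Please confirm your details at
<a href="http://payroll-login.example.net/verify">https://payroll.example-firm.com/login</a>
or contact <a href="https://intranet.example-firm.com/hr">the HR portal</a>.</p>
"""
TRUSTED_DOMAINS = {"example-firm.com"}  # assumption: the firm's own registrable domain


def run_sample() -> Dict[str, List[str]]:
    return scan_email(SAMPLE_EMAIL, TRUSTED_DOMAINS)


if __name__ == "__main__":
    for href, findings in run_sample().items():
        print(href, "clean" if not findings else findings)
```

On the constructed message the payroll link collects all three findings while the genuine intranet link collects none. A mail gateway would quarantine or rewrite the first; a training tool would use the same mismatch to explain to the recipient why "look at where the link really goes" is the habit step three asks everyone to build.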
What’s next?
By bringing fresh eyes, an outside technology consultant can be helpful in reviewing your retention policy and evaluating your security stance. Through vulnerability testing and gap analysis, a consultant often identifies areas that have been overlooked or need updating to the latest technology. The consultant can remediate problems, recommend improvements and help you deploy a sound security strategy, using the proper tools, to protect digital data from increasingly inventive hackers.
Learn more about how legal support services can help your firm. If you’d like a security assessment, check out the services at mindSHIFT.