5 Ways to Keep Your Firm’s Data Safe


According to CSO Online, almost five million data records are lost or stolen every day.

Cybersecurity has become a major issue as society moves more and more of its dealings to digital spaces.

Lawyers, in particular, have a duty to their clients to protect their information. Failure to do so could cost them their clients and even their licenses.

This article addresses five of the most common cyber-threats law firms face, and simple ways to address them.

1) Password Strength

Weak passwords are one of the easiest ways malicious actors have of reaching otherwise secure information. Because people tend to use passwords multiple times a day, they have a tendency to make them easy to remember.

Unfortunately, this is a common first mistake when it comes to password strength. Easy to remember often translates to simple, or worse, familiar. Hackers will research their targets and look for any pertinent information on their social media profiles or any other information they can get their hands on.

For example, the password “TolstoyFan1” may seem like a secure password until you realize you have ‘War and Peace’ quotes all over your Facebook page.

The most secure passwords are often not words at all, but random collections of letters, numbers, and symbols. Similarly, according to the reputable technology publisher Wired, longer passwords are better. Longer passwords are harder to remember, but nearly impossible to guess.

Moreover, if you write the password down, make sure the paper copy is stored in a secure location.  A stored password is only as secure as the place and manner in which it is stored.

Another undesirable password practice is using the same one across multiple platforms. Even if an individual personally does not get hacked, a platform that the individual uses may. If it does, the hacker will have access to the individual’s password. If you use the same password for everything, that hacker has access to everything.
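As an added illustration (not code from the original article), the following Python checks a candidate password along the lines this section recommends and that the NIST guidance discussed in section 5 codifies: prefer length over cleverness, screen against a list of common or breached passwords, reject passwords built from personal details (the “TolstoyFan1” case), and flag the same password being reused across sites. The blocklist and the credential set are constructed for the example; a real check would consult a full breached-password corpus.

```python
import re

# Constructed stand-in for a breached/common password corpus. A real deployment would
# screen against a large list (for example a breached-password dataset), not six entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}


def normalize(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' is judged as 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(password: str, personal_terms=(), min_length: int = 12) -> list:
    """Return the reasons a password should be rejected; an empty list means acceptable.

    Mirrors the NIST SP 800-63B approach: require length, screen against known
    common/breached passwords and context-specific words (names, interests the
    attacker could read off social media), and do not rely on composition rules.
    """
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    for term in personal_terms:
        # Split multi-word terms ('War and Peace') and ignore very short words.
        for word in re.findall(r"[a-z0-9]+", term.lower()):
            if len(word) >= 4 and word in lowered:
                problems.append(f"contains personal term '{word}'")
    if re.fullmatch(r"(.)\1*", password):  # e.g. 'aaaaaaaaaaaa' passes a length rule but is trivial
        problems.append("single repeated character")
    return problems


def find_reused(credentials: dict) -> list:
    """Given {site: password}, return groups of sites that share one password.

    This is the check a password manager performs: one breached platform must not
    hand an attacker the credentials for every other platform.
    """
    by_password = {}
    for site, password in credentials.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed inputs: the article's example password and a small credential set.
    print(check_password("TolstoyFan1", personal_terms=["Tolstoy", "War and Peace"]))
    print(check_password("correct horse battery staple"))
    print(find_reused({"bank": "hunter2x", "email": "hunter2x", "forum": "other"}))
```

The personal-term screen is the part firms most often skip: it only works if the list is populated with what an attacker could actually learn about the user, so the terms are an input rather than a built-in list.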

2) Multi-Factor Authentication

Even with a strong password, digital information may not be adequately secured. Adding an additional level (or levels) of security can make a big difference. This multi-layered approach to security is called Multi-Factor Authentication (MFA) and it is already fairly common.

If you’ve ever been texted a confirmation code in addition to entering a password to access an account, you’ve used MFA. Security questions, biometrics, even physical ‘keys’ can all be used as factors of authentication.

The idea is to make sure the user is who they say they are by asking for something only the user would know, have, or be. Something the user knows is a password; something the user has is a credit card or mobile device; something the user is can be established by a fingerprint or facial recognition scan. MFA cross-references two or more of these factors.

Individually, these factors are difficult to fabricate.  This alone is helpful. But acting together, they can be nearly impossible to mimic.

3) Phishing

Always beware of unknown senders. This has been common advice since the proliferation of e-mail.  But cyber-threats have become more sophisticated in the intervening years, and this advice is not enough to properly protect from bad actors. 

Malicious e-mails can be disguised to appear as if they come from trusted sources. The hackers lull the victim into a false sense of security, often trying to get the victim to open websites that inject a virus that will compromise the victim’s computer, phone, or network. Such attacks are called phishing.

Protecting against phishing is simultaneously easy and difficult. The easy solution is simply not to trust any e-mail with links or attachments. It will seem like a major inconvenience, but the alternative is much worse.  However, links and attachments are often what makes email useful or preferable to other means of communication, making this simple solution seem difficult to implement.

But a few examples demonstrate a middle ground.  

First, you may receive an e-mail that purports to be from your bank, telling you that something disastrous has happened and you have to check your account right away. 

If so, you should probably not follow the link provided in the e-mail, and certainly do not input your log-in information. Instead, it would be better to manually go to the official website of the purported sender and sign in there like you always do. If the problem is real, it should show up there.

Second, you may receive an e-mail that purports to be from a friend of yours, and contains a PDF attachment.

The text of the e-mail may suggest that the sender is in fact not your friend. Even if no warning signs are present, online email systems are among the most frequent targets for hackers.  

Therefore, it would be safer to use a “sandbox” to open email attachments, especially when suspicious signs are present.  The Windows Defender application included with Windows 10 and later releases provides a free sandbox, and other free services are also available.

4) Back Up Your Files

Ransomware is a legitimate threat to any entity that operates online. DLA Piper discovered this first hand when they were the victims of a Petya malware attack. 

Ransomware attacks consist of hacking a network and encrypting files so that the owner of the files has to pay the hacker to release them. Even in the event of an ultimately successful outcome, ransomware attacks can cripple a business, costing it full days or weeks of work.

No network is 100 percent secure. Even if you follow all cybersecurity best practices, the potential of getting hacked still remains. That is why it is so important to back up all of your important files. In the event of a breach, all of your eggs will not be in the same compromised basket.
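A backup only helps against ransomware if it is verifiably intact and sits where the compromised machine cannot overwrite it. The added Python below (not from the original article) demonstrates the verification half: it copies a folder, records a SHA-256 manifest next to the copy, checks the copy against that manifest, and reports which source files have changed since the snapshot, which is what a mass in-place encryption looks like. The `demo()` scenario constructs a few files in a temporary directory and simulates two of them being encrypted; the paths and contents are invented for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(src: str, dst: str) -> dict:
    """Copy every file under src into dst and write a manifest of hashes beside the copy."""
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            manifest[rel] = sha256_file(full)
    with open(os.path.join(dst, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(dst: str) -> list:
    """Return backup files that are missing or no longer match the manifest (empty = intact)."""
    with open(os.path.join(dst, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    damaged = []
    for rel, digest in manifest.items():
        path = os.path.join(dst, rel)
        if not os.path.exists(path) or sha256_file(path) != digest:
            damaged.append(rel)
    return sorted(damaged)


def changed_since(src: str, manifest: dict) -> list:
    """Source files that differ from the snapshot; a sudden spike here is a ransomware signal."""
    changed = []
    for rel, digest in manifest.items():
        path = os.path.join(src, rel)
        if not os.path.exists(path) or sha256_file(path) != digest:
            changed.append(rel)
    return sorted(changed)


def demo() -> dict:
    """Constructed scenario: snapshot three documents, then overwrite two with ciphertext."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "docs"), os.path.join(work, "backup")
    os.makedirs(src)
    for i in range(3):
        with open(os.path.join(src, f"brief{i}.txt"), "w") as f:
            f.write(f"client brief {i}\n")
    manifest = snapshot(src, dst)
    for i in (0, 1):  # simulate ransomware encrypting two files in place
        with open(os.path.join(src, f"brief{i}.txt"), "wb") as f:
            f.write(os.urandom(32))
    result = {"backup_intact": verify(dst) == [], "changed": changed_since(src, manifest)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

In practice the `dst` directory would be a detached drive or a write-once cloud bucket rather than a sibling folder; if the backup is writable from the infected machine, the same encryption that hits the documents will hit the copy, and `verify()` is what tells you that happened before you need the restore.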

5) Cybersecurity Standards – NIST

You might be surprised how many official cybersecurity standards are really just common sense. You might be even more surprised to learn that most people still do not follow them.

The National Institute of Standards and Technology (NIST) standards are largely considered to be the authority on the issue, at least in the United States. 

The tricky part about NIST compliance is that the standards, among other things, require constant maintenance and updating. Cybersecurity is not a one-time exercise completed when the computers are set up. As cyber-threats evolve, the tools, processes, and procedures to combat them must evolve as well.

The standards themselves are also often updated. 

For example, the working standard was to regularly change passwords to decrease the likelihood of a breach. However, NIST recently discovered that this practice was unnecessary and maintaining a suitably strong password was more conducive to effective password management.

Maintaining proper standards and related upkeep could provide a shield against liability. But falling behind the latest standards could open you up to vulnerability in areas you believed were safe and fortified.

Conclusion

Attorneys have a special duty to protect the information of their clients. They also have a duty to remain competent in the tools of their trade, including their computers, network systems, and software applications. Knowing how to effectively use technology is part of the job. Implementing the proper cybersecurity protections must be a lawyer’s priority.

This article was first published in Evolve The Law on 8/15/2019.