5 Ways to Prevent Law Firm Data Breaches

Success in the legal field is often determined by the results you can get for your clients, how much new business you can bring in, and how up to date you are on the ever-changing legal landscape. 

However, with respect to technologies affecting the legal landscape, the expansion of the digital age has made keeping up with every new advancement a Sisyphean task, especially when it comes to protecting your client data from hackers and data breaches.

The threat of cyberattacks is ever-present and constantly evolving. Law firms are at particular risk because of all the sensitive information they must maintain to best serve their clients.

Articles on cybersecurity can often be daunting for the uninitiated. Between cloud-based applications, software installed on local computers and mobile devices, computer and server hardware, and operational issues, it can be difficult to know where to start.

As such, this article will endeavor to boil things down to five basic tech essentials from which every law firm can benefit, in order to help you take the first steps towards securing your business's technology.

To know how to protect yourself you must first know what you’re protecting yourself from.

Hackers Target Small Businesses, Including Law Firm Data

Worldwide,  nearly 6 million data records are lost or stolen every single day (68 records every second) , according to a breach tracking database called the Breach Level Index. If you do the math, you discover that it adds up to around 60 records stolen every second.

In reality, this information shouldn’t come as too much of a surprise. Every few weeks another major corporation or institution is in the news reluctantly reporting a data breach. But these are only the breaches and hacks that we hear about.

The notion that smaller businesses are not being targeted would be mistaken.  Quite the contrary, according to the recent Verizon Data Breach Investigations Report, roughly 43% of all cyber-attacks are directed against organizations with fewer than 250 employees.

In particular, law firms are seen as a rich target for hackers, with many high profile attacks reported in the national news.  The American Bar Association recently found that more than 20% of law firms reported that they were the victim of a cyber-attack.  In law firms with 10-49 attorneys, this figure was 35% — meaning over a third of small law firms had been hacked.

These data breaches are not just embarrassing for the victims, or scary from an identity theft perspective. They cost real people real money. 

According to a recent study the average cost of a data breach worldwide outside the United States is about $3.6 million – that’s $141 per record.  Not to be outdone, the number is even higher in the United States ($7.3 million).

Additionally, the damage of a data breach extends beyond the lost records in and of themselves. One breach can shatter trust in the compromised institution – a fate from which many practices are incapable of recovering.  

In fact, according to a recent Forbes article, “around 60% of [small businesses] forced to suspend operations after a cyber attack never reopen for business.”

Data protection must be one of a law firm’s highest priorities, not just from an ethical standpoint, but also from a business and financial one.

Tip #1:  Improved Passwords

Password protection is unquestionably the most ubiquitous form of cybersecurity. As such, password protection is a defense that hackers have become the most adept at circumventing.

Unfortunately, despite our best intentions, we often make it easier for hackers than we should. By now, everyone should be aware that passwords like “password” won’t cut it. 

What’s harder to pin down is: What makes a strong password?

When it comes to password strength, the best you can do is a random and unpredictable alphanumeric sequence. 

If you can add some symbols into the mix, all the better. Change as many of the variables as possible. Use both lowercase and capitalized letters. The more like nonsense the password looks, the stronger it probably is.

According to the National Institute of Standards and Technology (NIST), passwords should be a least eight characters long, should not contain any actual words, and should not include any repetitive or sequential characters. That means no “AAAAAA” or “12345.”  Furthermore, studies show that passwords 12 characters are more are especially difficult to penetrate.

As important as it is to maintain strong passwords, it is equally as important to diversify them. Using the same (or even similar) password for multiple services or applications can be very dangerous. It means that if your information is compromised in one location, that hacker now access to every account for which you use that password.

Password managers can be a helpful tool to solve this problem. They securely keep track of passwords and their accompanying usernames so you don’t have to try to keep everything straight in your head.

Often, information like passwords is compromised through no fault of your own – so much so that you may not even realize your information has been stolen from a company that failed to protect it. Using a password manager to diversify your passwords helps mitigate the damage in such an event.  Apps like 1PasswordLastPass, and Dashlane are some of the more popular options.

Of note, conventional password management wisdom dictated periodically changing passwords. 

However, the NIST recently began advising against this practice as it was deemed counter-productive when a suitably secure password can be more easily maintained.

Tip #2:  Use Multi-Factor Authentication

Frankly, passwords are not enough when it comes to the level of security necessary for law firm management. To add an extra level of security, law firms should implement “multi-factor authentication” wherever possible. This may sound like a foreign term, but it is actually something you likely already use with a degree of regularity.

NIST explains, “[t]he classic paradigm for authentication systems identifies three factors as the cornerstones of authentication: (1) something you know (e.g., a password); (2) something you have (e.g., an ID badge or a cryptographic key); (3) something you are (e.g., a fingerprint or other biometric data).”

The combination of these factors is referred to as “multi-factor authentication.” It offers a layered security approach. For example:

Many applications send a code to a phone number that you previously said was yours. When you enter the code, this proves you are in possession of the phone belonging to you.

Some highly secure businesses require employees to use both a password, and a regular key or keycard, in order to access their office or computer. 

This means that, if a hacker only knows the password, but does not have the key, the hacker can’t get in.  But, if the key gets stolen, the hacker also needs the password to gain access.

The idea is that if a bad actor manages to get past one level of security, there are additional ones to prevent them from reaching their ultimate prize.

Strong passwords combined with multi-factor authentication is a great starting point to protect information from a technological standpoint.

You should make sure that you turn on and use multi-factor authentication in all your email, billing, and other applications.  If an app does not offer multi-factor authentication, you should strongly consider not using the app.

However, there is a human component that hackers have become more and more adept at exploiting.

Tip #3:  Recognizing Spear Phishing

In recent years, the general public has become more aware of the dangers of “phishing.”

Phishing occurs when a hacker “casts a wide net,” by sending emails – fraudulently designed to appear to be from a trusted source – to get as many people as possible to click on a malicious link or enter secure information.

On the other hand, “spear phishing” is designed to attack a specific target. Because of this, the sophistication of the attack is greatly enhanced.

These attacks can take the form of full-on email campaigns and phone calls. Hackers may pretend to be dissatisfied customers or clients who will exploit the “customer is always right” culture of American commerce and the sensitivity to client relationships in law firms.

You can’t rely on “spam” and “junk” email filters to thwart these attacks.  Instead, you should train your employees to recognize these forms of attacks and rebuff them. Encourage scrutiny and verification, especially in terms of emails.

Tip #4:  Preparing for Ransomware Attacks

For a now-infamous example, Petya malware crippled a large firm in the spring of 2017. All of the firm’s data was locked behind an encryption that would only be lifted if the firm paid a substantial amount of money to the hackers. This incident cost the firm days of work and damage to an extent that will likely never be fully known.

Prevention of a ransomware attack should be the number one priority, and it is a good idea to have a plan in place in case of the worst.

Backing up files on a separate server – especially one that is not accessible via your office internet network — is a good idea. Even if hackers get access to your records (which in and of itself is catastrophic), at least the firm will still be able to use the uncompromised backup.

Tip #5:  Assess Your Firm’s Vulnerabilities

There are many resources available to help you prevent, prepare for, and recover from cyberattacks.  Stay vigilant in maintaining these standards. What constitutes best practices today, may not tomorrow.

In addition, you should make sure your firm has proper insurance coverage in the unfortunate event of a successful hacking attack.  Applying for cybersecurity coverage will often require documentation of the law firm’s cybersecurity practices and procedures, along with a certification of compliance with those procedures.  According to a recent article in the National Law Review, cyber liability coverage is “becoming an essential aspect of running a successful law firm in the twenty-first century.”

If you are not technically inclined, and if your firm does not have its own in-house IT staff, consider hiring a contractor to take a look at your systems.  These contractors are usually not expensive, and often follow standardized testing methodologies.