10 Security Practices Every Law Firm Should Follow

Originally published December 1, 2020, by Steve Sobka, Director of Technology and Infrastructure, and Bill Sorenson, VP of Product, at www.elite.com.

Cybersecurity has long been an area of concern for law firms; New York has even proposed cybersecurity CLE requirements. The changes of 2020 require every firm to reevaluate their current security posture and determine if changes are needed.

Certainly, the focus on cybersecurity pre-dates COVID-19, especially as law firms continue to be actively targeted by cyber threat actors in well-publicized breaches. However, the issue becomes even more urgent today. Leaders need to consider how the drastic changes in working environment brought on by the pandemic have impacted their security controls.

In this article, we’ll outline 10 best practices that every law firm should consider adopting or reviewing and why.

1. Re-evaluate Your Security

As firms this year have grappled with the challenges of supporting remote work and adapting in-office processes, technology, and client interaction to accommodate, security may have taken a back seat to productivity and “keeping the lights on.” It’s time to take a look at how those necessary changes have impacted security.

For example, where before you may have concerned yourself primarily with the security of your physical offices, you need to now also consider home security and how to adjust your policies and technical controls to accommodate.

And all this isn’t just limited to the current remote work situation. For many firms, big and small, 2020 has shown that remote workers can remain highly productive. Regardless of how long remote work is necessary, for some firms, some level of remote work will remain an option post-pandemic.

From reviewing your Bring Your Own Device and remote work policies to a full-scale review of your technical controls, taking a step back and considering how recent changes impact security will help ensure your client data remains secure no matter how it’s being accessed.

2. Least Access Approach

One of the most common techniques cybercriminals use is to target junior staff members as a means into an organization. Once they secure such credentials, they can then either a) access everything that employee has access to, or b) use that account as a “Patient Zero” account to infect others, even up to managing partners.

With a least access approach, firms can control their exposure by being vigilant about what any given person can access. Instead of determining what data and which systems should be blocked from a given user, think critically about what they need to access. Doing so helps ensure that, even if a cybercriminal gains credentials or ransomware is deployed at the firm, your exposure is limited.

3. Security-first Mindset

A defensive mindset is critical to maintaining a secure environment—not just digitally, but physically as well. In an office setting, that might mean validating the copy repairman or the person who waters the plants. Online, it could include confirming that an email requesting data is actually real.

The crux of the security-first mindset is that it’s not limited to IT. Every person at your firm needs to take a “Question everything” mindset. You can’t afford for it to be “just IT’s problem.”

4. Ongoing (Not Annual) Training

This one seems obvious, but it’s critical that firms consider training as an ongoing activity rather than an annual one. Required annual cybersecurity training typically isn’t sufficient to keep staff vigilant. Instead, consider lighter, more frequent training, and use responsive training tools to help educate your team on phishing attacks. Ultimately, your employees are your last line of defense. Make sure they’re prepared.

5. Email Security Is Not Just About Tools

While email security tools are an important component of catching phishing emails, they are far from infallible. The rising sophistication of phishing attacks means that no email security tool alone can defeat phishing attacks.

In addition to the training highlighted above, law firms should ensure they have policies and procedures in place to mitigate risk. This includes proactive measures, such as a policy that requires financial transactions to be confirmed in person or by voice, not just by email, and reactive measures, such as outlining a clear incident response plan so everyone knows what to do if they’ve been phished.

6. Multi-factor Authentication and Password Managers

It’s time to get serious about these two. Any firms that haven’t yet implemented these (and it could be as many as 50%) need to make this a priority.

Cybercriminals exploit the very human desire to keep things simple and convenient. The result? Gaining access to one account can often be easily translated to several of that person’s accounts. With multi-factor authentication, criminals would need access to multiple components to access a target’s data. One nuance here: text-based two-factor authentication is better than nothing. But given the choice, firms should require authenticator apps, which are far harder to hack.

Meanwhile, password managers make it easier to maintain different, long, and complex passwords for every account. With a corporate account, firms have the added benefit of quickly shutting down access to all those passwords in the event of a termination.

7. Encryption Everywhere

The simple message here: encrypt everything, everywhere. Ensure your data is encrypted at rest (if you’re operating in a cloud environment, this will be automatically built-in), as well as in transit.

8. Remote Workspace Adoption

Virtual desktops provide a significant security upgrade. While the experience for the user is nearly identical to keeping everything on the local machine, the desktops are actually hosted in a public cloud environment where everything—from the data sitting on the desktop to the connection to critical applications such as Firm Central and ProLaw®—is running on cloud-based servers and is both encrypted and backed up. Cloud desktop represents a much more secure environment than a typical virtual private network and can also eliminate the performance impact that VPNs introduce.

With a virtual desktop, you can isolate your damage, particularly in an era where employees are accessing their applications and data from insecure home WiFi networks. If a computer is stolen or a laptop is damaged, no data is exposed or lost. You can just procure a new computer and get access to your cloud desktop as if nothing ever happened.

9. Physical Security

With many offices only lightly staffed, if at all, there are often minimal controls to ensure that only authorized personnel can access the office. If your infrastructure is still on-premises, you may not have insight into who can access your hardware.

The simple solution? Stop owning physical infrastructure. The truth is that there’s nothing you can do that will be more secure than Amazon® or Microsoft®. By upgrading your infrastructure to the cloud, you transfer your risk to the cloud providers and save yourself the expense and headache of keeping that physical infrastructure secure.

10. Cloud Security

The move to the cloud can be a huge security upgrade for law firms. But how do you ensure that your cloud security is secure as well? The first step is to confirm what you mean by “the cloud.” Public cloud providers such as Amazon and Microsoft spend hundreds of millions—even over a billion—dollars on security, far more than you or even a private cloud provider can spend.

You’ll also want to consider how your cloud provider is treating your environment. In many private cloud environments, for example, you can consider the infrastructure to be similar to an apartment building. While your locked door helps to keep your environment secure, you’re still subject to communal impact. If another tenant has a fire, that fire could easily spread to you.

In contrast, a single-tenant environment is like owning your own house, with lots of land around. The actions of your neighbors won’t impact you as heavily, if at all.


Security is a hefty responsibility. Undoubtedly, you’ve already implemented at least some of these 10 best practices. But there are likely at least a few that bear further consideration or upgrading from your current setup.

It can be daunting to consider implementing all of them. But the good news is that, by turning to the cloud and a trusted cloud services partner to help you, 8 out of 10 of these best practices can be either offloaded or significantly supported by a partner. (If you guessed 2 and 3 as the outliers, you’re right.)

Security practices should be reviewed regularly and at any time a major change happens to the business. So as 2020 comes to a close, take the time to review, re-evaluate, and emerge with a stronger security posture and confidence that you’ve done everything you can to keep your client and firm data secure.

10 Best Security Practices for Securing Client Data

Keeping client data secure is always a minimum requirement for law firms. The combination of recent events, maturing technology, and evolving best practices make now a good time to reevaluate your security procedures and whether you’re doing enough to keep your practice and clients safe.

Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Bill Sorenson, Vice President of Product, and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.

Why address security now?

As technology continues to advance, so do the tactics hackers use to access our data. Now more than ever, cybersecurity should be a top priority, especially with the impact of COVID-19. Firms have felt major pressure to up their cybersecurity game as employees began working remotely this year due to COVID-19. Working from home poses many security risks for firms. As you plan for 2021, it’s a good time to reevaluate your security procedures and policies.

To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.

1. Re-evaluate your security policies and posture

The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their wi-fi is kept up-to-date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving security posture.

2. Remote Workspaces / Virtual Desktops

One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lock down.

Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.

3. Physical Security

So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down and secure with physical security that far outstrips the ability of any organization to meet. Microsoft Azure and Amazon have the money, resources, and supplies to provide top level security that many smaller businesses are unable to provide or keep up with.

4. Cloud Security

While cloud providers provide greater security, there are lots of factors to consider when choosing a cloud partner. First is considering public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment, a server that is managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall” whereas public cloud creates a dedicated environment to only your firm.

5. Security-First Mindset

It is so easy to label security as an IT problem. But to ensure security, it needs to be top of mind for everyone in a firm. Humans are often the last line of defense in stopping criminals – whether that be ransomware or someone posing as a copy repairman – so it’s important for all employees to do their part in protecting firm security and data. Employees need to be taught to question everything – be aware of potential security risks and think differently about security day to day. Having a security-first mindset across your firm will keep you ahead of any cybersecurity attacks or issues. As things change so quickly, you can never be too prepared.

6. Training

Shifting to a security-first mindset is just one of many security practices employees need to embrace. Having continuous security trainings for your firm is another key practice to maintaining security. Training cannot just be an annual activity; it is an ongoing activity for everyone in an organization. As mentioned, staff is the last line of defense, so even the person working at your front door needs to be trained! Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, confrontation avoidance – and exploit them to gain access to valuable data.

7. Email Security

Email addresses have become a gateway for hackers to access accounts and greater information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume that someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.

8. Multifactor Authentication and Password Managers

While multi-factor authentication (MFA) and constant reminders to “not reuse passwords!” are common recommendations, the sad truth is that such measures are still not universally adopted. Multifactor authentication requires a two-step verification that typically requires the user to acknowledge or input a code on a secondary device before authorization. Those not using multifactor authentication are more at risk of hacking. Even the FBI says multifactor authentication, MFA, is the best thing you can do for security.

Meanwhile, busy professionals are highly likely to reuse passwords across multiple accounts, which means that when one has been compromised, their other accounts are at risk. Password managers simplify complicated password recommendations, making it easier for employees to follow security best practices.

We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.

9. Encryption

While data encryption is a given, it’s critical that data be encrypted both at rest and in flight. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people are accessing your data, but also as it’s sitting on your servers. The best and easiest way to protect your data is to encrypt it by storing it in the cloud. Encrypting everything by default is another step towards ensuring the security of client data.

10. Least-Access Approach

One final security practice for your firm to take is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case-by-case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as-needed basis.

The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.

Getting started

To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure best security. The good news is that out of these 10 recommendations, 8 of them can be implemented by a strong technology partner without significant disruption or effort on your side.

Key Safety Tips for Telecommuting Law Firm Staff


Save for appearances in court, life as a lawyer is one that’s ideal for telecommuting. And amid the coronavirus outbreak, many attorneys are spending the brunt of their typical 9-to-5 schedules from the comfort of home rather than going to their workplace.

Given the kind of personal information that attorneys deal with on a day-to-day basis, the spike in remote work raises the risk of this same sensitive data falling into the wrong hands, an issue that has cybersecurity experts sounding the alarm.

During a recent webinar hosted by the American Bar Association, ABA Cybersecurity Legal Task Force Co-Chair Ruth Hill Bro warned of the potential perils law firms face should they not take the appropriate precautions.

“Cybersecurity is a moving target,” Bro explained. “Law firms are attractive targets and the risk of cyber breaches multiplies as more employees work remotely.”

Bro also noted the surge in malware viruses and websites that have been created over the past few months, each aimed at bilking people out of their money through misinformation campaigns.

Even though coronavirus restrictions are easing, remote work is here to stay, and may grow in frequency given that the shift in work arrangements for many law firms went smoothly. Here are a few suggestions to ensure the data that you and your remote staff handle is fully protected.

Take advantage of multifactor authentication
Multifactor authentication, or MFA, requires users to input several pieces of information before they can obtain access to a database. For instance, instead of only entering a username and password, MFA may also require answers to personal security questions (e.g. What is your mother’s maiden name?), fingerprint scanning or a code sent to an email address. These additional elements provide several layers of security, entailing more guesswork for would-be hackers.

As noted by Bro during the webinar, MFA enhances the protection of shared use servers.

Install antivirus software updates ASAP
Because cyberattacks are such an ongoing and pervasive threat, antivirus software developers are constantly releasing patches that address certain vulnerabilities. It’s easy to put these off, given they often take time to download. Try to avoid this if you can and get in the habit of downloading the patches as soon as they become available.

Passwords serve as one component of multifactor authentication.

Check your Wi-Fi connection
When you click on the Wi-Fi symbol at the top of the page, you’ll likely see several networks that are in your immediate vicinity. If yours has a padlock next to it, that’s a good sign. If not, it means your network is free for anyone to log on. Even if you know your network is protected, get into the habit of checking it out on occasion; there may be instances in which the lock symbol doesn’t appear. If that’s the case, consider contacting your network provider to see what might be the problem. The issue may be confined to you or it could be widespread.

Be more discerning about access
Just because technology allows your staff to access information remotely doesn’t necessarily give them license to do so. In other words, if employees only need access to certain portions of a network to do their job, there is no point in granting more far-reaching access. As the U.S. Chamber of Commerce points out, setting access privileges can serve as a fail-safe mechanism by isolating network penetration so it doesn’t affect all users.

Back up your data frequently
Ransomware is quickly becoming one of the most common ways cyberattackers obtain sensitive data. These attacks can be devastating if you don’t have a carbon copy that can replace whatever is stolen. Here as well, make this process part of your daily or weekly routine, especially for information that may be compromising to your clients’ reputation should it be exposed.

At Afinety, we specialize in cloud-based solutions so your staff can continue their work in all environments. Leveraging the world’s largest cloud provider, Amazon Web Services, Afinety has the network protections that you, your clients and your staff can depend on. Contact us to learn more.

Stepping Up Your Cyber Security Game – Protecting Your Assets

Originally published June 26, 2020, by Bill Sorenson, VP of Product, at www.elite.com.

Learning from the COVID-19 Impact

We’ve seen a dramatic change over the last four months in relation to the coronavirus pandemic. One of the most significant changes to impact most firms has been the work-at-home requirements placed across the country. Some firms were able to respond quickly, and others struggled for a significant time to enable their employees to work. One of the large impacts has been the increased risk exposure associated with cybersecurity. How you handle this impacts your firm’s value, both overall as well as in the marketplace.

Risk Management at the Heart: Protecting Your Assets

It all gets back to risk. In our industry, most of what we do and the decisions we make are related to risk and risk mitigation. When we look at cybersecurity, there’s no difference. Expanding your risk footprint with work-at-home employees dramatically increased your risk. The question is, is it short-term or not?

  • Running Your Technical Environment: First let’s look at your technical environment and, as an example, how you run 3E® or ProLaw® and your other applications. You may run it internally with your own equipment, in a computer center somewhere else, or in the public cloud. Each implementation has different risks and productivity considerations for your employees and the firm. For the firms that have run it and the rest of their applications in the cloud, the move to work-at-home was simple. They were already used to the idea that their employees could work from anywhere. For the other firms, the move to work-at-home created a hectic environment: there was a struggle to get everyone working at the same time, performance was horrible, and security became an immediate concern.
  • Cybersecurity as a Base: When we look at cybersecurity and the extension of a firm’s environment to each employee’s home, many things raise red flags. First, simply locking down employees’ technology to restrict confidential information exposure has been key. Additionally, in many situations, the computers people use at home are shared. This dramatically increases the exposure to the firm. By implementing key controls around the devices that employees use, firms have been able to reduce this risk exposure quickly. Make sure you’ve reviewed the risks specific to your firm and have implemented controls to keep your firm’s data secure.
  • Coming to Grips with Reality: Going forward, there will now be an increased focus on disaster recovery, business continuity, and cybersecurity. Focusing on those protections related to your employees and the remote workforce will significantly level-up your overall security. In a time when there is a dramatic focus on hacking each of your employees, there is no time to waste to secure your environment.

Protections Needed Now

  • Work-at-Home: You need to implement technical controls on each user’s device and put in place additional policies and procedures around work-at-home, bring your own device, and possibly, confidential information exposure.
  • Disaster Recovery / Business Continuity: You need to review your disaster recovery and business continuity plans and look at how they were implemented with COVID-19 and adjust.
  • The Human Element: Training, training, training. It is time to step up and help your employees protect you. If you haven’t already rolled out cybersecurity training, it’s time to do that now. And this includes partners. Partners are really the focus of phishing attempts and, many times, are greenfield for hackers. By training employees, you increase the sentries that are protecting the firm.
  • Direction to the Cloud: One thing COVID-19 has shown us is that firms that had already adopted the cloud were well prepared. They made those decisions based on cybersecurity, costs, and productivity gains for the firm. It is time for you to look at that as an adoption rather than a review. By choosing Amazon® AWS or Microsoft® Azure®, you’re able to leverage the best in the world at costs you can afford. The key piece is finding a partner who’s focused on your industry.

The Transition Back

As the pandemic progresses and different states begin to transition industries back to a more normal work life, it’ll be time for you to look at transitioning your firm back. As you’re making that decision, take into account the lessons you’ve learned during the pandemic. Key takeaways from this article for you and your core partners to review include:

  • Staffing Lessons: How did our staff respond, and how did we help them?
  • Client Lessons: Were we able to provide what our clients needed and expand our services in response to the pandemic? If not, could we have?
  • Technical Lessons: Were we prepared for this emergency? Did we use our disaster recovery plan, or did we take it for granted? Do we need more focus on moving to the cloud now to protect us from this type of situation going forward?
  • Firm Lessons: Was our mindset one of quick response and focus on where we could help, or was it reactive and overwhelming? Would we be better served by spending time walking through realistic examples and responses? Can we be better prepared?

Set up some time with the firm leaders and take the time needed to go through your new normal. As you are reviewing the past months, be open to input, criticism, new methods, and ideas from all levels. Many people have been impacted in several different manners. Understand how you can step forward and help your partners, staff, and your clients now and in the future.

Why Multifactor Authentication is Essential


If there’s one thing that law firms have in massive quantities, it’s information. From email inboxes containing clients’ addresses and signatures to file folders that detail highly sensitive particulars about financials, attorneys possess reams of data that can damage reputations and ruin lives should it happen to fall into the wrong hands.

While numerous methods of protection exist to keep eyes-only information just that – including passwords, firewalls, identity theft resources and physical security – there are equally as many ways of gaining access. Be it hacking, malware, phishing or skimming, bad actors resort to a wide assortment of underhanded tactics to expose and make off with private data.

Multifactor authentication throws a wrench in these malicious methods. Instead of entering just one password or inserting a single keycard, multifactor authentication – otherwise known as 2FA – requires two or more credentials for access to be granted. Generally speaking, the more that are required, the harder it is for information to be stolen. As noted by Carnegie Mellon University, 2FA involves several “somethings”:

  • Something you know (e.g. password, security question, PIN number);
  • Something you own (e.g. key fob, ID card, smartphone);
  • Something you are (e.g. fingerprint, face, voice, palm vein)

This latter something is a fairly new technology in terms of availability and usage. It involves biometrics, or the analysis of physical characteristics for authentication. Because no two fingerprints are perfectly identical, it makes them difficult to replicate or steal.

Given the effectiveness of 2FA, more industries are adopting it. Many handheld devices now require users to input two or more credentials, or at least provide this option.

However, whether due to resistance to change, in general, or unfamiliarity with technology, attorneys and law firms aren’t fully embracing this security methodology, ABA Journal reported. If you’re among them, here are a few reasons why you may want to reconsider:

Data breaches are more common than ever
At one time, it seemed like every cyberattack was reported by the mainstream media, particularly those that impacted retailers. They’ve largely fallen out of the news cycle, but that doesn’t mean they’ve become any less common. According to the most recent statistics available from the Identity Theft Resource Center, the number of consumer records stolen in 2018 rose 126% from the previous year, totaling 446.5 million overall. That’s up from 197.6 million just 12 months earlier.

The chances of data being stolen are significantly lower when 2FA is in place. As reported by Forbes, household-name software providers say 99% of automated attacks can be successfully blocked by enabling 2FA. Several other telecommunications and technology companies also hail the effectiveness of multifactor authentication.

Firms are a top target
No business or industry is entirely immune from data breaches, and that especially includes the business sector, an umbrella that law firms fall under. Of the 1,632 breaches that took place in 2018, 907 of them affected business, ITRC reported from its findings. This equated to 181 million records, with healthcare in a distant second at 5.3 million records and 384 breaches.

Small law firms in the crosshairs
According to the most recent figures available from the ABA, the number of practicing lawyers currently in the U.S. sits at over 1.3 million. The vast majority of these attorneys work for small firms. Conventional wisdom might suggest the big firms would be targeted the most, but as Attorney At Law Magazine reported, those that have fewer partners tend to receive the lion’s share of the attacks because there are more out there to potentially exploit.

2FA helps to guard against attempted data heists by adding an extra layer of security.

If your firm has transitioned to the cloud, you can’t afford a software solution that doesn’t incorporate multifactor authentication. Built on the largest cloud provider in the world – Amazon Web Services – Afinety leverages 2FA, firewall protection and unparalleled monitoring to ensure information stays under lock and key. For more information on the Afinety Cloud Platform and its offerings, contact us today.

How to Protect Your Firm’s Data


Security is one of the top concerns for most law firms, especially those which deal with large cases or protect corporations. The reality of this day and age is that much of the evidence brought up in legal cases is digital, and that data has to be protected. Even non-digital evidence needs to be indexed for future use. Physical files aren’t secure enough to be used for this sensitive information. It’s far too likely that they will become damaged or get lost, which is a problem law firms simply cannot afford to have. It is wise for law firms and private practitioners to move their data to the cloud.

What is cloud computing?

Cloud computing is the practice of using a remote Internet server instead of a local server or a personal computer to store, manage, and process data. While the idea of it may seem foreign at first, it is actually likely your firm or practice already employs the cloud for daily tasks.

Oftentimes, files on private servers are too large to be sent by email. They are instead sent as Google Drive attachments, or with Dropbox or OneDrive links. All of these services are, in fact, cloud platforms. And they’re safer than you may think.

Cloud technology has measures in place to keep your data safe.

Encryption and security in the cloud

According to Security Week, when it comes to protecting data in the cloud, encryption is considered the most effective. Encryption not only makes the file easier to store, but it also makes it harder to access by a potential intruder. Medium defines encryption as a process that encodes a message or file so that it can only be read by certain people who have an access key. Before a piece of encrypted data is unscrambled, it’s completely unreadable and is referred to as ciphertext. After being unlocked, the message is translated back into plaintext.

Rudimentary encryption can be as simple as switching out certain letters for others to render a sentence or even a word unreadable. For example, if you were to switch out every vowel for the character “@” and every “s” for the letter “c,” the word “biologist” would be encrypted as “b@@l@g@ct.”

Cryptography has since developed into a more complex practice. Medium reports that computer algorithms have more or less replaced mechanical encryption in recent years, making codes even harder to crack. Keys, or passwords, are generated using random number generators or computer algorithms with similar functions. Modern systems sometimes generate a fresh key for every single session to add another layer of security.
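The “biologist” substitution and the idea of a randomly generated per-session key, worked through as an added example (not code from the original article). It shows that the vowel rule is lossy and keyless, and that even a keyed letter substitution still leaks which letters repeat, which is why real systems use modern algorithms; the function names and the alphabet-permutation key are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase


def article_substitution(text):
    """The article's rule: every vowel becomes '@' and every 's' becomes 'c'."""
    table = {vowel: "@" for vowel in "aeiou"}
    table["s"] = "c"
    return "".join(table.get(ch, ch) for ch in text.lower())


def new_session_key():
    """A fresh random permutation of the alphabet, drawn from the OS CSPRNG."""
    letters = list(ALPHABET)
    secrets.SystemRandom().shuffle(letters)
    return "".join(letters)


def encrypt(plaintext, key):
    """Keyed substitution: letter i of the alphabet becomes letter i of the key."""
    return plaintext.lower().translate(str.maketrans(ALPHABET, key))


def decrypt(ciphertext, key):
    """Invert the substitution; possible only because the key is a permutation."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def repetition_pattern(text):
    """Which positions repeat, e.g. 'noon' -> [0, 1, 1, 0]. Needs no key."""
    first_seen = {}
    return [first_seen.setdefault(ch, len(first_seen)) for ch in text]


if __name__ == "__main__":
    print(article_substitution("biologist"))
    # Lossy: two different words collapse into the same ciphertext, so no
    # recipient could recover the original, with or without a key.
    print(article_substitution("bat"), article_substitution("bit"))

    key = new_session_key()              # a new key for this session
    ciphertext = encrypt("biologist", key)
    print(ciphertext, "->", decrypt(ciphertext, key))

    # The ciphertext changes with every key, but the repeated-letter pattern
    # of the plaintext survives. Modern ciphers are designed to hide it.
    print(repetition_pattern(ciphertext) == repetition_pattern("biologist"))
```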

Because of the constant development of cryptography and encryption styles, data is as safe in the cloud as it would be under lock and key, if not safer. Thanks to dedicated professionals in the cybersecurity industry, you don’t have to fear cloud technology.

Accessibility of files

Security and accessibility go hand in hand. Having files uploaded to a protected cloud platform makes it possible to access case files from anywhere at any time. Lawyers no longer need to spend every second of their time in the office, and will be able to work from the road, while traveling or from home. Increased accessibility to work materials leads directly to increased productivity.

Choosing a provider

Afinety is the best choice for law firms and private practices looking to migrate their files to the cloud. Not only is our platform secure, but it was also designed specifically for lawyers, and is optimized to run a variety of apps. To learn more about cybersecurity and other IT options and services offered by Afinety, browse our website, or get in touch today.

Is it ethical for lawyers to store and send information through the cloud?


Firms considering reducing their paper and physical storage use and costs by switching their data to the cloud sometimes worry about security and trustworthiness. Especially in the business of law, firms want to avoid ethics violations due to data breaches of confidential client information at all costs.

What these firms may not know is they are likely already storing files and communicating with clients using cloud technology. Think Dropbox, Google Drive, and Microsoft OneDrive.

The technology exists and is already being put to use. However, there are measures that law firms can take to ensure the security of their information when they put it in the cloud and ways to verify the ethics of doing so.

Is it ethical to use the cloud to store and transmit client information?

In short, yes it is. Lawyers can use cloud-based data storage of confidential information while still maintaining client confidentiality. Over 20 state bar associations have issued ethics opinions on this very topic, and all have reached the conclusion that “lawyers may ethically use cloud computing, so long as they exercise reasonable care to keep client information and files confidential,” according to Attorney At Work. Lawyers just need to be aware of the risks and rewards of technological applications like the cloud and the standards that regulate them. And you certainly don’t need to have a computer science degree to know how it all works; you just need to do your due diligence to know everything is secure.

What steps can lawyers take to ensure the security of their stored data?

There are certain steps lawyers can take to ensure data security at their firm.

Know cybersecurity threats for law firms

The first step is to be aware of threats to security. According to Law Technology Today, these can come in the form of state-sponsored hackers such as those from China, industrial espionage by clients’ competitors, departing employees and even scripts or programs which scan for and attack computer systems and networks.

Prepare, plan and train law practice staff on security awareness

Disruptions in operations and productivity are easily avoidable through planning and preparation. Once you’ve selected your security systems, make sure they’re vetted and tested by a small group of users before implementing them widely. Prepare the new users by giving them ample notice as well as a training plan based on results from the initial test group. Security awareness training is likely the most effective measure you can take when it comes to preventing incidents, says Law Technology Today. When putting together a training, make sure to cover electronic communications, incident reporting, internet access, mobile device security, password policies, remote access, social media use, the firm’s acceptable use policy, visitor policies and wireless access security. You should emphasize the need for good judgment.

Verify law firm vendors

The vendor which provides the cloud technology to your firm should also be following appropriate security protocols. They need to pay close attention to securing and protecting your data. You can learn more about Afinety’s dedication to security for its clients’ data on the website or by calling the office.

Testing your law firm security

Consider hiring a third party to handle your security audits. It will keep you accountable and honest when it comes to the effectiveness of your security measures. According to Law Technology Today, an outside security expert will perform a top-down evaluation of your systems, security policies and practices and access to the systems. After a professional third party audit, you should also try to break in yourself. This is known as a penetration or pen test, and will help you identify areas of vulnerability. Following a security audit or pen test, the firm’s IT department should carefully review the recommended changes in the remediation plan before implementation to consider any possible adverse effects on other systems and end users.

Cloud-based storage has become the standard method for storing and sharing data. The legal profession, like other industries, must adapt to compete in the ever-evolving market. If firms take the right steps to ensure security, there should be no issue with the transition, and all proceedings should move along smoothly.

Cybersecurity checklist to prepare for the new year

Law Firm Cybersecurity Guide For 2020

It is vital, regardless of the size of your law firm, that you utilize astute cybersecurity practices. The IT landscape is constantly evolving, as is the rest of our digital-centric world, and we must learn to proactively adapt and respond to these challenges. Denial-of-service attacks, where perpetrators disrupt services and make a machine unavailable to its users, have decreased since 2018, as have ransomware attacks. However, according to the Online Trust Alliance, losses caused by business email compromises have doubled and crypto-jacking incidents have more than tripled.

The ever-changing landscape of the web can make it difficult to truly know if you’re protected against these attacks. The checklist provided here will give you the basics of securing your law firm against a variety of threats, so here are five things to add to your cybersecurity checklist:

Assess law practice risks

Assessing the risks within your own IT infrastructure can be difficult because it relies on a detailed understanding of potential weaknesses before they are attacked; it requires you to be steps ahead of any potential threats. To start, you need to address certain questions to develop a plan:

  • How would a cybersecurity attack affect the functions of your firm? Who would be affected, and how would it impact your credibility?
  • What data or client records are critical to your firm’s operations?
  • Are there any specific regulatory requirements your firm should comply with?
  • What is your budget for cybersecurity?

Control company domain

Most companies have a domain controller, used to set up email profiles or provide permissions to users for certain programs. When establishing a new hire in the office, there’s typically an onboarding process to add them to the domain controller. You may be lacking an off-boarding process, however, for when a user should no longer have access to company data, programs and computers, says Inside Business.

The domain controller is where all domain login and password information is stored. Using it keeps logins and permissions in one location and simplifies the process. The list of users and their permissions should be checked and updated frequently. If someone is no longer working at the firm, they should be removed from the domain so they no longer have access to company information.
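One way to run the recurring user-list check described above, as an added example (not from the original article): it compares an account list exported from the domain with an HR roster and reports accounts that off-boarding missed. The CSV column names, the 90-day idle threshold, the privileged group list and all sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column names are assumptions about what a
# directory export and an HR roster might contain, not a real tool's format.
DIRECTORY_EXPORT = """\
username,enabled,last_logon,groups
asmith,TRUE,2020-01-06,Attorneys;Billing
bjones,TRUE,2019-08-30,Attorneys;Domain Admins
cdavis,FALSE,2019-05-02,Paralegals
dlee,TRUE,2019-12-20,Paralegals
efox,TRUE,2019-09-01,Attorneys
scanner-svc,TRUE,2020-01-07,Service Accounts
"""

HR_ROSTER = """\
username,status
asmith,active
bjones,terminated
cdavis,terminated
dlee,active
efox,active
"""

STALE_AFTER_DAYS = 90                  # assumed review threshold
PRIVILEGED_GROUPS = {"domain admins"}  # assumed list of high-impact groups


def audit_accounts(directory_csv, roster_csv, today):
    """Return (username, finding, detail) tuples for accounts needing review."""
    today = date.fromisoformat(today)
    roster = {row["username"].strip().lower(): row["status"].strip().lower()
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        user = row["username"].strip().lower()
        if row["enabled"].strip().upper() != "TRUE":
            continue  # already disabled, so it cannot be used to log in
        groups = {g.strip().lower() for g in row["groups"].split(";") if g.strip()}
        idle_days = (today - date.fromisoformat(row["last_logon"])).days
        status = roster.get(user)
        if status is None:
            # Service or shared accounts often land here; each needs an owner.
            findings.append((user, "NO_OWNER", "enabled but not on the HR roster"))
        elif status != "active":
            detail = "departed staff, account still enabled"
            if groups & PRIVILEGED_GROUPS:
                detail += ", privileged group membership"
            findings.append((user, "OFFBOARDING_MISSED", detail))
        elif idle_days > STALE_AFTER_DAYS:
            findings.append((user, "STALE", f"no logon for {idle_days} days"))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(DIRECTORY_EXPORT, HR_ROSTER, "2020-01-10"):
        print(*finding, sep=" | ")
```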

Keep software updated

Set up your operating system for automatic updates – turning off computers at night will enable them to update (and clean out system clutter) on a regular basis. System updates are particularly important for server operating systems where they should be reviewed on a recurring schedule. While these updates may seem like an occasional inconvenience, they’re important to utilize because they’re often updating security features based on past attacks or flaws in protection.

Also, make sure that none of your software is reaching “End of Life.” All this entails is that the maker is no longer providing updates, support or security fixes. For example, on January 14th, Windows 7 Service Pack 1 will no longer be supported, which puts users at risk for security breaches.

Educate staff on phishing

Avoiding uncommon or suspicious links may seem like a simple practice, but there is a reason phishing continues to persist — people still fall for it. Tactics have changed over time, now including “vishing,”  which is the practice of criminal phone fraud, so businesses must remain vigilant and aware of how these scams can surface. Educate staff to never provide log-in information on a website that they’re unsure of, and to be wary of links or pop-up windows that rely on a sense of urgency, suggests My Tech Decisions.

Consider the cloud

Storing your company’s information in the cloud offers extra layers of security and additional steps to ensure your network is protected. You could wrap up 2019 and head into the new year knowing that you’ve made all possible advances towards the best cybersecurity practices and utilize the Afinety Cloud Program, which offers unmatched security through Amazon Web Services.

A guide to stronger passwords for lawyers


Cybersecurity and data protection may not be at the forefront of most lawyers’ minds, especially with pressing deadlines, evolving laws and ongoing work with clients, but that doesn’t mean it should be neglected. Data breaches can have serious consequences, especially when it comes to protecting confidential information at your law firm. According to the Breach Level Index, a database responsible for tracking breach statistics, nearly 5 million data records are lost or stolen every day. With personal client data at risk, taking the necessary precautions can protect firms against a breach and keep their reputation intact. As having strong passwords can be the initial step in protecting your firm, here are five tips for making sure they are hard to crack:

Consider using a password manager

Password managers, like 1Password or LastPass, create unique passwords for all of your accounts. Consumer Reports notes that while there has been growing encouragement across the web to create stronger passwords, there has been no guidance on how to manage them, which means they’re often reused for many different accounts. Cybercriminals will exploit these vulnerabilities. With a password manager, all you need is to create one solid, complicated password that’ll be used as your master key — once you have that created and memorized, the password manager will do the rest for you.

Long and complicated is best

Hackers are familiar, as are you, with the quick and easy picks for log-in credentials. “Password123” is not a viable password, nor are the names of your children or pets. Despite years of advising against it, variations of the word “password” remain one of the most common picks out there. Out of 130,000 passwords analyzed by cybersecurity company Rapid7, 4,000 of those included the word “password,” says Consumer Reports. While unique characters and uppercase letters can be useful for strengthening passwords, length may be the most important aspect of creating a solid line of defense. Once you have a range of 12-15 characters, hackers are much less likely to be able to guess their way in, reports Wired. Avoid simple patterns or pop culture references, and mix it up — or better yet, make up your own phrase and include special characters.

Recycling is bad for passwords

This is where a password manager can really come in handy. Researchers discovered that 2.2 billion stolen emails and passwords had been posted online, aggregated from years of data breaches across various websites. That means that using the same password for your favorite blog and your bank account could put you at serious risk.

Embrace two-factor authentication

With 62% of Americans using two-factor authentication, it’s becoming a much more commonplace practice throughout the internet. 2FA often involves entering added verification sent to a smartphone, a one-time code, along with your password. By using the multi-step process, which consists of a proof of knowledge (like a password) and physical proof (like having your phone in your pocket), you’ll be ensuring a more trustworthy, secure process that your clients will appreciate, says Law Technology Today.

Change can be a good thing

While updating passwords too frequently can lead to forgetting them, and to getting increasingly less creative with adjustments, it is important to remember that the longer a password is used, the more likely it has been deciphered by a hacker. If you hear that a company you’ve used has had a security breach, change your password (even if you’re not sure if it affected your account). Also, if you have accounts that have gone untouched for a while, delete them. This can keep your log-in credentials from getting breached just because of an old AOL account you had years ago.

In the digital age, it’s vital for everyone to do their best to stay a step ahead. Hackers are becoming smarter, which can be risky for your law firm if not properly secured. Start by taking measures to have strong, complicated passwords. However, if you’re looking to take it a step further, consider utilizing cloud technology for further data protection. The Afinety Cloud Platform is designed specifically for law firms by law firm experts.

Key Takeaways From The 2019 Cloud Computing Report By The ABA


On Oct. 2, 2019, the American Bar Association released its 2019 Cloud Computing report highlighting the changing relationship between law firms and the cloud. From concerns and questions to moving towards the future, we have summarized some of the most important and surprising information obtained from the ABA 2019 Legal Technology Survey.

Cloud Technology Is Slowly But Surely Becoming The Norm For Law Firms

Some of the most promising news from the survey is that more law firms are using cloud services. The number increased from 55% in 2018 to 58% in 2019. Surprisingly, this technology is being utilized more often by individual and small firms, at 60% of those surveyed, while only 44% of larger firms with 50-99 lawyers have adopted it.

Though this increase is small, it’s a move in the right direction.

Security Fears And Loss Of Control Are Holding Law Firms Back

Cloud users and nonusers had similar reservations about the still relatively new technology. The survey found that 65% of current cloud users identified “confidentiality/security concerns” as their biggest concern. Similarly, 50% of nonusers reported not having tried the cloud due to the same concern.

Considering the cloud is one of the most secure ways to store data due to its redundancy, security and safe sharing methods that Forbes outlines, these numbers come as a surprise. If law firms are not adopting the cloud, what are they using? There should always be multiple copies of important documents, ideally stored in different locations. Unlike hard drives and physical paperwork, the cloud will always store duplicates in multiple places, so even if the worst case scenario occurs, your data will most likely still be accessible.

On the same note, lawyers are also concerned about losing control of data. This was the second largest pain point for both users and nonusers. The results from this portion of the survey did not change much from the prior year, which is disappointing. There’s a long way to go when it comes to educating law firms about how beneficial cloud technology is for securing sensitive documents without losing control.

The majority of law firms have reservations about using the cloud due to cybersecurity threats.

Law Practice Contradictory Behavior On Cloud Computing Is Alarming

One of the biggest, and most concerning, pieces of information gained from the survey is the contradiction between lawyers’ understanding of the cloud and their actual use and implementation of it.

Even though more law firms are now using the cloud, they are dropping the ball surrounding cybersecurity. Considering security and control are their top concerns, it’s odd that their behavior does not reflect this.

The ABA does not hold back its dissatisfaction with these results, and considers the lack of effort on security to be “a major cause for concern in the profession.” To give more context, the survey listed 13 standard precautionary security measures. The most commonly used, Secure Sockets Layer (SSL), was used by only 35%. Beyond that, the numbers get more dismal.

Only 28% of respondents reviewed their vendor privacy policies, down from 38% that did last year. Again, if security is a main concern, reviewing privacy policies should be the first thing law firms do with their cloud provider. Numbers for security measures were down across the board, a fact that the ABA is explicitly upset about.

Another interesting point the ABA highlights is the lack of legal formality that lawyers take with their cloud vendors. A meager 4% of respondents negotiated a confidentiality agreement with their provider, and barely 5% arranged service legal agreements. These disappointing numbers, for actions lawyers should be well-versed in, leave the ABA questioning technology competency requirements.

Finally, the overwhelming majority of law firms (94%) consider vendor reputation to be important when selecting a cloud provider. When looking for a cloud service provider for your firm, consider the Afinety Cloud Platform. ACP is a cloud network designed for law firms by law firm experts. With a focus on the legal industry since 1986, Afinety understands the unique challenges law firms face when it comes to data protection and proper configuration of a cloud network.