Key Safety Tips for Telecommuting Law Firm Staff


Save for appearances in court, life as a lawyer is one that’s ideal for telecommuting. And amid the coronavirus outbreak, many attorneys are spending the brunt of their typical 9-to-5 schedules from the comfort of home rather than going to their workplace.

Given the kind of personal information that attorneys deal with on a day-to-day basis, the spike in remote work raises the risk of this same sensitive data falling into the wrong hands, an issue that has cybersecurity experts sounding the alarm.

During a recent webinar hosted by the American Bar Association, ABA Cybersecurity Legal Task Force Co-Chair Ruth Hill Bro warned of the potential perils law firms face should they not take the appropriate precautions.

“Cybersecurity is a moving target,” Bro explained. “Law firms are attractive targets and the risk of cyber breaches multiplies as more employees work remotely.”

Bro also noted the surge in malware viruses and websites that have been created over the past few months, each aimed at bilking people out of their money through misinformation campaigns.

Even though coronavirus restrictions are easing, remote work is here to stay, and may grow in frequency given that the shift in work arrangements for many law firms went smoothly. Here are a few suggestions to ensure the data that you and your remote staff handle is fully protected.

Take advantage of multifactor authentication
Multifactor authentication, or MFA, requires users to input several pieces of information before they can obtain access to a database. For instance, instead of only entering a username and password, MFA may also require answers to personal security questions (e.g. What is your mother’s maiden name?), fingerprint scanning or a code sent to an email address. These additional elements provide several layers of security, entailing more guesswork for would-be hackers.

As noted by Bro during the webinar, MFA enhances the protection of shared use servers.

Install antivirus software updates ASAP
Because cyberattacks are such an ongoing and pervasive threat, antivirus software developers are constantly releasing patches that address certain vulnerabilities. It’s easy to put these off, given they often take time to download. Try to avoid this if you can and get in the habit of downloading the patches as soon as they become available.

Time to change passwordPasswords serve as one component to multifactor authentication.

Check your Wi-Fi connection
When you click on the Wi-Fi symbol at the top of the page, you’ll likely see several networks that are in your immediate vicinity. If yours has a padlock next to it, that’s a good sign. If not, it means your network is free for anyone to log on. Even if you know your network is protected, get into the habit of checking it out on occasion; there may be instances in which the lock symbol doesn’t appear. If that’s the case, consider contacting your network provider to see what might be the problem. The issue may be confined to you or it could be widespread.

Be more discerning about access
Just because technology allows your staff to access information remotely doesn’t necessarily give them license to do so. In other words, if employees only need access to certain portions of a network to do their job, there is no point in granting more far-reaching access. As the U.S. Chamber of Commerce points out, setting access privileges can serve as a fail-safe mechanism by isolating network penetration so it doesn’t affect all users.

Back up your data frequently
Ransomware is quickly becoming among the most common ways cyberattackers obtain sensitive data. These can be devastating if you don’t have a carbon copy that can replace whatever is stolen. Here as well, make this process part of your daily or weekly routine, especially for information that may be compromising to your clients’ reputation should it be exposed.

At Afinety, we specialize in cloud-based solutions so your staff can continue their work in all environments. Leveraging the world’s largest cloud provider, Amazon Web Services, Afinety has the network protections that you, your clients and your staff can depend on. Contact us to learn more.

Stepping Up Your Cyber Security Game – Protecting Your Assets

Originally published June 26, 2020, by Bill Sorenson, VP of Product, Netgain at

Learning from the COVID-19 Impact

We’ve seen a dramatic change over the last four months in relation to the coronavirus pandemic. One of the significant places that have impacted most firms is the work-at-home requirements placed across the country. Some firms were able to respond quickly, and others struggled for a significant time to enable their employees to work. One of the large impacts has been the increased risk exposure associated with cybersecurity. How you handle this impacts your firm’s value, both overall as well as in the marketplace.

Risk Management at the Heart: Protecting Your Assets

It all gets back to risk. In our industry, most of what we do and the decisions we make are related to risk and risk mitigation. When we look at cybersecurity, there’s no difference. Expanding your risk footprint with work-at-home employees dramatically increased your risk. The question is, is it short-term or not?

  • Running Your Technical Environment: First let’s look at your technical environment and, as an example, how you run 3E® or ProLaw® and your other applications. You may run it internally with your own equipment, in a computer center somewhere else, or in the public cloud. Each implementation has different risks and productivity considerations for your employees and the firm. For the firms that have run it and the rest of their applications in the cloud, the move to work-at-home was simple. They were already used to the idea that their employees could work from anywhere. For the other firms, the move to work-at-home created a hectic environment with a struggle to get everyone working at the same time, the performance was horrible, and security became an immediate concern.
  • Cybersecurity as a Base: When we look at cybersecurity and the extension of a firm’s environment to each employees’ home, many things raise red flags. First, simply locking down employees’ technology to restrict confidential information exposure has been key. Additionally, in many situations, the computers people use at home are shared. This dramatically increases the exposure to the firm. By implementing key controls around the devices that employees use, firms have been able to reduce this risk exposure quickly. Make sure you’ve reviewed the risks specific to your firm and have implemented controls to keep your firm’s data secure.
  • Coming to Grips with Reality: Going forward, there will now be an increased focus on disaster recovery, business continuity, and cybersecurity. Focusing on those protections related to your employees and the remote workforce will significantly level-up your overall security. In a time when there is a dramatic focus on hacking each of your employees, there is no time to waste to secure your environment.

Protections Needed Now

  • Work-at-Home: You need to implement technical controls on each user’s device and put in place additional policies and procedures around work-at-home, bring your own device, and possibly, confidential information exposure.
  • Disaster Recovery / Business Continuity: You need to review your disaster recovery and business continuity plans and look at how they were implemented with COVID-19 and adjust.
  • The Human Element: Training, training, training. It is time to step up and help your employees protect you. If you haven’t already rolled out cybersecurity training, it’s time to do that now. And this includes partners. Partners are really the focus of phishing attempts and, many times, are greenfield for hackers. By training employees, you increase the sentries that are protecting the firm.
  • Direction to the Cloud: One thing COVID-19 has shown us is that firms that had already adopted the cloud were well prepared. They made those decisions based on cybersecurity, costs, and productivity gains for the firm. It is time for you to look at that as an adoption rather than a review.  By choosing Amazon® AWS, or Microsoft® Azure®, you’re able to leverage the best in the world at costs you can afford. The key piece is finding a partner who’s focused on your industry.

The Transition Back

As the pandemic progresses and different states begin to transition industries back to a more normal work life, it’ll be time for you to look at transitioning your firm back. As you’re making that decision, take into account the lessons you’ve learned during the pandemic. Key takeaways from this article for you and your core partners to review include:

  • Staffing Lessons: How did our staff respond, and how did we help them?
  • Client Lessons: Were we able to provide what our clients needed and expand our services in response to the pandemic? If not, could we have?
  • Technical Lessons: Were we prepared for this emergency? Did we use our disaster recovery plan, or did we take it for granted? Do we need more focus on moving to the cloud now to protect us from this type of situation going forward?
  • Firm Lessons: Was our mindset one of quick response and focus on where we could help, or was it reactive and overwhelming? Would we be better served by spending time walking through realistic examples and responses? Can we be better prepared?

Set up some time with the firm leaders and take the time needed to go through your new normal.  As you are reviewing the past months, be open to input, criticism, new methods, and ideas from all levels. Many people have been impacted in several different manners. Understand how you can step forward and help your partners, staff, and your clients now and in the future.

Why Multifactor Authentication is Essential


If there’s one thing that law firms have in massive quantities, it’s information. From email inboxes containing clients’ addresses and signatures to file folders that detail highly sensitive particulars about financials, attorneys possess reams of data that can damage reputations and ruin lives should it happen to fall into the wrong hands.

While numerous methods of protection exist to keep eyes-only information just that – including passwords, firewalls, identity theft resources and physical security – there are equally as many ways of gaining access. Be it hacking, malware, phishing or skimming, bad actors resort to a wide assortment of underhanded tactics to expose and make off with private data.

Multifactor authentication throws a wrench in these malicious methods. Instead of entering just one password or inserting a single keycard, multifactor authentication – otherwise known as 2FA – requires two or more credentials for access to be granted. Generally speaking, the more that are required, the harder it is for information to be stolen. As noted by Carnegie Mellon University, 2FA involves several “somethings”:

  • Something you know (e.g. password, security question, PIN number);
  • Something you own (e.g. key fob, ID card, smartphone);
  • Something you are (e.g. fingerprint, face, voice, palm vein)

This latter something is a fairly new technology in terms of availability and usage. It involves biometrics, or the analysis of physical characteristics for authentication. Because no two fingerprints are perfectly identical, it makes them difficult to replicate or steal.

Given the effectiveness of 2FA, more industries are adopting it. Many handheld devices now require users to input two or more credentials, or at least provide this option.

“Many attorneys and law firms aren’t fully embracing this security methodology.”

However, whether due to resistance to change, in general, or unfamiliarity with technology, attorneys and law firms aren’t fully embracing this security methodology, ABA Journal reported. If you’re among them, here are a few reasons why you may want to reconsider:

Data breaches are more common than ever
At one time, it seemed like every cyberattack was reported by the mainstream media, particularly those that impacted retailers. They’ve largely fallen out of the news cycle, but that doesn’t mean they’ve become any less common. According to the most recent statistics available from the Identity Theft Resource Center, the number of consumer records stolen in 2018 rose 126% from the previous year, totaling 446.5 million overall. That’s up from 197.6 million just 12 months earlier.

The chances of data being stolen are significantly lower when 2FA is in place. As reported by Forbes, household-name software providers say 99% of automated attacks can be successfully blocked by enabling 2FA. Several other telecommunications and technology companies also hail the effectiveness of multifactor authentication.

Firms are a top target
No business or industry is entirely immune from data breaches, and that especially includes the business sector, an umbrella that law firms fall under. Of the 1,632 breaches that took place in 2018, 907 of them affected business, ITRC reported from its findings. This equated to 181 million records, with healthcare in a distant second at 5.3 million records and 384 breaches.

Small law firms in the crosshairs
According to the most recent polling available, tracking how many practicing lawyers are currently in the U.S., the number sits at over 1.3 million, based on the ABA’s figures. The vast majority of these attorneys work for small firms. Conventional wisdom might suggest the big firms would be targeted the most, but as Attorney At Law Magazine reported, those that have fewer partners tend to receive the lion’s share of the attacks because there are more out there to potentially exploit.

2FA helps to guard against attempted data heists by adding an extra layer of security.

If your firm has transitioned to the cloud, you can’t afford a software solution that doesn’t incorporate multifactor authentication. Built on the largest cloud provider in the world – Amazon Web Services – Afinety leverages 2FA, firewall protection and unparalleled monitoring to ensure information stays under lock and key. For more information on the Afinety Cloud Platform and its offerings, contact us today.

How to Protect Your Firm’s Data


Security is one of the top concerns for most law firms, especially those which deal with large cases or protect corporations. The reality of this day and age is that much of the evidence brought up in legal cases is digital, and that data has to be protected. Even non-digital evidence needs to be indexed for future use. Physical files aren’t secure enough to be used for this sensitive information. It’s far too likely that they will become damaged or get lost, which is a problem law firms simply cannot afford to have. It is wise for law firms and private practitioners to move their data to the cloud.

What is cloud computing?

Cloud computing is the practice of using a remote Internet server instead of a local server or a personal computer to store, manage, and process data. While the idea of it may seem foreign at first, it is actually likely your firm or practice already employs the cloud for daily tasks.

Often times, files on private servers are too large to be sent by email. They are instead sent as Google drive attachments, or with Dropbox or OneDrive links. All of these services are, in fact, cloud platforms. And they’re safer than you may think.

cloudCloud technology has measures in place to keep your data safe.

Encryption and security in the cloud

According to Security Week, when it comes to protecting data in the cloud, encryption is considered the most effective. Encryption not only makes the file easier to store, but it also makes it harder to access by a potential intruder. Medium defines encryption as a process that encodes a message or file so that it can be only be read by certain people who have an access key. Before a piece of encrypted data is unscrambled, it’s completely unreadable and is referred to as ciphertext. After being unlocked, the message is translated back into plaintext.

Rudimentary encryption can be as simple as switching out certain letters for others and render a sentence or even a word unreadable. For example, if you were to switch out every vowel for the character “@” and every “s” for the letter “c,” the word “biologist” would be encrypted as “b@@l@g@ct.”

Cryptography has since developed into a more complex practice. Medium reports that computer algorithms have more or less replaced mechanical encryption in recent years, making codes even harder to crack. Keys, or passwords, are generated using random number generators or computer algorithms with similar functions. Modern systems sometimes generate a fresh key for every single session to add another layer of security.

Because of the constant development of cryptography and encryption styles, data is as safe in the cloud as it would be under lock and key, if not safer. Thanks to dedicated professionals in the cybersecurity industry, you don’t have to fear cloud technology.

Accessibility of files

Security and accessibility go hand in hand. Having files uploaded to a protected cloud platform makes it possible to access case files from anywhere at any time. Lawyers no longer need to spend every second of their time in the office, and will be able to work from the road, while traveling or from home. Increased accessibility to work materials leads directly to increased productivity.

Choosing a provider

Afinety is the best choice for law firms and private practices looking to migrate their files to the cloud. Not only is our platform secure, but it was also designed specifically for lawyers, and is optimized to run a variety of apps. To learn more about cybersecurity and other IT options and services offered by Afinety, browse our website, or get in touch today.

Is it ethical for lawyers to store and send information through the cloud?


Firms considering reducing their paper and physical storage use and costs by switching their data to the cloud sometimes worry about security and trustworthiness. Especially in the business of law, firms want to avoid ethics violations due to data breaches of confidential client information at all costs.

What these firms may not know is they are likely already storing files and communicating with clients using cloud technology. Think Dropbox, Google Drive, and Microsoft One Drive.

The technology exists and is already being put to use. However, there are measures that law firms can take to ensure the security of their information when they put it in the cloud and ways to verify the ethics of doing so.

Is it ethical to use the cloud to store and transmit client information?

In short, yes it is. Lawyers can use cloud-based data storage of confidential information while still maintaining client confidentiality. Over 20 state bar associations have issued ethics opinions on this very topic, and all have reached the conclusion that “lawyers may ethically use cloud computing, so long as they exercise reasonable care to keep client information and files confidential,” according to Attorney At Work. Lawyers just need to be aware of the risks and rewards of technological applications like the cloud and the standards that regulate them. And you certainly don’t need to have a computer science degree to know how it all works — you just need to take due diligence to know everything is secure.

Should law firms store client information on the cloud blog_Afinety, Inc.There are certain steps lawyers can take to ensure data security at their firm.

What steps can lawyers take to ensure the security of their stored data?

There are certain steps lawyers can take to ensure data security at their firm.

Know cybersecurity threats for law firms

The first step is to be aware of threats to security. According to Law Technology Today, this can come in the form of state-sponsored hackers such as those from China, industrial espionage by clients’ competitors, departing employees and even scripts or programs which scan for and attack computer systems and networks.

Prepare, plan and train law practice staff on security awareness

Disruptions in operations and productivity are easily avoidable through planning and preparation. Once you’ve selected your security systems, make sure they’re vetted and tested by a small group of users before implementing them widely. Prepare the new users by giving them ample notice as well as a training plan based on results from the initial test group. Security awareness training is likely the most effective measure you can take when it comes to preventing incidents, says Law Technology Today. When putting together a training, make sure to cover electronic communications, incident reporting, internet access, mobile device security, password policies, remote access, social media use, the firm’s acceptable use policy, visitor policies and wireless access security. You should emphasize the need for good judgment.

Verify law firm vendors

The vendor which provides the cloud technology to your firm should also be following appropriate security protocols. They need to pay close attention to securing and protecting your data. You can learn more about Afinety’s dedication to security for its clients’ data on the website or by calling the office.

Testing your law firm security

Consider hiring a third party to handle your security audits. It will keep you accountable and honest when it comes to the effectiveness of your security measures. According to Law Technology Today, an outside security expert will perform a top-down evaluation of your systems, security policies and practices and access to the systems. After a professional third party audit, you should also try to break in yourself. This is known as a penetration or pen test, and will help you identify areas of vulnerability. Following a security audit or pen test, the firm’s IT department should carefully review the recommended changes in the remediation plan before implementation to consider any possible adverse effects on other systems and end users.

Cloud-based storage has become the standard method for storing and sharing data. The legal profession, like other industries, must adapt to compete in the ever-evolving market. If firms take the right steps to ensure security, there should be no issue with the transition, and all proceedings should move along smoothly.

Cybersecurity checklist to prepare for the new year

Law Firm Cybersecurity Guide For 2020

It is vital, regardless of the size of your law firm, that you utilize astute cybersecurity practices. The IT landscape is constantly evolving, as is the rest of our digital-centric world, and we must learn to proactively adapt and respond to these challenges. Denial-of-service attacks, where perpetrators disrupt services and make a machine unavailable to its users, have decreased since 2018 — as well as ransomware attacks. However, according to the Online Trust Alliance, losses caused by business email compromises have doubled and crypto-jacking incidents have more than tripled.

The ever-changing landscape of the web can make it difficult to truly know if you’re protected against these attacks. The checklist provided here will give you the basics of securing your law firm against a variety of threats, so here are five things to add to your cybersecurity checklist:

Assess law practice risks

Assessing the risks within your own IT infrastructure can be difficult because it relies on a detailed understanding of potential weaknesses before they are attacked; it requires you being steps ahead of any potential threats. To start, you need to address certain questions to develop a plan:

  • How would a cybersecurity attack affect the functions of your firm? Who would be affected, and how would it impact your credibility?
  • What data or client records are critical to your firm’s operations?
  • Are there any specific regulatory requirements your firm should comply with?
  • What is your budget for cybersecurity?

Control company domain

Most companies have a domain controller, used to set up email profiles or provide permissions to users for certain programs. When establishing a new hire in the office, there’s typically an onboarding process to add them to the domain controller. You may be lacking an off-boarding process, however, for when a user should no longer have access to company data, programs and computers, says Inside Business.

The domain controller is where all domain login and password information is stored. Using this can keep the login/permission all in one location, and simplify the process. The list of users and their permissions should be checked and updated frequently. If someone is no longer working at the firm, they should be removed from the domain so they no longer have access to company information.

Keep software updated

Set up your operating system for automatic updates – turning off computers at night will enable them to update (and clean out system clutter) on a regular basis. System updates are particularly important for server operating systems where they should be reviewed on a recurring schedule. While these updates may seem like an occasional inconvenience, they’re important to utilize because they’re often updating security features based on past attacks or flaws in protection.

Also, make sure that none of your software is reaching “End of Life.” All this entails is that the maker is no longer providing updates, support or security fixes. For example, on January 14th, Windows 7 Service Pack 1 will no longer be supported, which puts users at risk for security breaches.

Law firm cybersecurity guide for 2020_AfinetyTactics have changed over time, now including “vishing,” which is the practice of criminal phone fraud, so businesses must remain vigilant and aware of how these scams can surface.

Educate staff on phishing

Avoiding uncommon or suspicious links may seem like a simple practice, but there is a reason phishing continues to persist — people still fall for it. Tactics have changed over time, now including “vishing,”  which is the practice of criminal phone fraud, so businesses must remain vigilant and aware of how these scams can surface. Educate staff to never provide log-in information on a website that they’re unsure of, and to be wary of links or pop-up windows that rely on a sense of urgency, suggests My Tech Decisions.

Consider the cloud

Storing your company’s information in the cloud offers extra layers of security and additional steps to ensure your network is protected. You could wrap up 2019 and head into the new year knowing that you’ve made all possible advances towards the best cybersecurity practices and utilize the Afinety Cloud Program, which offers unmatched security through Amazon Web Services.

A guide to stronger passwords for lawyers


Cybersecurity and data protection may not be at the forefront of most lawyers’ minds, especially with pressing deadlines, evolving laws and ongoing work with clients — but that doesn’t mean it should be neglected. Data breaches can have serious consequences, especially when it comes to protecting confidential information at your law firm. According to the Breach Level Index — a database responsible for tracking breach statistics — nearly 5 million data records are lost or stolen every day. With personal client data at risk, taking the necessary precautions can prevent firms against a breach and keep their reputation intact. As having strong passwords can be the initial step in protecting your firm, here are five tips for making sure they are hard-to-crack:

Consider using a password manager

Password managers, like 1Password or LastPass, create unique passwords for all of your accounts. Consumer Reports notes that while there has been growing encouragement across the web to create stronger passwords, there has been no guidance on how to manage them, which means they’re often reused for many different accounts. Cybercriminals will exploit these vulnerabilities. With a password manager, all you need is to create one solid, complicated password that’ll be used as your master key — once you have that created and memorized, the password manager will do the rest for you.

Long and complicated is best

Hackers are familiar, as are you, with the quick and easy picks for log-in credentials. “Password123” is not a viable password, nor are the names of your children or pets. Despite years of advising against it, variations of the word “password” remain one of the most common picks out there. Out of 130,000 passwords analyzed by cybersecurity company Rapid7, 4,000 of those included the word “password,” says Consumer Reports. While unique characters and uppercase letters can be useful for strengthening passwords, length may be the most important aspect of creating a solid line of defense. Once you have a range of 12-15 characters, hackers are much less likely to be able to guess their way in, reports Wired. Avoid simple patterns or pop culture references, and mix it up — or better yet, make up your own phrase and include special characters.

Law firms need strong passwords to protect their practices_Afinety, Inc.Hackers are familiar, as are you, with the quick and easy picks for log-in credentials

Recycling is bad for passwords

This is where a password manager can really come in handy. Researchers discovered that 2.2 billion stolen email and passwords had been posted online, aggregated from years of data breaches across various websites. That means that using the same password for your favorite blog and your bank account could put you at serious risk.

Embrace two-factor authentication

With 62% of Americans using two-factor authentication, it’s becoming a much more commonplace practice throughout the internet. 2FA often involves entering added verification sent to a smartphone, a one-time code, along with your password. By using the multi-step process, which consists of a proof of knowledge (like a password) and physical proof (like having your phone by your pocket), you’ll be ensuring a more trustworthy, secure process that your clients will appreciate, says Law Technology Today.

Change can be a good thing

While updating passwords too frequently can lead to forgetting them — and getting increasingly less creative with adjustments — it is important to remember that the longer a password is used, the more likely it has been deciphered by a hacker. If you hear that a company has had a security breach, one that you’ve used, change your password (even if you’re not sure if it affected your account). Also, if you have accounts that have gone untouched for a while, delete them. This can avoid your log-in credentials getting breached, just because of an old AOL account you had years ago.
In the digital age, it’s vital for everyone to do their best to stay a step ahead. Hackers are becoming smarter, which can be risky for your law firm if not properly secured. Start by taking measures to have strong, complicated passwords. However, if you’re looking to take it a step further, consider utilizing cloud technology for further data protection. The Afinety Cloud Platform is designed specifically for law firms by law firm experts.

To learn more about moving your network, and the data protection of the cloud, click here.

Key Takeaways From The 2019 Cloud Computing Report By The ABA


On Oct. 2, 2019, the American Bar Association released its 2019 Cloud Computing report highlighting the changing relationship between law firms and the cloud. From concerns and questions to moving towards the future, we have summarized some of the most important and surprising information obtained from the ABA 2019 Legal Technology Survey.

Cloud Technology Is Slowly But Surely Becoming The Norm For Law Firms

Some of the most promising news from the survey is more law firms are using cloud services. The number increased from 55% in 2018, to 58% in 2019. Surprisingly, this technology is being utilized more often by individual and small firms, at 60% of those surveyed, while only 44% of larger firms with 50-99 lawyers have adopted it.

Though this increase is small, it’s a move in the right direction.

Security Fears And Loss Of Control Are Holding Law Firms Back

Cloud users and nonusers had similar reservations about the still relatively new technology. The survey found that 65% of current cloud users identified “confidentiality/security concerns” as their biggest concern. Similarly, 50% of nonusers reported not having tried the cloud due to the same concern.

Considering the cloud is one of the most secure ways to store data due to its redundancy, security and safe sharing methods that Forbes outlines, these numbers come as a surprise. If law firms are not adopting the cloud, what are they using? There should always be multiple copies of important documents, ideally stored in different locations. Unlike hard drives and physical paperwork, the cloud will always store duplicates in multiple places, so even if the worst case scenario occurs, your data will most likely still be accessible.

On the same note, lawyers are also concerned about losing control of data. This was the second largest pain point for both users and nonusers. The results from this portion of the survey did not change much from the prior year, which is disappointing. There’s a long way to go when it comes to educating law firms about how beneficial cloud technology is for securing sensitive documents without losing control.

The majority of law firms have reservations about using the cloud due to cybersecurity threats_Afinety, Inc.The majority of law firms have reservations about using the cloud due to cybersecurity threats.

Law Practice Contradictory Behavior On Cloud Computing Is Alarming

One of the biggest, and most concerning, pieces of information gained from the survey is the contradiction between lawyers’ understanding of the cloud and their actual use and implementation of it.

Even though more law firms are now using the cloud, they are dropping the ball surrounding cybersecurity. Considering security and control are their top concerns, it’s odd that their behavior does not reflect this.

The ABA does not hold back with their dissatisfaction with these results, and considers the lack of effort on security to be, “a major cause for concern in the profession.” To give more context, the survey listed 13 standard precautionary security measures. The most commonly used was by only 35%, and it was using secure socket layers. Beyond that, the numbers get more dismal.

Only 28% of respondents reviewed their vendor privacy policies, down from 38% that did last year. Again, if security is a main concern, reviewing privacy policies should be the first thing law firms do with their cloud provider. Numbers for security measures were down across the board, a fact that the ABA is explicitly upset about.

Another interesting point the ABA highlights is the lack of legal formality that lawyers take with their cloud vendors. A meager 4% of respondents negotiated a confidentiality agreement with their provider, and barely 5%, arranged service legal agreements. These disappointing numbers around these actions lawyers should be well-versed in leaves the ABA questioning technology competency requirements.

Finally, the overwhelming majority of law firms (94%) consider vendor reputation to be important when selecting a cloud provider. When looking for a cloud service provider for your firm, consider the Afinety Cloud Platform.   ACP is a cloud network designed for law firms by law firm experts.  With a focus on the legal industry since 1986, Afinety understands the unique challenges law firms face when it comes to data protection and proper configuration of a cloud network.

Legal Profession: The New Frontier For Cyberattacks

Law Firms Are Now Cyberattack Targets

Retail. Finance. Healthcare. Hospitality. Government. Transportation. You name the industry, it’s likely experienced the ills of data theft. Yet one sector that’s remained relatively unaffected by sensitive information hackers is that of private law.

At least, that was the case, until recently. A newly released study from the American Bar Association suggests firms of all sizes are in computer criminals’ crosshairs like never before.

“Nearly 25% of attorneys acknowledge their offices have been affected by a breach.”

Roughly 1 in 4 attorneys in ABA’s 2018 TechReport acknowledge that their offices have been affected by a breach at one point or another. That’s a considerable uptick from as recently as five years ago, when the rate was in the teens. Of those who attest to being victimized, firms with between 50-99 employees on staff were affected the most at 42%, followed by firms employing 100 or more at approximately 31%.

Rich Santalesa, a cybersecurity expert and counsel for the New York City-based law firm Borstein Legal Group, told the ABA Journal that no industry is entirely immune, but one thing that lawyers and attorneys have going for them is hindsight. Because the frequency of attacks on firms have risen only recently and remain fairly low relative to sectors like retail and healthcare, they can glean insight from others’ miscalculations.

“Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” Santalesa explained. “Unfortunately, other industries have had to learn their lessons the hard way – by having breaches that have received media attention.”

At the same time, though, law firms haven’t entirely escaped the fourth estate’s observations. Indeed, as chronicled by the National Law Review, a Washington-based lawyer noted in February 2018 that attempted cyberattacks were a daily frustration at his firm, up 500% during the previous 24 months. In June 2017, multinational law firm DLA Piper was one of several other organizations whose networks were hijacked by ransomware, forcing the shutdown of the company’s IT systems for days in several of the 40 countries where DLA Piper has offices). And in April of last year, a specialist law firm’s computer networks were breached, which wound up exposing the personal commercial insurance policy data of over 1,500 companies in the U.S.

“North of 446 million records were exposed in 2018 and 1.68 billion email-related credentials.”

Ways Law Practice Data Can Be Breached

Part of the problem – both for law firms as well as virtually all other businesses that aggregate data – is the variety of means by which identifying material can be purloined. As previously referenced in this space, ransomware is increasingly common and phishing – which utilizes bait-and-switch emails to bamboozle targets – has never gone away since this means of communication debuted. According to the Identity Theft Resource Center, north of 446 million records were exposed in 2018, along with 1.68 billion email-related credentials.

“When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” warned Adam Levin, founder and chair of CyberScout, a Scottsdale, Arizona-based data security services firm.

Left alone or quickly deleted, phishing emails are benign. But because they look so authentic and are designed to mimic the typeface, tone and design of legitimate companies, approximately 33% of them are eventually opened, according to a 2017 data breach report from Verizon.

Adopt A Security Culture

How can law firms immunize themselves from data disaster? It’s virtually impossible to avoid cyberattacks completely, but it starts by doing what so many other companies have failed to do, which is adopting a culture of security, Verizon Communications CSO Michael Mason. Speaking to ABA Journal, Mason said firms should approach protecting their data like they would vetting a babysitter.

“When you hire a babysitter for your child, what sort of background check do you use? Hopefully, something so precious is not put into the hands of strangers without a background check,” warned Mason. “Your firm’s data is also precious.”

He further advised that law firms often assume a “one-and-done” approach toward data security, obtaining a professional risk assessment a single time and assuming that it alone should suffice. These must be conducted consistently over time to remain above the fray, ideally once a year.

Take your network security a step further by moving to the cloud for enhanced data protection and true mobility.  The Afinety Cloud Platform (ACP) is designed specifically for law firms by law firm experts and runs on the largest, most mature cloud provider in the world, Amazon Web Services.  AWS data centers and network architecture are built to meet the requirements of the most security-sensitive organizations and designed to keep data safe.  This includes built-in, state-of-the-art network firewalls, automated encryption for data in transit and at rest, plus continuous infrastructure testing with summarized results.   This allows you to maintain the highest standard of security without the cost of having to manage your own network or facility. Other options, such as Multifactor Authentication, will enhance your network security even further to guard against cyberthreats or lost data.

Click here to learn more about moving your network, including all data and applications, to the cloud.

Is Paying the Ransom Always a Non-Starter?

What Should Law Firms Do When Faced With Ransomware

Ransomware attacks are increasingly common, with some estimates suggesting that they’ve risen in frequency by nearly 500% from 12 months ago, according to Forrester Research. If your law firm IT were to be affected by such a cyber incident, would you pay the ransom?

Entertaining such a question seems to not only go against conventional wisdom but what IT security experts have long cautioned – that you can’t negotiate with the unscrupulous. Further, capitulating to hackers’ demands in no way guarantees that they’ll wind up surrendering the information stolen or encrypted.

However, given the sensitivity of the data involved, some IT authorities say it’s not so nonsensical a notion after all, as its in bad actors’ best interests to deliver on their promises when those they prey upon pay up.

Florida City Opts To Pay $600k To Retrieve Data

From small-business owners to international conglomerates, companies of all sizes have ultimately decided to cut their losses and pay the amount that perpetrators insist on. Even municipalities are acquiescing, the latest example being Riviera Beach, Florida. Located north of West Palm Beach, the city and its 35,000 residents have been unable to use public service utilities over the last three weeks because attackers hacked into the city’s network servers, disabling phone lines, emails and payment processing, The New York Times reported. Unable to retrieve the hijacked data, local lawmakers voted unanimously to pay the $600,000 ransom, which officials are hopeful will put computer servers back online as happened for a  Georgia county that paid $400,000 when it was victimized in March, according to The Wall Street Journal.

Riviera Beach spokeswoman Rose Anne Brown told the Times that it’s coordinating with law enforcement and informed them of its decision prior to wiring the money.

“We are well on our way to restoring the city system,” Brown explained.

“170 government entities have experienced ransomware infections since 2013.”

In addition to Baltimore, which is steadfast in its decision to not paying the ransom, Riviera Beach is only the latest municipality hit by such a cyberattack. Based on data obtained by CNN, no fewer than 170 government entities – meaning cities, counties or state – have fallen prey to ransomware infections in the last six years. Forty-five of these were sheriff’s or police departments. This may be particularly worrisome for law firms, given they’re often in regular communication with law enforcement regarding pending cases, which entails the sharing of data.

“We were crippled, essentially, for a whole day,” Albany Police Department patrolman Gregory McGee told CNN. “All of our incident reports, all of our crime reports, that’s all digitized.”

Acceding To Ransomware May Be Best Of Bad Options

IT teams were able to resolve the issue in New York’s capital city within 48 hours and did so without giving in to the offenders’ demands. However, given the stakes involved, many believe that paying should not be summarily dismissed as a non-starter.

“There’s a tendency to answer the question by sloganeering: Never negotiate with terrorists,” wrote Stephen Carter, law professor at Yale University, in an opinion piece for Bloomberg. “Otherwise, so the reasoning goes, you will get more terror attacks. But while this argument makes sense for those who are likely to suffer repeated attacks, it’s not clear that those less likely to be regular targets should reason the same way.”

Josh Zelonis, a senior analyst at Forrester Research, feels similarly, noting that cities who hold the line may suffer from diminishing returns as Baltimore is learning first hand. The financial fallout from the attack is believed to be in excess of $18 million and counting. In other words, the ransom demanded may be a pittance compared to the alternative.

“Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack,” Zelonis warned.

He added that while paying the ransom may indeed be inadvisable, it should at the same time not necessarily be completely out of the question, but explored “in parallel with other recovery efforts to ensure you’re making the best decision for your organization.”

Of course, the best solution is to avoid becoming a ransomware victim altogether. This is possible by remaining vigilant.   Perhaps above all else this also means leveraging a multilayered approach to data security, including multifactor authentication, software patches, updates and a good disaster recovery plan.  Look to a reliable cloud solution, like the Afinety Cloud Platform, which runs on the largest and safest cloud provider in the world, Amazon Web Services to reduce your risk of outside threats in today’s world.