Ensuring Cybersecurity For Law Firms




How To Ensure Your Law Firm’s Cybersecurity

Cybersecurity isn’t an issue facing the legal profession alone – across the board, it affects nearly every profession and industry. And usually, not enough attention is devoted to it until something serious happens. For example, Forbes reports that a major breach occurred in the legal field in 2017, when 11 million files were leaked from one law firm.

Research by CNA Insurance showed that 80% of the largest law firms in the U.S. have already experienced a malicious breach. In most of those cases, the firms either failed to discover the breach on their own, or discovered the breach a number of months after its occurrence.

Before your law firm falls prey to a cybersecurity incident, here is some helpful advice for taking preventive measures.

Any Device Can Be Compromised

The ABA Journal warns that almost any type of advanced technology has the potential to be hacked. For example, even obsolete equipment being thrown out with the trash – such as old copying machines containing hard drives – could contain data that you don’t want falling into the wrong hands. In 2010, Affinity Health Plan, a Bronx, New York-based managed care provider, had a cybersecurity breach in which hundreds of thousands of health care records were put at risk. The lease was up on the copy machines, and when the equipment left the building, so did files on more than 344,000 clients.

Law firms, like other professions, are facing the need for tighter cybersecurity measures.

Dealing With Cybersecurity Vendors?

The American Bar Association’s Cybersecurity Legal Task Force suggested measures your firm can take when beginning a relationship with a new cybersecurity consultant. For example, when you’re doing a background check of the company, make sure the prospective vendor’s existing clients haven’t suffered any recent security incidents or breaches, and that the vendor doesn’t have any lawsuits or regulatory claims against it as a result of such incidents. Also verify that the vendor has all the staff, certifications, programs and equipment necessary to do what it has promised – and that it doesn’t plan on sharing your data with outside third-party contractors, or sending it to them for offsite storage, without your knowledge or permission.

Under Cyberattack? Know The Signs

The Department of Homeland Security says to be aware of “Denial Of Service” attacks, which happen when legitimate users can’t access computer devices or other network resources because a hacker is flooding your server or network with requests or junk data traffic. This attack typically continues until your system cannot respond or simply crashes. Services affected may include email, websites, online accounts or other services that rely on the affected computer or network. Sometimes the hacker accomplishes this by remotely assembling a large group of unrelated computers and systems from other unsuspecting individuals and organizations to join in the attack. The more devices participating in the attack, the harder it is to trace the origin of the hack.

Have A Policy On BYOD / Bring Your Own Devices

Gathering and sharing information is an essential part of a law firm’s business. Despite the growing trend towards e-Discovery and the use of various digital media for storing or distributing information, however, you need to be very cautious regarding thumb drives and other portable USB devices. The ABA Journal compares mini-storage devices to a dirty needle – they can come preloaded with malicious software and are often used by hackers and penetration testers to exploit human vulnerabilities and gain access to a network. According to CNA Insurance, while BYOD capability makes smart business sense because it enables attorneys to access their firms’ networks and download client data onto their devices, it also creates risks stemming from unrestricted use of outside devices. You might want to consider requiring password protection, encryption or remote wiping capability for BYOD situations. Otherwise, when devices are lost or stolen, you’re not only vulnerable to a data breach, but your firm’s network itself may be exposed to malware and viruses.