10 Security Practices Every Law Firm Should Follow

Originally published December 1, 2020, by Steve Sobka, Director of Technology and Infrastructure, and Bill Sorenson, VP of Product, at www.elite.com.

Cybersecurity has long been an area of concern for law firms; New York has even proposed cybersecurity CLE requirements. The changes of 2020 require every firm to reevaluate their current security posture and determine if changes are needed.

Certainly, the focus on cybersecurity pre-dates COVID-19, especially as law firms continue to be actively targeted by cyber threat actors in well-publicized breaches. However, the issue becomes even more urgent today. Leaders need to consider how the drastic changes in working environment brought on by the pandemic have impacted their security controls.

In this article, we’ll outline 10 best practices that every law firm should consider adopting or reviewing and why.

1. Re-evaluate Your Security

As firms this year have grappled with the challenges of supporting remote work and adapting in-office processes, technology, and client interaction to accommodate it, security may have taken a back seat to productivity and “keeping the lights on.” It’s time to take a look at how those necessary changes have impacted security.

For example, where before you may have concerned yourself primarily with the security of your physical offices, you now also need to consider home security and how to adjust your policies and technical controls to accommodate it.

And all this isn’t just limited to the current remote work situation. For many firms, big and small, 2020 has shown that remote workers can remain highly productive. Regardless of how long remote work is necessary, for some firms, some level of remote work will remain an option post-pandemic.

From reviewing your Bring Your Own Device and remote work policies to a full-scale review of your technical controls, taking a step back and considering how recent changes impact security will help ensure your client data remains secure no matter how it’s being accessed.

2. Least Access Approach

One of the most common techniques cybercriminals use is to target junior staff members as a means into an organization. Once they secure such credentials, they can then either a) access everything that employee has access to, or b) use that account as a “Patient Zero” account to infect others, even up to managing partners.

With a least access approach, firms can control their exposure by being vigilant about what any given person can access. Instead of determining what data and which systems should be blocked from a given user, think critically about what they need to access. Doing so helps ensure that even if a cybercriminal gains credentials or ransomware is deployed at the firm, your exposure is limited.

3. Security-first Mindset

A defensive mindset is critical to maintaining a secure environment—not just digitally, but physically as well. In an office setting, that might mean validating the copy repairman or the person who waters the plants. Online, it could include confirming that an email requesting data is actually real.

The crux of the security-first mindset is that it’s not limited to IT. Every person at your firm needs to take a “Question everything” mindset. You can’t afford for it to be “just IT’s problem.”

4. Ongoing (Not Annual) Training

This one seems obvious, but it’s critical that firms consider training as an ongoing activity rather than an annual one. Required annual cybersecurity training typically isn’t sufficient to keep staff vigilant. Instead, consider lighter, more frequent training, and use responsive training tools to help educate your team on phishing attacks. Ultimately, your employees are your last line of defense. Make sure they’re prepared.

5. Email Security Is Not Just About Tools

While email security tools are an important component of catching phishing emails, they are far from infallible. The rising sophistication of phishing attacks means that no email security tool alone can defeat phishing attacks.

In addition to the training highlighted above, law firms should ensure they have policies and procedures in place to mitigate risk. This includes proactive measures, such as a policy that requires financial transactions to be confirmed in person or by voice rather than by email alone, and reactive ones, such as a clear incident response plan so everyone knows what to do if they’ve been phished.

6. Multi-factor Authentication and Password Managers

It’s time to get serious about these two. Any firms that haven’t yet implemented these (and it could be as many as 50%) need to make this a priority.

Cybercriminals exploit the very human desire to keep things simple and convenient. The result? Gaining access to one account can often be easily translated to several of that person’s accounts. With multi-factor authentication, criminals would need access to multiple components to access a target’s data. One nuance here: text-based two-factor authentication is better than nothing. But given the choice, firms should require authenticator apps, which are far harder to hack.

Meanwhile, password managers make it easier to maintain different, long, and complex passwords for every account. With a corporate account, firms have the added benefit of quickly shutting down access to all those passwords in the event of a termination.

7. Encryption Everywhere

The simple message here: encrypt everything, everywhere. Ensure your data is encrypted at rest (if you’re operating in a cloud environment, this will be automatically built-in), as well as in transit.

8. Remote Workspace Adoption

Virtual desktops provide a significant security upgrade. While the experience for the user is nearly identical to keeping everything on the local machine, the desktops are actually hosted in a public cloud environment where everything—from the data sitting on the desktop to the connection to critical applications such as Firm Central and ProLaw®—runs on cloud-based servers and is both encrypted and backed up. A cloud desktop represents a much more secure environment than a typical virtual private network and can also eliminate the performance impact that VPNs introduce.

With a virtual desktop, you can isolate your damage, particularly in an era where employees are accessing their applications and data from insecure home WiFi networks. If a computer is stolen or a laptop is damaged, no data is exposed or lost. You can just procure a new computer and get access to your cloud desktop as if nothing ever happened.

9. Physical Security

With many offices only lightly staffed, if at all, there are often minimal controls to ensure that only authorized personnel can access the office. If your infrastructure is still on-premises, you may not have insight into who can access your hardware.

The simple solution? Stop owning physical infrastructure. The truth is that there’s nothing you can do that will be more secure than Amazon® or Microsoft®. By upgrading your infrastructure to the cloud, you transfer your risk to the cloud providers and save yourself the expense and headache of keeping that physical infrastructure secure.

10. Cloud Security

The move to the cloud can be a huge security upgrade for law firms. But how do you ensure that your cloud environment is secure as well? The first step is to confirm what you mean by “the cloud.” Public cloud providers such as Amazon and Microsoft spend hundreds of millions—even over a billion—dollars on security, far more than you or even a private cloud provider can spend.

You’ll also want to consider how your cloud provider is treating your environment. In many private cloud environments, for example, you can consider the infrastructure to be similar to an apartment building. While your locked door helps to keep your environment secure, you’re still subject to communal impact. If another tenant has a fire, that fire could easily spread to you.

In contrast, a single-tenant environment is like owning your own house, with lots of land around. The actions of your neighbors won’t impact you as heavily, if at all.


Security is a hefty responsibility. Undoubtedly, you’ve already implemented at least some of these 10 best practices. But there are likely at least a few that bear further consideration or upgrading from your current setup.

It can be daunting to consider implementing all of them. But the good news is, that by turning to the cloud, and a trusted cloud services partner to help you, 8 out of 10 of these best practices can be either offloaded or significantly supported by a partner. (If you guessed 2 and 3 as the outliers, you’re right).

Security practices should be reviewed regularly and at any time a major change happens to the business. So as 2020 comes to a close, take the time to review, re-evaluate, and emerge with a stronger security posture and confidence that you’ve done everything you can to keep your client and firm data secure.

10 Best Security Practices for Securing Client Data

Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Bill Sorenson, Vice President of Product and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.

Why address security now?

As technology continues to advance, so do the tactics hackers use to access our data. Now more than ever, cybersecurity should be a top priority, especially with the impact of COVID-19. Firms have felt major pressure to up their cybersecurity game as employees began working remotely this year due to COVID-19. Working from home poses many security risks for firms. As you plan for 2021, it’s a good time to reevaluate your security procedures and policies.

To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.

1. Re-evaluate your security policies and posture

The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their wi-fi is kept up-to-date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving security posture.

2. Remote Workspaces / Virtual Desktops

One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lock down.

Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.

3. Physical Security

So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down and secure with physical security that far outstrips the ability of any organization to meet. Microsoft Azure and Amazon have the money, resources, and supplies to provide top level security that many smaller businesses are unable to provide or keep up with.

4. Cloud Security

While cloud providers provide greater security, there are lots of factors to consider when choosing a cloud partner. First is considering public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment, a server that is managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall” whereas public cloud creates a dedicated environment to only your firm.

5. Security-First Mindset

It is so easy to label security as an IT problem. But to ensure security, it needs to be top of mind for everyone in a firm. Humans are often the last defense against criminals – whether that be ransomware or someone posing as a copy repairman – so it’s important for all employees to do their part in protecting firm security and data. Employees need to be taught to question everything: be aware of potential security risks and think differently about security day to day. Having a security-first mindset across your firm will keep you ahead of cybersecurity attacks and issues. Things change so quickly that you can never be too prepared.

6. Training

Shifting to a security-first mindset is just one of many security practices employees need to embrace. Continuous security training for your firm is another key practice for maintaining security. Training cannot just be an annual activity; it is an ongoing activity for everyone in an organization. As mentioned, staff is the last line of defense, so even the person working at your front door needs to be trained! Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, confrontation avoidance – and exploit them to gain access to valuable data.

7. Email Security

Email addresses have become a gateway for hackers to access accounts and greater information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume that someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.

8. Multifactor Authentication and Password Managers

While multi-factor authentication (MFA) and constant reminders to “not reuse passwords!” are common recommendations, the sad truth is that such measures are still not universally adopted. Multifactor authentication adds a second verification step, typically requiring the user to acknowledge a prompt or enter a code on a secondary device before access is granted. Those not using multifactor authentication are at greater risk of being hacked. Even the FBI says MFA is the best thing you can do for security.

Meanwhile, busy professionals are highly likely to reuse passwords across multiple accounts, which means that when one has been compromised, their other accounts are at risk. Password managers simplify complicated password recommendations, making it easier for employees to follow security best practices.

We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.

9. Encryption

While data encryption is a given, it’s critical that data be encrypted both at rest and in flight. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people are accessing your data, but also as it’s sitting on your servers. The best and easiest way to protect your data is to encrypt it by storing it in the cloud. Encrypting everything by default is another step towards ensuring the security of client data.

10. Least-Access Approach

One final security practice for your firm to take is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case-by-case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as-needed basis.

The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.
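The point made in both least-access passages (the “Patient Zero” junior account in the first article and the default-deny description here) can be made concrete by computing how much a single compromised account can reach under each policy. The following is an added example, not code from the original posts or from Afinety; the account names, shares and applications are constructed sample data, and the grant table stands in for whatever directory groups or file-server ACLs a firm actually uses.

```python
"""Default-deny access model: compare the blast radius of one compromised
account under 'everyone gets everything' and under least access.
Added example with constructed sample data."""
from typing import Dict, FrozenSet, Iterable, Set

# Constructed sample resources (not a real firm's shares or applications).
RESOURCES: FrozenSet[str] = frozenset({
    "share:client-matters", "share:billing", "share:hr-records",
    "share:marketing", "app:practice-management", "app:accounting",
})

# Least-access grants: each account is explicitly mapped to what its role
# needs. Anything not listed is denied. (Constructed example roles.)
LEAST_ACCESS_GRANTS: Dict[str, Set[str]] = {
    "jr.paralegal": {"share:client-matters", "app:practice-management"},
    "billing.clerk": {"share:billing", "app:accounting"},
    "managing.partner": {"share:client-matters", "share:billing",
                         "app:practice-management", "app:accounting"},
    "hr.manager": {"share:hr-records"},
}


def is_allowed(grants: Dict[str, Set[str]], account: str, resource: str) -> bool:
    """Default deny: an unknown account, or a known account without an
    explicit grant for this resource, is refused."""
    return resource in grants.get(account, set())


def allow_all_grants(accounts: Iterable[str]) -> Dict[str, Set[str]]:
    """The 'everyone can reach everything, restrict later' starting point."""
    return {account: set(RESOURCES) for account in accounts}


def blast_radius(grants: Dict[str, Set[str]], compromised: str) -> Set[str]:
    """Everything an attacker holding this account's credentials, or
    ransomware running as this user, can read or encrypt."""
    return {r for r in RESOURCES if is_allowed(grants, compromised, r)}


def accounts_with_access(grants: Dict[str, Set[str]], resource: str) -> Set[str]:
    """Review helper: who can reach a given resource? Useful when auditing
    whether a grant table really reflects need."""
    return {a for a, granted in grants.items() if resource in granted}


def compare(compromised: str) -> tuple[int, int]:
    """(resources exposed under allow-all, resources exposed under least access)."""
    accounts = list(LEAST_ACCESS_GRANTS)
    open_policy = blast_radius(allow_all_grants(accounts), compromised)
    least = blast_radius(LEAST_ACCESS_GRANTS, compromised)
    return len(open_policy), len(least)


if __name__ == "__main__":
    for account in LEAST_ACCESS_GRANTS:
        everything, least = compare(account)
        print(f"{account:17s} allow-all: {everything}  least-access: {least}")
```

Run stand-alone it prints the exposure per account; the junior paralegal drops from all six resources to two, which is the difference between ransomware touching every share and it touching one matter share and one application.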

Getting started

To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure best security. The good news is that out of these 10 recommendations, 8 of them can be implemented by a strong technology partner without significant disruption or effort on your side.

Key Takeaways From The 2019 Cloud Computing Report By The ABA

On Oct. 2, 2019, the American Bar Association released its 2019 Cloud Computing report highlighting the changing relationship between law firms and the cloud. From concerns and questions to moving towards the future, we have summarized some of the most important and surprising information obtained from the ABA 2019 Legal Technology Survey.

Cloud Technology Is Slowly But Surely Becoming The Norm For Law Firms

Some of the most promising news from the survey is more law firms are using cloud services. The number increased from 55% in 2018, to 58% in 2019. Surprisingly, this technology is being utilized more often by individual and small firms, at 60% of those surveyed, while only 44% of larger firms with 50-99 lawyers have adopted it.

Though this increase is small, it’s a move in the right direction.

Security Fears And Loss Of Control Are Holding Law Firms Back

Cloud users and nonusers had similar reservations about the still relatively new technology. The survey found that 65% of current cloud users identified “confidentiality/security concerns” as their biggest concern. Similarly, 50% of nonusers reported not having tried the cloud due to the same concern.

Considering the cloud is one of the most secure ways to store data due to its redundancy, security and safe sharing methods that Forbes outlines, these numbers come as a surprise. If law firms are not adopting the cloud, what are they using? There should always be multiple copies of important documents, ideally stored in different locations. Unlike hard drives and physical paperwork, the cloud will always store duplicates in multiple places, so even if the worst case scenario occurs, your data will most likely still be accessible.

On the same note, lawyers are also concerned about losing control of data. This was the second largest pain point for both users and nonusers. The results from this portion of the survey did not change much from the prior year, which is disappointing. There’s a long way to go when it comes to educating law firms about how beneficial cloud technology is for securing sensitive documents without losing control.

[Image caption: The majority of law firms have reservations about using the cloud due to cybersecurity threats.]

Law Practice Contradictory Behavior On Cloud Computing Is Alarming

One of the biggest, and most concerning, pieces of information gained from the survey is the contradiction between lawyers’ understanding of the cloud and their actual use and implementation of it.

Even though more law firms are now using the cloud, they are dropping the ball surrounding cybersecurity. Considering security and control are their top concerns, it’s odd that their behavior does not reflect this.

The ABA does not hold back its dissatisfaction with these results, and considers the lack of effort on security to be “a major cause for concern in the profession.” To give more context, the survey listed 13 standard precautionary security measures. The most commonly used measure, secure socket layers (SSL), was adopted by only 35%. Beyond that, the numbers get more dismal.

Only 28% of respondents reviewed their vendor privacy policies, down from 38% that did last year. Again, if security is a main concern, reviewing privacy policies should be the first thing law firms do with their cloud provider. Numbers for security measures were down across the board, a fact that the ABA is explicitly upset about.

Another interesting point the ABA highlights is the lack of legal formality that lawyers take with their cloud vendors. A meager 4% of respondents negotiated a confidentiality agreement with their provider, and barely 5% arranged service level agreements. These disappointing numbers, around actions lawyers should be well-versed in, leave the ABA questioning technology competency requirements.

Finally, the overwhelming majority of law firms (94%) consider vendor reputation to be important when selecting a cloud provider. When looking for a cloud service provider for your firm, consider the Afinety Cloud Platform. ACP is a cloud network designed for law firms by law firm experts. With a focus on the legal industry since 1986, Afinety understands the unique challenges law firms face when it comes to data protection and proper configuration of a cloud network.

Legal Profession: The New Frontier For Cyberattacks

Law Firms Are Now Cyberattack Targets

Retail. Finance. Healthcare. Hospitality. Government. Transportation. You name the industry, it’s likely experienced the ills of data theft. Yet one sector that’s remained relatively unaffected by sensitive information hackers is that of private law.

At least, that was the case, until recently. A newly released study from the American Bar Association suggests firms of all sizes are in computer criminals’ crosshairs like never before.

“Nearly 25% of attorneys acknowledge their offices have been affected by a breach.”

Roughly 1 in 4 attorneys in ABA’s 2018 TechReport acknowledge that their offices have been affected by a breach at one point or another. That’s a considerable uptick from as recently as five years ago, when the rate was in the teens. Of those who attest to being victimized, firms with between 50-99 employees on staff were affected the most at 42%, followed by firms employing 100 or more at approximately 31%.

Rich Santalesa, a cybersecurity expert and counsel for the New York City-based law firm Borstein Legal Group, told the ABA Journal that no industry is entirely immune, but one thing that lawyers and attorneys have going for them is hindsight. Because the frequency of attacks on firms has risen only recently and remains fairly low relative to sectors like retail and healthcare, they can glean insight from others’ miscalculations.

“Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” Santalesa explained. “Unfortunately, other industries have had to learn their lessons the hard way – by having breaches that have received media attention.”

At the same time, though, law firms haven’t entirely escaped the fourth estate’s observations. Indeed, as chronicled by the National Law Review, a Washington-based lawyer noted in February 2018 that attempted cyberattacks were a daily frustration at his firm, up 500% during the previous 24 months. In June 2017, multinational law firm DLA Piper was one of several organizations whose networks were hijacked by ransomware, forcing the shutdown of the company’s IT systems for days in several of the 40 countries where DLA Piper has offices. And in April of last year, a specialist law firm’s computer networks were breached, which wound up exposing the personal commercial insurance policy data of over 1,500 companies in the U.S.

“North of 446 million records were exposed in 2018 and 1.68 billion email-related credentials.”

Ways Law Practice Data Can Be Breached

Part of the problem – both for law firms as well as virtually all other businesses that aggregate data – is the variety of means by which identifying material can be purloined. As previously referenced in this space, ransomware is increasingly common and phishing – which utilizes bait-and-switch emails to bamboozle targets – has never gone away since this means of communication debuted. According to the Identity Theft Resource Center, north of 446 million records were exposed in 2018, along with 1.68 billion email-related credentials.

“When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” warned Adam Levin, founder and chair of CyberScout, a Scottsdale, Arizona-based data security services firm.

Left alone or quickly deleted, phishing emails are benign. But because they look so authentic and are designed to mimic the typeface, tone and design of legitimate companies, approximately 33% of them are eventually opened, according to a 2017 data breach report from Verizon.

Adopt A Security Culture

How can law firms immunize themselves from data disaster? It’s virtually impossible to avoid cyberattacks completely, but it starts by doing what so many other companies have failed to do, which is adopting a culture of security, according to Verizon Communications CSO Michael Mason. Speaking to ABA Journal, Mason said firms should approach protecting their data like they would vetting a babysitter.

“When you hire a babysitter for your child, what sort of background check do you use? Hopefully, something so precious is not put into the hands of strangers without a background check,” warned Mason. “Your firm’s data is also precious.”

He further noted that law firms often take a “one-and-done” approach toward data security, obtaining a professional risk assessment a single time and assuming that it alone should suffice. Assessments must be conducted consistently over time to remain above the fray, ideally once a year.

Take your network security a step further by moving to the cloud for enhanced data protection and true mobility. The Afinety Cloud Platform (ACP) is designed specifically for law firms by law firm experts and runs on the largest, most mature cloud provider in the world, Amazon Web Services. AWS data centers and network architecture are built to meet the requirements of the most security-sensitive organizations and designed to keep data safe. This includes built-in, state-of-the-art network firewalls, automated encryption for data in transit and at rest, plus continuous infrastructure testing with summarized results. This allows you to maintain the highest standard of security without the cost of having to manage your own network or facility. Other options, such as Multifactor Authentication, will enhance your network security even further to guard against cyberthreats or lost data.
