This is a guest authored blog by Ben Schorr, Senior Content Designer at Microsoft.
Keeping your firm safe* from cybercriminals doesn’t have to be daunting. Just getting the basics right in your law firm’s cybersecurity strategy gets you on the right road.
You probably noticed the asterisk I put on “safe” above. That’s because it’s not possible to be completely, 100%, safe. A skilled, determined, and patient attacker with sufficient resources will eventually get in. But you can make it expensive enough for them that they don’t bother trying. Nobody is going to spend $10 to steal $3. Unfortunately, too many firms don’t get the basics right and let the bad guys steal $3 for a nickel.
So, what can we do to make it expensive for them?
How Your Identity Can be Compromised
The first, and most important, thing to get right in your digital security is authentication. That just means how your system knows that you are who you say you are.
Traditionally that’s been done with a username and password. Unfortunately, there are a lot of problems with that system. Too many people choose trivial passwords like “Pizza” or “Monkey”, and they reuse their passwords everywhere they can. Thinking up passwords is a headache and remembering them is a hassle.
Then we get into the problem of phishing. Phishing is where attackers pretend to be a person or organization you trust in an effort to coax you to reveal secrets – such as your username and password. Even if you have a great password, if you get tricked into telling it to a crook, things are about to get sad.
Start Protecting Yourself and Your Law Firm
The most important thing you can do to improve your security, and the security of your law firm, is to turn on two-step verification (also known as multifactor authentication) everywhere you can.
Wait…don’t go! I know that many of you consider two-step verification to be a nuisance, but it doesn’t have to be that way. For one thing, properly implemented two-step verification shouldn’t require the second step very often. I have two-step verification enabled at work and I can’t remember the last time I turned on my computer in the office and had to give it my second factor.
The reason for that is that the computer itself becomes a second factor. The first time you sign in after turning on two-step verification the system will ask for your second factor. Usually, that’s a code sent to your phone via SMS text message, or better yet a code generated by an authenticator app on your smartphone.
The system should only ask for your second factor if you’re signing in from a new device or new app, if you’ve just changed your password, or if it’s been a long time since your last sign-in. Otherwise, if you’re signing in from a device you sign into regularly, you shouldn’t have to provide your second factor unless you want to.
Why is Two-step Authentication More Secure?
If a crook steals or guesses your password and tries to sign in as you, it’s very unlikely that they’re doing it from your device. More likely they’re trying to sign in from their device; a device you’ve never signed into before. So, when they try to sign in as you, they WILL get prompted for that second factor, and not having it, they’ll be out of luck.
For law firms especially, having a law practice management platform, like PracticePanther, that offers the ability to enable two-step authentication is lucrative for safeguarding your sensitive information
Is Your Law Firm Trained in Cybersecurity?
You may have heard that your users are your weakest link, but I’m going to suggest that your users can actually be your best line of defense. What you need them to do is to make good decisions at the right moments – and that means not clicking on phishing emails, opening unexpected attachments, or reusing passwords.
Building awareness in your people is a matter of training. But nobody likes spending all afternoon staring at tedious security training videos. Additionally, if you only do security training once a year (or worse, once every few years) it’s even less effective. The trick is to do security training continuously but in bite-sized pieces. Rather than making people take the annual hours of training in one go, dedicate a few minutes every week to it.
This cybersecurity training can be done in a staff meeting, sharing a short, engaging video, an email newsletter, or a game. The trick is to do it often, make it interesting, and keep it brief.
Do You Know Where Documents Are Stored?
Especially these days, when so many of us have been scattered to our dining room tables to work, a lot of our precious data has gone to the dining room tables too.
Did your team take files on flash drives, laptops, or save them to their personal Dropbox so they could work remotely during the pandemic? If so, those files are more vulnerable to theft or loss, and they’re outside your document retention system.
Make sure you know where your files are. Find out where those files might be, then make sure you’ve got a solution you can control (like SharePoint) for your folks to store and work on the files they need, securely. Utilizing cloud-based software, like PracticePanther, makes document management simple with the Box integration. Safely store your files in one place that’s accessible wherever you go, securely share documents with clients, and eliminate the risk that comes with a paper-filling filing system.
While you’re at it…
As a part of your law firm’s cybersecurity strategy, review your exit process and make sure it includes confirming that ALL client and firm data is cleaned off any personal devices or accounts the outgoing person might have. This also includes ensuring sensitive data is removed from their smartphone.
Are You Keeping Your Software Up to Date?
Too many successful attacks are carried out against known vulnerabilities in software or devices. And too often those vulnerabilities were already patched by the vendor, but the firm simply didn’t apply the patches!
Have a plan to ensure your devices (including Wi-Fi routers, smartphones, and printers) have the latest firmware patches installed. Make sure your operating systems (Windows, Mac, Android, or iOS) have the latest security patches installed. Make sure your applications – especially your web browsers – have their latest updates installed.
Protecting your law firm’s data is easier than your think — a simple reboot of your smartphone, computer, or other device is often enough to finish installing the latest patches.
Is Your Law Firm Using the Right Technology?
PracticePanther makes implementing these law firm cybersecurity tips seamless. With built-in features like automatic software updates so you’re always using the most secure version of PracticePanther, two-factor authentication for an added layer of protection, native eSignature to safely send and store documents for electronic signature and the client portal to safeguard all your client’s data and any correspondences with your firm. PracticePanther takes the guesswork out of ensuring your law firm’s sensitive data is safe and secure in one place.
Making your firm more secure is a journey, but by using these tips and having the right technology, you’ll be on the right track.
This blog was published in February 2022. Recent update: October 2022.
