As a demographic generally thought to be rather conservative, protective, and effective at managing risk, lawyers sure are careless about cybersecurity. Here’s why that’s a big deal: 43% of cyber attacks target small businesses. 60% of small businesses go out of business within six months of experiencing a cyber attack. Here’s the beginning of a fix: perform a law firm security audit.
We get it. The word “audit” is daunting. Performing the process itself is a bit scary, and your fears about what it will reveal are, too. Ignorance is bliss, right?
Well, bliss doesn’t come without risk, and you can’t ignore the facts. So, here’s a fact: your law firm is a target for hackers. Don’t think “it will never happen to us.” The stakes are high, too. Your personal and professional finances and your firm’s reputation are at risk, and the logistics of correcting a breach when it happens could quickly overwhelm your resources.
What Is a Law Firm Security Audit?
A law firm security audit is an important part of protecting your law firm (and your clients). Performing your first law firm security audit is critical (and, at this point, table stakes). Doing it annually is how you’ll ensure you’re up-to-date on technology trends, risks, and controls. As you perform your audit, you’ll see what you’re doing well and what you could stand to improve.
Scope Your Audit
Before diving headlong into your first audit process, you first need to list all of your assets. This includes computers, hard drives, cloud storage solutions, law practice management software, thumb drives, cell phones, tablets, and anything else that might store company or customer data. Don’t forget everyone’s mobile devices and the BYODs (“bring-your-own-devices”) in your ecosystem.
Depending on your firm’s size, this process could result in a lengthy list of assets. At some point, you’ll need to decide what is worth auditing and what isn’t.
Your first audit will be successful if you choose your most valuable asset(s) and focus on them. (Side note: just because you’re auditing your MVPs doesn’t mean that lesser assets don’t require security checks. Make sure they’re protected through employee education on things like password strength and being able to spot a phishing email.)
Contemplate the Threats
You can only properly examine threats if you know what constitutes one. Really, a threat is anything that could compromise data, performance, or accessibility.
Stolen passwords are the number one way hackers perpetrate cyber attacks. Common, simple, or repeated passwords are a hacker’s dream scenario.
Downloading software from untrusted sources—knowingly or otherwise—invites malicious code that can silently open vulnerabilities in your machine and your network. Be careful what you click.
Less common, sure, but natural disasters are still something to consider if you live in an area prone to hurricanes, floods, mudslides, etc.
Does your team know how to create a strong password or identify a potential phishing scam? Their understanding of general security guidelines can help prevent risk. Believe it or not, people are easier to hack than machines.
Phishing scams are usually sent by email and are designed to capture financial or personal data. Some of these are silly and ham-handed. Others are surprisingly sophisticated. Somewhat shockingly, all of them enjoy some measure of success.
More than 87% of companies rely on employees using their own devices. If that number includes you (or your employees), you’ve inherited the responsibility to ensure those devices have adequate security coverage.
Review Your Current Security Situation
This part of your law firm security audit can get a little hairy. It requires that you look at your firm, your employees, and yourself under a microscope. Look through your standards with a fine-toothed comb.
Keeping bias at bay is the only way to perform this part of the law firm security audit effectively. If you don’t think that’s possible, then you may want to consider hiring an external auditor.
If you’re confident you can take off the rose-colored glasses, the perfect starting point is with yourself. Ask yourself how well you follow current guidelines. Look at your passwords and whether you reuse them. Determine if the security software you use (if any) is working for you. If it isn’t (or you don’t use any), use this to launch your search for the right one.
Once you’ve audited yourself, it will be much easier to audit the rest of the office (and you won’t feel like such a hypocrite, either, which is nice).
Determining the right order to tackle threats will help you get the ball moving on improvements. For example, if your audit finds that employees tend to reuse personal passwords but are unlikely to open phishing emails or suspicious emails, then you’ll obviously start by deploying systems and tools to bring passwords to the ideal length and character combination. Later, you can have them read Ghost in the Wires by Kevin Mitnick and educate them about phishing schemes.
Once you’ve prioritized your threat list, brainstorm ways to improve or eliminate them. If you run on a quarterly system, this will be your to-do list for the next quarter. Involve partners and employees where necessary.
First, the low-hanging fruit. Thankfully, your low-hanging fruit is pretty basic:
- Two-Factor Authentication is “the single best thing you can do to help yourself.” According to Martin, “We put a heck of a lot of faith in passwords, and people aren’t very good at creating or remembering passwords.” Turn on 2FA. Everywhere. For everyone.
- You need a good, strong password for every single account you have. That is, you need a different and hard-to-remember one for every single account. That almost certainly means you and your team need to use a password manager like 1Password, Dashlane, or LastPass.
- Phishing (particularly when combined with social engineering) is a huge threat. Hackers sending a message or trying to get someone to disclose something they shouldn’t need only one person to take the bait. Text messages, emails, and phone calls are all common methods. Don’t take the bait. Even once.
- Workstations. Secure them. Use a strong password, install updates to your browser, operating system, applications, etc., use disk encryption, and make backups to the cloud and offline storage.
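The password items above (reuse across accounts, length, character mix) are the kind of thing an audit can check mechanically rather than by eye. The following script is an added example written for this article, not code from the author or from any password manager; it assumes a password-manager export reviewed during the audit as its input and uses assumed policy thresholds (14 characters minimum, 20 for a passphrase) and a small constructed deny-list. It flags weak passwords and, more usefully, the same password appearing on more than one account.

```python
import hashlib
import re
from collections import defaultdict

# Policy thresholds are assumptions for this example, not figures from the article.
MIN_LENGTH = 14          # anything shorter is flagged
PASSPHRASE_LENGTH = 20   # at or above this length, a character-class mix is not required
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
# Constructed deny-list; a real audit would use a much larger breached-password list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def password_findings(password):
    """Return a list of policy problems for one password (empty list = passes)."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears on the common-password list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < 3 and len(password) < PASSPHRASE_LENGTH:
        findings.append("fewer than 3 character classes and not a long passphrase")
    return findings


def audit_accounts(accounts):
    """accounts: iterable of (owner, service, password) tuples, e.g. from a
    password-manager export reviewed during the audit.
    Returns {"owner:service": [findings...]}, including cross-account reuse."""
    report = {}
    seen = defaultdict(list)
    for owner, service, password in accounts:
        key = f"{owner}:{service}"
        report[key] = password_findings(password)
        # Unsalted hash used only to group identical passwords in memory;
        # this is not how passwords should ever be stored.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        seen[digest].append(key)
    for keys in seen.values():
        if len(keys) > 1:
            for key in keys:
                others = ", ".join(k for k in keys if k != key)
                report[key].append(f"reused on {others}")
    return report


# Constructed sample data for the example (no real accounts or credentials).
SAMPLE_ACCOUNTS = [
    ("alice", "email", "Summer2018!"),
    ("alice", "practice-mgmt", "Summer2018!"),
    ("bob", "email", "correct horse battery staple"),
    ("carol", "banking", "password123"),
]

if __name__ == "__main__":
    for account, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{account}: {status}")
```

Run as-is it reports the reused password on both of alice’s accounts, passes bob’s long passphrase, and gives carol’s banking password three separate findings. Treat the output as the prioritized to-do list the article describes: reuse first, then the short ones.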
Some other common solutions include:
- Educate your employees on security best practices. Make a game of it and make it personal so they can apply it both to their home networks (like private banking or credit card accounts) and at work.
- Set up spam filters to protect your system and screen both internal and external email. Add dedicated filtering software if you’re still not catching all of the spam.
- Software of many different flavors can help you identify intruders and alert you the instant a threat is detected. Find what works for you.
- If your data backup processes are outdated, worry. Not to be too hyperbolic, but losing your data could put your entire business at risk. Make sure your data is regularly backed up to the cloud and to an offline storage solution.
- Ensure every device being used for work at your firm has up-to-date software. This can be done manually, or you can purchase software to do it for you.
- Public Wi-Fi. Use it wisely. You probably do more to protect yourself in the coffee shop bathroom than you do on the coffee shop’s public wireless network. There are some absurdly simple (and cheap) VPNs out there that can take care of this for you.
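The spam-filter item and the earlier phishing discussion describe the same defensive idea: most phishing mail carries a few tell-tale mismatches that a filter can score before a human ever sees the message. The script below is an added example for this article, not the author’s code or any mail product’s logic; it assumes a firm domain of example-law.test, an assumed list of pressure phrases, and two constructed messages (one phishing, one legitimate) built inline. It checks reply-to versus sender domain, an outside sender borrowing the firm’s name, link text whose domain does not match where the link actually goes, and urgency language, then triages by the number of indicators hit.

```python
import re
from urllib.parse import urlparse

# Assumed firm domain for this example; substitute your own.
FIRM_DOMAIN = "example-law.test"
FIRM_NAME_TOKEN = FIRM_DOMAIN.split(".")[0]          # "example-law"
# Assumed list of pressure phrases typical of phishing; extend as needed.
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer",
                   "verify your account", "password expires")
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def domain_of(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def phishing_indicators(msg):
    """Score one message. msg is a dict with keys: from, display_name,
    reply_to (optional), subject, body, links (list of (visible_text, href)).
    Returns (score, reasons); the score is simply the number of indicators hit."""
    reasons = []
    sender_domain = domain_of(msg["from"])

    # 1. Replies silently redirected to a different domain
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append("reply-to domain differs from sender domain")

    # 2. Outside sender wearing the firm's name
    display = msg.get("display_name", "").lower()
    if sender_domain != FIRM_DOMAIN and FIRM_NAME_TOKEN in display:
        reasons.append("external sender uses the firm's name in the display name")

    # 3. Link text that shows one domain while the href goes somewhere else
    for visible_text, href in msg.get("links", []):
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(visible_text.lower())
        if shown and not (host == shown.group(0) or host.endswith("." + shown.group(0))):
            reasons.append(f"link text shows {shown.group(0)} but points to {host}")

    # 4. Pressure language in subject or body
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))

    return len(reasons), reasons


def triage(msg):
    """Assumed thresholds: two or more indicators quarantine, one flags for review."""
    score, _ = phishing_indicators(msg)
    if score >= 2:
        return "quarantine"
    return "flag" if score == 1 else "deliver"


# Constructed sample messages (no real senders, hosts, or mail involved).
SAMPLE_PHISH = {
    "from": "billing@example-law-secure.example",
    "display_name": "Example-Law Accounts",
    "reply_to": "collect@mail-drop.example",
    "subject": "URGENT: wire transfer needed today",
    "body": "Please confirm the attached invoice and send payment today.",
    "links": [("https://portal.example-law.test",
               "http://example-law.test.login-check.example/auth")],
}
SAMPLE_LEGIT = {
    "from": "partner@example-law.test",
    "display_name": "Jane Partner",
    "subject": "Draft agreement for review",
    "body": "Attached is the draft; comments by Friday, please.",
    "links": [("case portal", "https://portal.example-law.test/matters/42")],
}

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, reasons = phishing_indicators(msg)
        print(f"{label}: {triage(msg)} ({score})")
        for reason in reasons:
            print("  -", reason)
```

The point of scoring rather than blocking on any single rule is that legitimate mail occasionally trips one indicator (a partner replying from a personal address, say), while real phishing usually trips several at once; the thresholds in triage are assumptions to tune against your own mail.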
Once you’ve finished your first audit, you’ll have a baseline to measure future audits against. Perform your law firm security audit annually. If you’re really staying out in front of the bad guys, doing it quarterly will let you incrementally improve your security standards and keep your practice protected as technology proceeds apace.
Ayesha Schroeder, “Cybersecurity Best Practices: Conducting a Law Firm Security Audit,” November 26, 2018.