In 2012, then-FBI director Robert Mueller said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Mueller’s observation continues to be true today for large global companies and small businesses alike — including law firms. There have been numerous reports over the last decade about law firm data breaches in both the popular and legal press. The FBI has reported that law firms are often viewed as “one-stop shops” for attackers (with information on multiple clients), and it has seen hundreds of law firms being increasingly targeted by hackers.
Attorneys have a duty to guard against such breaches. The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6 and Comments).
The most frightening thing about this for law firms is that every new hack increases the chances your data will find its way into the hands of someone who can use it to do some damage. At the same time, you may have limited resources to invest in protecting yourself from being targeted. However, there are a few simple steps you can take to ensure your firm is prepared.
CHANGE YOUR PASSWORDS
The easiest thing you can do to up your security is to change your passwords regularly. At the same time, it’s best to avoid changing login information so frequently that your employees suffer password fatigue and settle for variations on the same theme. Make your passwords “complex,” and use password manager tools to store that information securely.
USE A PASSWORD MANAGER
You should use a password manager tool. There are several options out there to fit your specific needs. These tools help you use unique, secure passwords for every site you need while also keeping track of all of them for you. That way, you get the security benefits of changing your password, without having to worry about making things hard on your employees. Even better, if you need someone on your team to log into any of your accounts, you can share password sets so they can update your website, post to your social media accounts, and much more.
DELETE ANY UNUSED ACCOUNTS
An easy way for an attacker to gain access to your network is to use old credentials that have fallen by the wayside. When you’re looking at ways to up your security on a budget, doing some housekeeping on your old accounts is a great place to start.
ENABLE TWO-FACTOR AUTHENTICATION
If you haven’t already, you need to think about enabling two-factor authentication to add some extra security to your logins. Generally, it’s as simple as registering a phone number or installing an app, but it adds that extra layer of security that makes it harder for an attacker to get into your accounts.
KEEP YOUR SOFTWARE UP-TO-DATE
Software updates always seem to pop up at the most inconvenient time, so it becomes easy to dismiss them and save them for a later date. But keep in mind that one of the reasons you are being prompted to update your software is often that a known vulnerability exists and has been made public.
As with passwords, the thing to understand here is that once these vulnerabilities become public, hackers go looking for people running that specific software who could be vulnerable. Even if an update pops up at an inconvenient time, it’ll almost certainly cost you less time to install an update than it will to deal with an actual data breach.
TRAIN EMPLOYEES ON SECURITY
Train employees to spot phishing attempts and educate them on standards that will help reduce the risk of a data breach. Phishing attacks are more generalized, but spear-phishing is personalized to each target and can often be extremely convincing. The only way to be sure that your organization will be safe is through training. By cultivating your firm’s awareness, you’ll decrease the likelihood that hackers get anywhere near your clients’ data.
IMPLEMENT MANAGED SECURITY SOLUTIONS
Set up firewalls, spam filters and anti-virus tools. These solutions will monitor your network activity and alert your IT team to attack vectors and compromised devices. Considering the amount of data your firm generates and stores, you need solutions that continuously scan for potential threats.
HAVE A RESPONSE PLAN IN PLACE
Work with your IT and security teams to create data protection and recovery policies. Establishing a response plan well in advance of an attack can slash the time it takes to remediate a potential breach and recover lost time.
Cyber threats aren’t going anywhere—and hackers are constantly discovering new ways of accessing data. Law firms must protect client information, and the best way to do that is by empowering their IT teams to build a robust defense from the inside out.
The good news for all of OAMIC’s insured firms is that Cyber and Data Breach coverage is included with their legal malpractice insurance at no charge to them. It’s just another way that OAMIC looks out for the Oklahoma legal community.