Law firms sit on a veritable treasure trove of sensitive client data, and with high-profile hacks, cyber attacks, and password cracks becoming a near-daily occurrence, improving the security of law firm data is crucial. It’s a question of when, not if, your law firm will face a cyber security breach.
Solo and small firms in particular are a target. Lacking a dedicated IT department to oversee firm security, or any formal education in data security, many leave glaring holes in their data security policies that put client data at risk. Here are five things you can do today that, while they won’t guarantee you against a data breach, will certainly help address some of the most glaring IT security concerns that solo and small firms face.
Use Strong Passwords
It’s said time and time again, but apparently many people aren’t getting the memo, if this list of 2014’s most common passwords is any indication. Make sure you’re changing your passwords frequently, using random combinations of letters, numbers and symbols 10-20 characters in length, and never reusing the same password across multiple sites or services. Password management applications like 1Password or Passpack can generate and store strong, unique passwords for all of your services, letting you break your reliance on ‘password’ or ‘123456’.
Enable Two-Factor Authentication for All of Your Accounts
Cloud services are great because they assume much of the security risk for you, but lax security practices on the user end can sink even the most secure service. Even if you’re using strong passwords, brute force attacks and phishing can still grant access. Enabling two-factor authentication on all of your cloud accounts (including email, document management, and practice management software) helps mitigate some of that risk by tying access to your phone, a device you (presumably) usually have on your person. Bonus points if you have biometric scanning enabled: requiring your thumbprint to gain access to your account is far more secure than your mother’s maiden name or first pet’s name, both of which are easily gleaned from social media accounts or search engines.
Implement a Bring Your Own Device policy
Allowing your employees to use personal devices to access confidential client data can be a boon to firm productivity, but it is also a tremendous risk if they’re not properly educated in how to protect and secure their devices both in and out of the office. We previously discussed the importance of a BYOD policy, and how to implement one, in a post here, but the fundamental message is the same: if you allow the members of your firm to access law firm data from a personal device, you should have a clear and concise policy that both provides a framework for keeping their devices secure and advises staff of their obligation to do so.
Encrypt Your Locally Stored Client Files
The encryption that cloud services provide by default has lulled many lawyers into a false sense of security regarding their locally stored files. If you lost a laptop full of client files, how easy would it be for someone to access that data? Encrypting your files scrambles all of your locally stored information, making it unreadable to prying eyes without the key. Best of all, it’s ridiculously simple to enable: Lawyerist’s Sam Glover gives a rundown on how to do so here.
Don’t Communicate Sensitive Data Via Email
Email security hasn’t come a long way since the medium was introduced, yet most lawyers still rely on insecure, unencrypted email when communicating externally with clients or co-counsel, and internally with other law firm members. By using a client portal (such as Clio Connect), law firms can reduce the risk of an email being intercepted by an unintended recipient, or of the dreaded ‘accidental CC’. Client portals add an additional layer of security and ensure that third parties must log in to view messages, documents and files. Additionally, use a secure internal channel for communicating with other firm members: there are a number of internal chat applications that include all the functionality of email but won’t put your firm at risk if an employee’s email is ever hacked.
While law firms might not be able to completely avoid data breaches, by following these five recommendations they’ll at least add additional safeguards in the event one occurs, and show clients that they take data security seriously.
For even more information on getting your law firm up to speed, download our free guide by Brian Focht, the North Carolina Cyber Advocate, on 12 Steps to Cyber Security now.
Editor’s Note: In a case of ‘great minds think alike’, Heidi Alexander of the Massachusetts Law Office Management Assistance Program published this post on digital data security tips, which includes these and adds a few more.