Cyber Attacks: Why the Defense Cannot Rest


Theft Prevention and Data Backup

When the subject of lawyers comes up, we like to imagine steely, highly resourceful, organized professionals. They can spot most oppositional traps and threats a mile away, and regularly pair this foresight with rhetorical eloquence to manipulate case outcomes in their favor. Lawyers are also tasked with knowing an awful lot, and we don’t just mean information found in books and statutes. We are talking about highly sensitive client data, data so sensitive that it is often restricted to counsel and client alone.

But who better to keep this data? The most well-known and successful law firms are physically and figuratively impregnable, right? Well, not exactly. Unfortunately, cyber-attacks against law firms have been increasing at a disquieting rate. Defense against such attacks hasn’t exactly been air-tight, and lawyers seem to be walking head-on into the same traps. Today we will touch upon some common issues, and measures lawyers can take to safeguard their firms, clients, and reputations.

Common modus operandi

Law firms are a regular target for hackers and cyber thieves and, as we stated above, it’s no secret as to why. In the digital realm, an attorney’s enemies are as patient, determined, and astute as they are. However, one money-stealing method hackers have been using to great success of late is as common as typical B&E. We speak, of course, of “phishing”: criminals intercept emails between lawyers, clients, and third parties in an effort to steal payments. We all know what happens next. Armed with official e-mail addresses, thieves send mail directing all parties involved to transmit funds to bank accounts controlled by them.

Vigilance and common sense are the best defense in this case. Attorneys and their staff must be extra careful while viewing e-mails about payments and closing funds to spot any inconsistencies. It is also a wise tack to confirm electronic funds by phone, or send hard copies of instructions through traditional mail.

Unfortunately, both the ambition and the depth of a cyber criminal’s toolbox extend beyond simple phishing scams. A number of practices have fallen victim to “ransomware”, software that freezes a computer and encrypts all its data. Criminals then demand a ransom for the system’s restoration. Most forms of ransomware infiltrate in the form of seemingly harmless, common files attached to e-mails. Once such files are opened, a computer’s hard drive is quickly infected, and the malicious program auto-encrypts all the data it touches, as well as any other important files on linked external drives.

We don’t need to explain the magnitude of such an attack, or remind you of what’s at stake. As with phishing, there are basic, common-sense approaches to avoiding ransomware intrusions. Practices should set up their e-mail to block random “executable” and “compressed” file types. In addition, they should always keep operating systems, internet browsers, and various media plugins 100% up to date, and regularly back up important data.

The best tactics

Poor data protection will cost lawyers clients and inevitably tarnish their reputations. Law firms must get serious. Common professional liability insurance does not always cover important costs related to cyberattacks. Luckily, cyber insurance is available to fill in these important gaps. First, it is up to an attorney to assess how real the threat of cyber-attack is for them, and how much room they have in their budget for such insurance. Typical policies can cover the services of security consultants and other loss-prevention experts, loss of revenue, and lawsuits resulting from loss of data.

In addition to cyber insurance, law firms should invest in the implementation of a strong information security program. Rome wasn’t built in a day, and neither are systems for data security, but the first brick is up-to-date intrusion detection and prevention (i.e., full anti-malware and virus protection). Beyond this, a solid security program addresses patch management, firewall configuration, web and email gateway monitoring, and encryption. User access control is important, as it ensures that only those who absolutely need to will be able to access confidential client files.

Conversion to a cloud-based data service will not only increase functionality at your practice, but can protect it from unwanted intrusion. While not totally impermeable, the cloud system removes information from localized networks and individual machines, eliminating vulnerable access points to data storage, and protecting against unapproved software installation.


Brian Torchin

HCRC Staffing