In the three decades that we’ve been serving the technology and security needs for law firms, we have never seen such dramatic, rapid change as we did in 2020 when COVID-19 sent us all home.
While the pandemic will (eventually) pass, many of the law firms we’ve spoken with have plans to continue allowing attorneys and staff to work remotely at least partially for the long term.
Below we’ll explore how working from home changes the nature of cybersecurity, how a solid security strategy can help grow your firm, and what key steps we recommend you take.
Small firms were always at risk, even prior to Covid-19
Any business that stores sensitive information is a potential target for a data breach. If your business happens to be a law firm, keeping confidential information secure is an intrinsic part of your service. The ABA actually spells out the incentives for hacking a law firm in Formal Opinion 477, Securing Communication of Protected Client Information:
Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.
A file that includes SSN, date of birth, and full name sells for $50 to $100 on the black market. At these prices, stealing a decade’s worth of client records from a small estate-planning firm would yield a windfall. And data breaches like this one are well within the realm of possibility: cyber attacks on small businesses (including law practices) increased by 400% between 2018 and 2019. Given the disruptions caused by the Covid-19 pandemic, this trend most certainly continued throughout 2020.
For the law firms, the most tangible disruption was the explosive growth of telework. Most law firms are operating remotely on account of social distancing measures. However, WFH is gaining popularity as a long-term business strategy: In response to an industry-wide survey by Martindale-Avvo in early 2020, 50% of the responding firms reported plans to permit telework indefinitely.
If your firm has similar plans, keep this in mind: While an expansive WFH policy may be advantageous to your workforce (beyond the necessity of social distancing), the best interests of your clients must drive the conversation about how to implement it.
Working from home (WFH) makes it harder to defend your clients’ data
Whether it’s baseline or cutting-edge, a cyber defense only works if everyone in the firm follows policy and uses the proper tools. When traditionally office-bound employees work out of the home, they often lack the gear that makes your office a secure workspace.
Because of this, WFH arrangements generally increase the risk of a data breach:
- Equipment like routers and firewall appliances are stuck in the office, and policies like password hygiene are harder to enforce.
- The lack of physical proximity between colleagues creates new possibilities for social engineering by cyber criminals.
- If your employees are working on personal computers, logging into your DMS and other databases over their home WiFi networks, and moving documents between work and personal email accounts for convenience, any level cyber defense becomes inadequate.
We’ll assume that your firm enforces basic cybersecurity policies, such as:
These policies are the baseline of a cybersecurity defense – not having them will incentivize cyber criminals to target your firm over other potential victims.
Clients want to know how you handle their data
In the wake of data breaches at well-known firms like DLA Piper (2017) and Grubman Shire Meiselas & Sacks (2020), it’s not surprising that clients are concerned about their confidential information staying secure. Data breaches lead to drained bank accounts, lost clients, litigation by aggrieved former clients, and a loss of goodwill from potential clients down the road.
Your firm’s approach to cybersecurity will play an increasingly important role in how you distinguish yourself from the competition. We know that clients are shopping for legal services with their data security in mind: in a 2019 survey by a leading cybersecurity consultancy that addresses the legal space, 51% of the respondents reported getting a cyber-security audit from an existing or potential client.
Mitigate risk and establish a reputation for being the safest, most secure competitor
What can you do about all this?
Educate yourself and your employees! For starters, we have written several blog posts about the risks posed by employees who access sensitive company data on personal devices and/or from a home network:
- Top 10 Tips to Avoid Social Engineering Scams
- Phishing vs. Spear-Phishing vs. Spoofing: How to stay protected
- The Anatomy of Comprehensive Ransomware Protection
- What are the Best Ways to Secure PII/PHI?
- What are the Top Cybersecurity Threats to Law Firms?
Small and regional law firms who are contemplating a long-term WFH policy, we recommend taking these five actions to harden your defense against data breaches:
- Consider the two most effective and flexible technology setups that we explore in this piece for Attorney at Law Magazine
- Look beyond standard centralized antivirus and implement artificially intelligent threat detection that will pick up on “unusual” behavior, not just known threat definitions
- Enforce multi-factor authentication wherever possible (strong passwords are still critical, but are not enough)
- Implement an ongoing security awareness training program for all attorneys and staff to help them identify and avoid the latest scams
- Have periodic security assessments to identify and remediate gaps in technology, policy, and behavior.
We’ve been serving the mobility and cybersecurity needs of law firms for 30 years, and we have been quite pleased to see how well our law firm clients navigated the transition to WFH over the past year. If you haven’t implemented the solutions listed above, please give them serious consideration.
And if you need some guidance, don’t hesitate to reach out.