Preserving Confidentiality in an Online World

Success in the legal profession is typically gauged by achieving optimal outcomes for clients, generating new business opportunities, and remaining well-informed about the most recent legal developments.

However, with the expansion and increasing complexity of the digital era, even highly skilled attorneys often fail to adequately address cybersecurity and data protection.

This article tries to address the fundamental aspects of a firm's security demands, which are frequently determined by the size of the business and the sensitivity of the stored information.

For people who are not in the IT field, the simple reference to software and operating systems can evoke visions of small blinking lights, buzzing machines, and a tangle of daunting cables. This essay aims to assist legal professionals in implementing simple initial measures to enhance the technology security of their firm.

The procedure commences by comprehending the potential hazards, followed by implementing basic measures to mitigate them.

Why Should Law Firms Care?

Based on studies conducted by the Breach Level Index, a comprehensive database that monitors data breach statistics by date, location, and industry, around five million data records are lost or stolen on a global scale each day. This corresponds to approximately 60 records per second.

It is hardly surprising that high-profile breaches are receiving more attention in the media than ever before and are occurring more frequently. Furthermore, considering that lesser breaches are not highlighted in the mass media, it is quite probable that the actual numbers are significantly greater.

Undoubtedly, these breaches have a significant impact not only on stakeholders' emotional well-being and the reputation of the organization, but also on the financial losses that accumulate rapidly. A recent study revealed that the worldwide average expense incurred due to a data breach amounts to $3.6 million, which equates to $141 per data record. In the United States, the amount reached an even higher value of $7.3 million.

Cybersecurity hazards can be encountered by virtually any business or organization. However, law firms face significantly higher risks due to the abundance of personal and transactional customer data that they are obligated to retain for extended periods of time.

Moreover, even a relatively minor data security breach has the potential to undermine the fundamental trust a client has in their legal advisor and inflict irreparable damage to a firm's reputation.

Put simply, data breaches in law firms can result in attorneys incurring expenses that go beyond just direct financial losses.

Considering this, lawyers and law firms should consistently assess and enhance their information security protocols.

What Can Be Done Easily?

Passwords serve as the primary barrier against hackers seeking to pilfer valuable data and emails. It is widely recognized that using the passwords “12345” and “password” greatly increases the risk of having your sensitive information compromised.

What are the criteria for a strong password?

Stay Away from Names and Words

Using a mix of uppercase and lowercase letters is advantageous. Numbers are also beneficial. Utilizing symbols is even more advantageous.

For example, replace the letter “S” with the symbol “$”, change the letter “I” to the symbol “!”, and convert the letter “E” into the number 3. The potential is boundless!

It is possible that your previous password was the easily breakable term “password.” By applying the aforementioned suggestions, you have the ability to modify it to “p@$$w0rD.” This employs both uppercase and lowercase letters, symbols, and the numerical digit 0 as a substitute for the letter “o”.

This is merely an illustrative instance. All you have to do is identify a word or phrase that is personally significant to you, and observe how you might rearrange its components.

However, ensure that it is not excessively simple. The National Institute of Standards and Technology (NIST) advises that passwords should have a minimum length of 8 characters and should not contain common words from a dictionary, repetitive or sequential characters, or context-specific words such as the service name, username, or related variations.

Research indicates that passwords consisting of 12 or more characters become exceedingly challenging to decipher.
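
The NIST criteria above can be applied as an automated screening check when a password is chosen. The following Python code is an added example, not part of the original article; the blocklist, the run threshold of four characters and the function names are assumptions, and it reverses the symbol substitutions described earlier before comparing a candidate against the blocklist.

```python
# Constructed sample blocklist; a real deployment would load a large list of
# common and previously breached passwords.
COMMON_WORDS = {"password", "12345", "qwerty", "letmein", "welcome"}

# The substitutions named in the article, reversed, so that "p@$$w0rD" is
# compared as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "!": "i"})

MIN_LENGTH = 8   # minimum length quoted from NIST in the article
RUN_LENGTH = 4   # assumed threshold for repetitive or sequential runs


def has_run(text, run=RUN_LENGTH):
    """True if text contains `run` identical or consecutive characters."""
    for i in range(len(text) - run + 1):
        # Differences between neighbouring characters inside the window.
        steps = {ord(b) - ord(a) for a, b in zip(text[i:], text[i + 1:i + run])}
        if steps in ({0}, {1}, {-1}):   # "aaaa", "1234" or "dcba"
            return True
    return False


def screen_password(password, username="", service=""):
    """Return the list of reasons a candidate password is rejected."""
    reasons = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if any(w in lowered or w in normalized for w in COMMON_WORDS):
        reasons.append("common word")
    if has_run(lowered):
        reasons.append("repetitive or sequential characters")
    # Context-specific words: the username and the service name.
    context = [c.lower() for c in (username, service) if len(c) >= 3]
    if any(c in lowered or c in normalized for c in context):
        reasons.append("context-specific word")
    return reasons


if __name__ == "__main__":
    for candidate in ("12345", "p@$$w0rD", "violet-harbor-kettle-92"):
        print(candidate, screen_password(candidate))
```

With the substitutions reversed, “p@$$w0rD” is reported as a common word, because it still matches the blocklist entry “password”.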

No Sharing!

It is important to emphasize that one should not share passwords and should avoid using the same password for different websites and apps. If a single reused password is stolen, then every account that relies on it will be compromised.

A password manager is essential in this context. Password managers are highly secure applications designed to store and manage usernames and password information, providing a convenient and efficient way to keep track of all your login credentials.

The crucial aspect is to mitigate the harm in the event of a hacking incident. Applications like LastPass, Dashlane, and 1Password are just a handful of the numerous choices that can quickly enable you to start simplifying your password security.

What Else?

Lawyers should additionally take into account the implementation of multi-factor authentication. Chances are, you have used it previously without being aware of it.

The National Institute of Standards and Technology (NIST) states that the traditional model for authentication systems recognizes three factors as the fundamental components of authentication:

(1) knowledge-based authentication, which involves using “something you know” such as a password or similar information;

(2) possession-based authentication, which involves using “something you have” like an ordinary key, an ID badge or cryptographic key; and

(3) biometric-based authentication, which involves using a fingerprint or other biometric data.

When more than one of these three archetypal authenticators is combined, this is referred to as “multi-factor authentication.”

If you have ever accessed an account and subsequently been prompted to answer a security question (such as your mother's maiden name or school mascot), you have employed multi-factor authentication. Consider it as employing a combination to unlock your safe and subsequently utilizing a key to open a package included within.

Multi-factor authentication is a security measure that involves two steps. It combines your password (something you know) with another contact device, such as your phone (likely in your possession), to form a combination that is resistant to hacking. Multi-factor authentication requires the input of both a password and a code, which is sent to your phone or email, in order to successfully log in.

Implementing a dual authentication system that combines a “proof of knowledge” (password) and a “proof of a physical key” (phone) is highly beneficial. By utilizing this system, you will greatly enhance the level of security provided to your clients.

Onward!

Having acquired a fundamental understanding of enhancing the security of your law firm, it is important to remember that this is merely a component of the contemporary lawyer's arsenal. 

Despite having a robust password, cybercriminals will make deliberate efforts to infiltrate your company's sensitive information.

Spear Phishing

Perhaps you're familiar with the term “phishing.” You receive an email from what appears to be a reputable company, urging you to disclose sensitive information such as passwords and personal details.

Phishing is designed to reach a wider range of people, whereas spear phishing is more focused and specific.

Targeted spear phishing attacks aim to exploit vulnerabilities in specific employees or individuals within an organization. When individuals who have been targeted open the infected email link or attachment, the hackers can proceed with their targeted attack.

Considering that spear phishing is mainly a result of human mistakes rather than technical issues, it is crucial for personnel to undergo training in different phishing tactics. Being vigilant in spotting emails with spelling errors, unusual language, or unfamiliar file formats can help prevent future challenges for your company.

Ransomware

News stories often highlight the unfortunate situation of a prominent law firm being affected by malware, causing significant disruption. When users power up their computers, they are frequently met with a notification stating that their company files have been encrypted. The only solution offered is to buy a decryption key from the hackers in order to regain access to their files. During the digital lockdown, there was a complete day without phones, six days without email, and almost two weeks of restricted access to crucial company documents.

The company successfully managed to mitigate the attack and recover certain files, although the complete extent of the damages remains uncertain.

It is crucial for your firm to have a well-defined plan in case of a ransomware attack. This includes measures such as securing servers, backing up files, and identifying vulnerabilities in your security system.

Cyber Insurance

As part of any comprehensive data protection strategy, it is beneficial to consider investing in cyber insurance. This industry is projected to reach nearly $30 billion by 2025.

A recent survey conducted by the American Bar Association revealed that a significant number of law firms, particularly those with 500 or more employees, have encountered cybersecurity breaches.

It would be wise to explore alternative coverage options that are not tied to a professional liability policy. Additionally, it is important to be mindful of any existing cybersecurity issues that may be lurking undetected. It's crucial to keep in mind that cyber insurance should be used alongside, rather than as a substitute for your company's cybersecurity measures.

Gaining Insight into Cybersecurity Standards

Keeping the public well-informed about the latest changes to cybersecurity standards is crucial in the ongoing battle against cyber attacks. To achieve this, a wide range of published materials are readily available.

As an illustration, a recent security study conducted in the United States revealed that 70% of the organizations surveyed consider the NIST Cybersecurity Framework to be the top contender in the industry. NIST employs test labs that specialize in mathematics, computer science, and engineering to foster innovation and advancement in the technology sector.

For an example of a recent recommendation, NIST implemented some changes aimed at enhancing password management. One of the suggestions is to avoid frequently changing your password. This practice has been followed for years, but NIST has discovered that it hinders effective password management.

Keeping Up with the Demands

Security and confidentiality are crucial for lawyers to provide the best service to their clients. Cybercriminals are growing more intelligent and audacious. By being cautious and proactive, you can stay ahead of the game.