The rising threat of data breaches has led customers to call for more due diligence on the part of service providers to ensure that confidential information remains in safe hands.
One sector that has been affected by frequent data breaches is the legal industry. With an increasing amount of sensitive data stored online, law firms have to battle threats of data theft continuously.
The increasing number of data breaches has also placed a question mark over the future of many law firms, and, in fact, the legal industry as a whole. Obviously, the legal profession isn’t going away; however, what it will look like to practice law in the coming decade will depend on how law firms react to the growth of cybercrime and what they do to shore up the security of their firm’s data.
Why Should Data Security Matter for Lawyers?
The past decade witnessed the realization of many security-related predictions regarding the legal industry.
The threat of impending data breaches became evident in 2012, when the Wall Street Journal reported that, “attorneys who want to protect their clients’ secrets are having to reboot their skills to the digital age.”
As events from the rest of the decade showed, many law firms ignored these warnings—only to find out the true extent of damage that data breaches can actually cause.
Here’s why I.T. security should headline your law firm’s agenda going forward.
The Risk Is Rising
The entire world was shocked when Mossack Fonseca, the Panama-based law firm, lost 11.5 million documents in 2015—the infamous “Panama Papers.”
This event sparked heated debate surrounding data security and placed doubt on the legal industry’s ability to protect client data. The latest research shows that the legal industry is still coming to terms with upgrading their cybersecurity measures.
According to a survey by the American Bar Association in 2018, 23% of law firms have experienced a security breach at some point in time. This represents a 9% increase from the number of incidents reported in 2013.
In the past few years, data breaches have become somewhat of a norm, highlighting how even major organizations do not have adequate security protocols in place.
Be it the Uber hack that affected the records of 57 million people, or the infamous hack at the multi-national law firm, DLA Piper—these incidents serve as a warning against lax data security protocols.
While multi-national organizations may have the resources to bounce back, the same cannot be said for medium and small-sized law firms.
A Secure Law Firm Exudes Reliability
All successful law firms have one thing in common: excellent reputation management. For a profession that has historically taken pride in the secrecy of its dealings and confidentiality of client information, data breaches can be disastrous.
What good is a lawyer who can’t safeguard the very secret they were hired to protect?
Also, once word gets out about firms that cannot protect their client information, it becomes difficult to recover. Case in point: Mossack Fonseca closed in March 2018, just under two years after the Panama Papers scandal.
Given the volume of information and the level of details that attorneys hold, they are considered to be trusted advisors by clients. Since a data breach means that a client’s information is now with a third party, this can lead to loss of trust and confidence—which in turn means loss of reputation and business.
Small Firms Are Equally Threatened
High-profile incidents such as the Panama Papers or the DLA Piper case feed a common misconception: that only large firms are susceptible to data theft.
Links to politicians, government agencies, and “high-profile” cases do make bigger law firms more attractive targets. However, this doesn’t mean that smaller firms are safe from hacking attempts—it’s just that small firms and small breaches don’t often make the headlines.
One good example is what happened to the 10-attorney firm located in Rhode Island, Moses Afonso Ryan. The firm was infected with ransomware, and the hackers refused to budge unless paid $25,000 in cryptocurrency.
Even after the law firm paid the ransom, the hackers still refused to cooperate—leaving the attorneys unable to bill even a single hour for three months, which resulted in a loss of $700,000 for the firm. The only reason this incident gained notoriety was the firm’s subsequent battle for an insurance payout.
An ABA survey has also revealed that a significant percentage of small and medium-sized law firms experience data breaches. For example,
- 14% of single attorney firms have experienced a breach in the past
- 24% of firms with 2-9 attorneys have experienced a breach
- 24% of firms with 10-49 attorneys have experienced a breach
- 42% of firms with 50-99 attorneys have also experienced a breach
The point is, regardless of the size of your practice, the legal industry as a whole needs to prioritize data security. Even if you’re a small practice, there is an ever-present threat to your business in the form of potential data breaches.
Tips to Keep Your Data Secure
Here are four tips on how small and mid-sized firms can keep their data secure:
1. Invest in a Disaster Recovery Plan
Data breaches and data loss can occur anywhere and at any time, and there is no such thing as “perfect” security.
While you can do your due diligence to protect against a potential breach, what about loss caused by in-house negligence, or a natural disaster?
When drafting its list of the top global risks to the modern economy, the World Economic Forum ranked extreme weather and natural disasters as the biggest threats, followed by cybersecurity issues in third place.
It doesn’t have to be a sophisticated group of cybercriminals who cause a data breach. This can be as simple as an employee opening a suspicious email that should have been reported to the I.T. department or sending a confidential email to the wrong address.
Invest in a Hybrid, Multi-Site Plan
A disaster recovery plan ensures that you have a reliable backup in case of an emergency, which can allow you to restore your primary services step-by-step.
Tape drives and hard drives cannot keep pace with the amount of information collected by law firms. Additionally, opting for an entirely cloud-based disaster recovery backup can limit control and cause frustrating downtime.
The key is to invest in a multi-site disaster recovery plan, with backup copies held in more than one location, so that the data remains safe even in the event of a regionalized disaster.
2. Prioritize Security Management
It’s no secret that law firms are a lucrative target for cybercriminals. Confidential client data usually fetches a higher price regardless of whether it is held for ransom or sold off to potential buyers.
Lawyers are charged with the responsibility to ensure that their client’s information is secure, and that all possible security measures are put in place to minimize risks.
Firewalls, anti-virus software, and other basic practices are incapable of stopping advanced hackers who utilize the latest technology and hacking procedures.
What Entails a Cohesive Security Management Plan?
An organized security management plan ensures that there is a mechanism in place for the detection and prevention of server-based attacks. (Web and email are the main areas where such targeted attempts are made.)
It’s important to ensure that your security plan includes an email content management system with an advanced filter that can identify and remove viruses, spam, ransomware, and similar threats. In the case of data theft, encryption helps ensure that the stolen data remains undecipherable to whoever has taken it.
Multi-factor authentication is another hallmark of strong and secure systems. Here, a password or other alphanumeric credential is combined with a second factor (typically a biometric), so that access is only granted to authorized personnel.
While security management should lead the agenda of the legal industry as a whole, attorneys need to ensure that a cohesive and well-strategized plan is in place.
A good security strategy is also crucial for avoiding potential loopholes that can be exploited later on to hurt the law practice.
3. Protect Your Mobile Devices
When mobile phones first came to the scene, nobody could have foreseen how they would revolutionize the entire world. Now, smartphones are considered essential for the modern workforce, with every employee holding a powerful computer in their pocket.
The rapid evolution of smartphones, coupled with the bring-your-own-device (BYOD) trend, means that law firm employees use their phones for multiple tasks. These tasks include dealing with clients, replying to emails, and storing crucial data on their smartphones.
A rise in remote working has also contributed to the growing need for securing mobile phones. According to a study, 52% of employees report working from home at least once per week, with 21% working from home more than once per week, and 18% always working from home.
Attorneys and law firm employees often connect to unsecured networks in public. Such networks provide easy access for hackers looking to break into files stored on personal devices.
The challenge for law firms is to secure such devices to ensure that confidential client data doesn’t fall into the wrong hands. A mobile device management plan helps employees leverage the capabilities of smartphones while protecting crucial data stored on personal devices.
What Does Mobile Device Management Include?
A good mobile device management plan should be based around securing data that is saved on these devices. Emails, corporate documents, and client information are some examples of such data.
Additionally, emails should be assessed and filtered for spam, as 59% of all emails that law firms receive are phishing or spam.
With a solid mobile management strategy in place, law practices can impose control on certain websites and applications, which can further secure the device against potential data breach attempts.
4. Instill a Culture of Learning and Prevention
According to Managing Insider Risk Through Training And Culture, 66% of data protection and privacy training professionals said employees were the “weakest link” in their security efforts against cyber threats, and data breach attempts.
What’s more: According to research by CompTIA’s International Trends in Cybersecurity, over half the respondents felt that human factors caused cybersecurity issues.
Whether employees are negligent, reckless, or simply unaware, training is an important part of keeping your critical data, and back-end systems, secure from the threat of data breaches.
The most common mistakes employees make include opening unknown attachments, clicking on links, and entering confidential or personal information into a login page that imitates a legitimate one.
These errors are driven in part by a technique called social engineering, which is leveraged by hackers to take advantage of human behavior.
How to Ensure Ongoing Learning About Cybersecurity Threats
A culture of learning and proactively avoiding a situation where a data breach is possible requires careful planning.
The first step towards ensuring an informed workplace is to develop policies and procedures that account for the latest tools and tactics used by cybercriminals.
Additionally, employees need to be trained using engaging activities (such as video demonstrations) on how to avoid falling into the trap of social engineering.
Conventional classes are not a good way to educate your employees on data security. A better idea is to run simulated phishing tests: emails sent to employees from external addresses, designed to catch users off guard. These are then followed up with emails that teach users how to avoid falling victim to such attacks.
An informed and up-to-date workforce ensures that your firm is safe from cybersecurity threats that could be easily avoided, saving you an average of $3.86 million!
Partner with the Best
With years of experience in dealing with modern threats faced by law firms, JMARK possesses a unique perspective on security compliance and cybersecurity.
As one of the leading I.T. security providers in the world, JMARK provides law firms with I.T. solutions designed to prevent and protect against data breaches. From securing your servers to providing compliance management, we pride ourselves on tailoring our solutions to meet the requirements of our customers.