The truth of the matter is simple: law firm hacks are front-page affairs. It’s an inevitable consequence of dealing with valuable confidential information.

But big headlines come from small openings. Hackers consistently bypass fancy IT gadgetry when people accidentally grant them the keys to the kingdom (phishing, in IT parlance). That means your best, first line of defense isn’t expensive and confusing IT wizardry, but down-to-earth policies that reflect how people actually use the technology in your firm.

A few key ways of approaching IT security:

Create and implement data security policies

If you walk away from this article with one policy to implement, it’s this:

Make sure no one at your office (from the admin assistants manning the phones to the attorneys) opens an attachment or clicks a link in an email they were not expecting.

If they get an email from a client, from your cloud hosting company, from anyone – and it contains an attachment or an embedded link – the policy should be to always verify that the sender intended to send it. The key is not to reply to the email, but to send a separate email (with a new subject line, and with the recipient’s address entered manually rather than taken from the message). Even better, make a phone call (this is where it pays to have a quality address book and/or up-to-date CRM information, so you are not grabbing the phone number from their email signature, which the scammers may have set up intentionally to ensnare your firm).

When in doubt, just don’t open it.

Other policies to consider:

  • Using two-factor authentication for logins
  • Using a password manager such as Keeper

2FA combined with a password manager is hands-down the cheapest and most effective way to protect yourself from any number of login hacks and from loss of PII, and the password manager is also a good place to keep ‘immutable’ documentation like routing numbers.

Continuously train staff on mitigating data risk

This doesn’t need to be a formal thing – instead, when you get a phishing email in your inbox, take a screenshot before deleting it, then send the screenshot around to the team to show them what it looks like. Just don’t forward the actual phishing email with a note – chances are too high that someone will click it. Delete the email first and never send the actual message.

If the policy is in place and, once every month or two, you take five minutes to point it out to them, they will be better prepared to notice a phishing attack aimed at them.

Establish a protocol on staff using their own devices

With the pandemic, work/life balance has taken an adjustment. One of the side-effects is more work is being done from personal devices than ever before.

The trouble is – if work product is on a personal device, and that device gets hacked, it’s your problem now too.

Figuring out a process that works best for your firm is complicated and best done on a case-by-case basis. If you have any questions on how to develop a system that protects your firm’s data and doesn’t impede work getting done, feel free to reach out to schedule a consultation.


Luke Kumanchik

Entrepreneur, programmer, backyard farmer & Dungeon Master Extraordinaire.