Colin Bohanna, General Manager at Clio EMEA, discusses how cybersecurity needs to be a key priority for all.
A dedication to maintaining robust cybersecurity and data protection protocols is vital to any law firm. While law firms have traditionally relied on physical documents, filing cabinets, and office-based servers to maintain security, a changing environment and the pivot towards remote work are necessitating a more technology-based solution.
The importance of cybersecurity to legal professionals
It’s not surprising to learn that legal firms are high-value targets to hackers given how much privileged data and sensitive information law firms store. This includes intellectual property, business sensitive information such as merger and acquisition data, and crucially, clients’ personal information.
Any breach can cause issues for a law firm: legal professionals have both an ethical and a professional obligation to ensure that this data remains confidential.
Here are some basic steps law firms should take to strengthen their cybersecurity.
Create an effective cybersecurity strategy
At a minimum, firms must develop effective, clear strategies and procedures that promote the security of confidential information. It is also vital that firms document cybersecurity procedures clearly and ensure that all members of the firm are trained (and regularly refreshed) on these procedures.
Procedures should be kept as simple as possible while maximising effectiveness. An excellent starting point is implementing two-step verification for all logins used for firm activity. If the firm has a BYOD (bring your own device) policy (whether for phones, laptops or both), two-step verification can be a particularly effective way to safeguard against hacks. This is because, while cheaper overall, personal devices can leave the firm more exposed to inbound viruses and malware. If firms do adopt a BYOD policy, it is important that they instruct employees to keep personal and professional accounts separate.
Keeping data encrypted is another essential element of any effective security strategy. Essentially, encryption scrambles data into an unreadable form that can only be unlocked by someone holding the correct key or password. Check whether your chosen software providers offer encryption as standard. Additionally, firms must be confident that the system has been assessed by a third-party authority. For example, Clio’s encryption service is audited by the trusted certificate authority, DigiCert.
Finally, train for staff error. One common cause of breaches that is overlooked is human error – for instance, an easily guessable password, falling for phishing scams, or using the same password in numerous places. This is a particular point to labour in 2022. As remote/hybrid working arrangements become more commonplace, ensuring that employees access sensitive data securely will only grow in importance.
Vetting software vendors
When considering any type of software for your firm, there are a number of measures to consider to ensure that sensitive data will not be vulnerable.
As a starting point, review any potential vendors’ terms of service closely – understand how the vendor processes and stores information and how much access a vendor has to sensitive information. Following on from this, ensure that any software provider being considered takes data security seriously. Ask:
- is all data encrypted?
- is the system audited by third parties to ensure security?
- are there multiple servers to provide geographic redundancy?
Cloud-based providers, such as Clio, will have the necessary infrastructure to support storage in multiple locations and data residency requirements. Firms must also have assurance that the secure data stored with providers can be retrieved upon termination of any contract agreement.
Damage control and disaster recovery
Legal firms must ensure that they have an incident response plan in case of breaches. While you will hopefully never have to use it, this should be devised before a breach and should be included in any cybersecurity training and documentation you develop.
The following is a good starting point for an incident response plan (IRP) checklist:
- Contain the damage and begin any recovery protocol.
- Connect with a data breach expert.
- Notify your insurance provider.
- Report the incident to law enforcement.
- Ensure all third parties are notified.
- Make compliance a top priority.
Your plan should detail how you will identify incidents, what needs to be done, how communications will be handled, and any notification requirements. It should also clearly articulate who is responsible for what task(s).
Increasing communication security on mobile
If employees are using their personal devices for work activities, they should use separate communication apps for each. An increasingly popular choice for work communication is Signal, which features end-to-end encryption even in a group conversation setting. Additionally, Clio’s Mobile App allows for secure access to the firm’s data anywhere – individuals can retrieve client data, add documents, and record time on the go without compromising on security.
Cybersecurity is understandably a concern for law firms, especially as hybrid and remote working becomes more common. However, with the right vetting, procedures, and training in place, firms can protect themselves, their employees, and their clients.
For more on law firm data security, see Clio’s 2022 Law Firm Data Security Guide.