In today’s digital age, cybersecurity attacks have become all too common. Most of us have likely gotten at least one warning that a password of ours has appeared in a data breach. These attacks can become disastrous for any company that is targeted, but law firms in particular must remain especially vigilant over the treasure trove of sensitive information that they guard. Who knows what sort of profitable intel or lurid secrets a law firm holds? Hackers, if proactive steps are not taken to ensure your practice’s digital security.
Report and Resolution 109
In 2014, the American Bar Association adopted Report and Resolution 109, which addresses the need for cybersecurity within law firms. The Resolution “encourages private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected.” According to the Resolution, law firms possess a wealth of valuable records, including intellectual property, strategic business data, and litigation-related theories and records collected through e-discovery. Most of this data is confidential and protected by attorney-client privilege, which makes this information all the more important to protect.
Types of Attacks
According to Joshua Lenon of Clio Legal Software, the two most common types of cybersecurity attacks that law firms must contend with are social engineering attacks and phishing/ransomware.
- Says Lenon: “Socially engineered attacks mean that the hacker is targeting your specific organization.” These are the methodical, sophisticated attacks that involve researching your firm down to your employees, your vendors, your contact information, and more. Because law firms often manage hefty financial transactions, they are prime targets for incidents like this. Attackers using this method may also be seeking information from law firms that they can sell.
- Phishing and ransomware are automated, generic attacks. These are the attacks that come through email, texts, and social media. Phishing involves sending deceptive emails or messages to trick recipients into divulging sensitive information or clicking on malicious links. Law firms may be targeted through phishing emails disguised as client inquiries or official communications. Ransomware is a form of malicious software that encrypts a law firm's data, making it inaccessible until a ransom is paid. This type of attack can severely disrupt operations and compromise sensitive client information if backups are not readily available.
There are many ways to approach protecting your firm from cyber attacks. Here are a few tips for when you are just starting to mitigate your practice’s risks.
- Risk assessment
Risk assessment should, at minimum, be performed annually, but preferably even more frequently. Risk assessment means determining where your firm’s weaknesses are before hackers can exploit them. You can’t fix what you don’t know about! Audits can be performed internally, but the best results will come from a third party with experience in conducting these assessments.
- Cybersecurity policy and incident response plan
Implementing a policy for cybersecurity should be one of the first steps that your firm takes to protect its vulnerable assets. Consider certifying your firm under a program like ISO 27001, a global standard for information security management. Conformity to a standard like ISO 27001 demonstrates that your firm has taken the necessary precautions against cyber attacks. Your firm should also decide in advance what your practice’s response will be if the worst ever does come to pass and your security is compromised. This plan should include procedures for detecting, containing, eradicating, and recovering from security breaches. Assign roles and responsibilities to team members, and regularly test the plan through simulated exercises to ensure its effectiveness.
- Encryption
Encryption, which is performed by a mathematical algorithm, can be compared to having a secret code for your data that hackers would need to crack to get past. This way, even if sensitive information falls into the wrong hands, it will be unusable to them unless they can unscramble it. Encryption can and should be used virtually anywhere, from browsers to hard drives to mobile devices.
- Data backups
Implement a regular data backup strategy to ensure critical client information is securely stored and can be recovered in the event of a data loss incident, such as a ransomware attack or hardware failure. Backups should be stored offline or in a separate location to protect against ransomware attacks targeting backup systems. Incremental backups are an efficient way to back up data. Instead of copying all data during each backup, only the changes made since the last backup are saved. This reduces backup time and minimizes storage requirements. Full backups can be performed periodically, such as weekly or monthly, to create a baseline copy of all data.
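To make the full-plus-incremental scheme concrete, here is an added example (not code from the original article, nor from Clio or Dexcomm) that writes a full baseline set, then an incremental set containing only files whose SHA-256 hash changed, and restores the latest state while checking every restored file against the recorded manifest. The directory names, the manifest format and the sample files are assumptions constructed for the demonstration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(source: Path, backup_root: Path, full: bool) -> dict:
    """Write one backup set: every file for a full set, only new/changed files for an incremental."""
    manifest_file = backup_root / "manifest.json"
    previous = {} if full or not manifest_file.exists() else json.loads(manifest_file.read_text())
    n_sets = sum(1 for p in backup_root.iterdir() if p.is_dir())
    dest = backup_root / f"{n_sets:03d}-{'full' if full else 'incr'}"   # sorts in creation order
    current, copied = {}, []
    for f in (p for p in sorted(source.rglob("*")) if p.is_file()):
        rel = f.relative_to(source).as_posix()
        current[rel] = _digest(f)
        if previous.get(rel) != current[rel]:          # new or changed since the last set
            (dest / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dest / rel)
            copied.append(rel)
    manifest_file.write_text(json.dumps(current, indent=1))   # hashes of the source as of now
    return {"set": dest.name, "copied": copied}

def restore(backup_root: Path, target: Path) -> list:
    """Rebuild the latest state from the newest copy of each manifest file; return missing/altered files."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    sets = sorted((p for p in backup_root.iterdir() if p.is_dir()), reverse=True)  # newest first
    problems = []
    for rel, digest in manifest.items():
        src = next((s / rel for s in sets if (s / rel).is_file()), None)
        if src is None or _digest(src) != digest:      # e.g. a backup set that was itself encrypted
            problems.append(rel)
            continue
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target / rel)
    return problems

def demo() -> dict:
    """Constructed scenario: full baseline, one edited file, an incremental set, then a restore."""
    root = Path(tempfile.mkdtemp())
    src, bak, out = root / "matters", root / "backups", root / "restored"
    (src / "smith").mkdir(parents=True); bak.mkdir()
    (src / "smith" / "contract.txt").write_text("draft v1")
    (src / "notes.txt").write_text("intake notes")
    first = snapshot(src, bak, full=True)
    (src / "smith" / "contract.txt").write_text("draft v2")   # only this file changes
    second = snapshot(src, bak, full=False)
    problems = restore(bak, out)
    return {"first": first, "second": second, "problems": problems,
            "restored": (out / "smith" / "contract.txt").read_text()}
```

Hashing every file on each run is simple but reads all data; production backup tools usually compare size and modification time first. Keeping the manifest and at least one copy of the sets offline is what lets the hash check in `restore` detect a backup set that ransomware has overwritten.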
- Employee training
For a cybersecurity plan to work, it is critical to provide comprehensive cybersecurity awareness training to all employees, including attorneys, support staff, and contractors. Training should cover topics such as recognizing phishing emails, practicing strong password hygiene, identifying social engineering techniques, and reporting security incidents promptly. Encourage a culture of security awareness and ensure employees understand their role in maintaining cybersecurity.
- Cybersecurity insurance
Add an extra layer of protection to your firm by investing in cybersecurity insurance. This is an especially good idea for smaller firms and solo practitioners, as it can soften the financial blow of a data breach or cyber attack. First-party cyber liability insurance will support your firm against the direct financial impact of an incident, such as lost time or internal investigations. Third-party cyber liability insurance will protect against liability claims from clients whose data may have been compromised in the breach. Either way, insurance against cyber attacks is definitely worth your consideration!
Clio and Dexcomm for Cybersecurity
Clio Legal Software, a cloud-based legal platform that handles many of an attorney’s day-to-day information management tasks, offers advanced protections for your firm’s sensitive intel. Cloud-based services may seem daunting, but the right one can actually enhance your firm’s cybersecurity. Clio not only features built-in security measures, such as encryption and automatic backups, but also has a dedicated team focused entirely on protecting your practice’s data.
But wait, there’s more!!! With Dexcomm’s integration with Clio, you can receive all of its cybersecurity benefits alongside our premier virtual receptionist services! We integrate directly within your Clio account to effectively manage your client intake, schedule appointments, and answer your calls, all with prompt notifications to you to keep you in the loop. Plus, with our 24/7/365 services, you can be assured that you will always be covered!
For a more detailed look at the world of cybersecurity for law firms, the ABA offers a Cybersecurity Handbook that provides extensive information and resources for protecting your firm.