GrowPath’s Cybersecurity Diagnostic and Roundup – 22 Questions For Diagnosing Your Firm
Your responsibility for cybersecurity as a legal professional
It goes without saying that it’s a good idea to wear a helmet when riding a motorcycle. Nevertheless, some bikers can still be witnessed riding without a helmet. You would never do that, of course, but it’s always easier to spot someone else’s lapses than our own. When it comes to the safety of your law firm’s data and confidential information, are you blithely speeding along without top-of-the-line digital protection? Proactive prevention against cybercriminals and cyber attacks is an immediate, ongoing, and absolute necessity of legal tech in 2020, and a legal cybersecurity checklist can help! Ignoring tech advice is as bad as riding that bike without a helmet.
The ABA’s Ethics and Professional Responsibility Opinions on Client Data and Monitoring
Law firm cybersecurity best practices have been a hot topic of conversation and professional analysis recently. In 2017’s Formal Opinion 477R, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued guidelines for how attorneys should transmit client data over the internet. A lack of reasonable efforts to protect confidential information from hacking or inadvertent disclosure could result in violating some ethical rules.
The ABA followed 477R with Formal Opinion 483, which focuses on a lawyer’s duties and responsibilities in the event of a data breach. Clearly, the topic of cybersecurity vis-a-vis client confidentiality demands attention.
An essential aspect of legal tech in 2020 is data and email encryption. When you encrypt a document or other sensitive information, the data is scrambled and unintelligible to outside readers. Only with the corresponding digital key is the data unlocked and made readable once again. Unencrypted data sent across the internet can be intercepted and read by hackers, which is obviously a legal and ethical confidentiality issue.
For lawyers, transmitted data must be sent through an HTTPS website rather than a simple HTTP site. To verify that your data in transit will be encrypted and safe, a simple website address check is required. A lot depends on one letter: that extra S stands for secure and means that your sensitive info is safe from prying eyes. A secure site may also be indicated by the icon of a padlock in the address bar. Remember that your fastidiousness in encrypting your data in transit can be quickly undone if your third-party vendors are careless in how they handle your data. Hackers finding their way into your system through an indirect security breach is a real concern.
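The "website address check" above can be turned into a routine audit of every portal the firm sends client data through. The script below is an added example, not GrowPath's code: it classifies each URL in a list purely by its scheme (no network needed), and separately offers a live check that opens a verified TLS connection to a host. The hostnames in the sample list are constructed placeholders, and the live check is an assumption about how a firm might extend the audit, not something the article prescribes.

```python
"""Audit a list of vendor/portal URLs for HTTPS (added example, not GrowPath's code)."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: the kind of list a firm might keep of the web portals
# it sends client data through. All hostnames are placeholders.
SAMPLE_URLS = [
    "https://portal.example-vendor.test/upload",
    "http://intake.example-vendor.test/forms",
    "ftp://files.example-vendor.test/",
    "https://billing.example-vendor.test",
    "not a url",
]


def classify_url(url: str) -> str:
    """Return 'ok' for https, 'insecure' for cleartext schemes, 'unknown' otherwise.

    Only the URL string is inspected; nothing is contacted.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if not parts.netloc:
        return "unknown"          # not something a browser would treat as a web address
    if scheme == "https":
        return "ok"
    if scheme in ("http", "ftp"):
        return "insecure"         # cleartext on the wire: readable if intercepted
    return "unknown"


def audit_urls(urls):
    """Map every URL to its classification."""
    return {u: classify_url(u) for u in urls}


def insecure_urls(urls):
    """The URLs that need attention, sorted for stable reporting."""
    return sorted(u for u, status in audit_urls(urls).items() if status == "insecure")


def check_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network; not used by the offline audit above).

    Opens a TLS connection with certificate and hostname verification enabled
    (the default context) and reports the negotiated protocol version and the
    certificate's expiry. Raises ssl.SSLCertVerificationError when the
    certificate is untrusted or does not match the hostname, which is exactly
    the condition the browser padlock is telling you about.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    for url, status in audit_urls(SAMPLE_URLS).items():
        print(f"{status:9} {url}")
```

One caveat worth keeping in mind when using a check like this: HTTPS only protects the data while it travels between your browser and the vendor's server. It says nothing about how the vendor stores or handles the data after it arrives, which is why the vendor-diligence questions in the checklist below matter just as much.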
Even your data that’s not actively being transmitted (data at rest) should be encrypted. Yes, your laptop requires a password to be unlocked. However, if your laptop or phone is lost or stolen, your password-protected but unencrypted files can still be accessed. A Mac, for example, can be booted up with just a Linux Live CD, with all files fully accessible. Here, then, is your first tip: full disk encryption, like BitLocker for PCs and FileVault for Macs, is not completely impervious but does increase your data-at-rest security and (should an issue arise) demonstrates your proactive steps in safeguarding sensitive client information.
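The point above, that a login password is not the same as encrypted storage, is easiest to verify by asking the operating system which block device actually holds each filesystem. The script below is an added example, not GrowPath's code, and covers the Linux/LUKS case only (BitLocker and FileVault have their own status tools). It parses the output of `lsblk -ln -o NAME,TYPE,MOUNTPOINT` and reports any watched mountpoint that is not backed by a `crypt` device. The embedded lsblk output is constructed for illustration, and the choice of which mountpoints to watch is an assumption to adjust for your own machines.

```python
"""Report filesystems that are not on an encrypted block device (Linux/LUKS).

Added example, not GrowPath's code. Uses the list-format output of
`lsblk -ln -o NAME,TYPE,MOUNTPOINT`, where a LUKS-backed filesystem shows
TYPE 'crypt' and a plain partition shows TYPE 'part'.
"""
import subprocess

# Constructed sample output for a laptop whose root filesystem lives on a
# LUKS volume but whose /data partition (say, where case files are kept) does not.
SAMPLE_LSBLK = """\
nvme0n1 disk
nvme0n1p1 part /boot/efi
nvme0n1p2 part /boot
nvme0n1p3 part
luks-1234 crypt /
nvme0n1p4 part /data
"""

# Mountpoints that hold client data and therefore must be encrypted.
# /boot and /boot/efi are deliberately not listed: they are normally plain.
WATCHED_MOUNTS = ("/", "/home", "/data")


def parse_lsblk(text: str) -> dict:
    """Map each mounted filesystem's mountpoint to the TYPE of its backing device."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # device without a mountpoint (whole disk, swap, LUKS container)
        _name, dev_type, mountpoint = fields[0], fields[1], fields[2]
        mounts[mountpoint] = dev_type
    return mounts


def unencrypted_mounts(text: str, watch=WATCHED_MOUNTS) -> list:
    """Watched mountpoints that exist on this machine but are not on a 'crypt' device."""
    mounts = parse_lsblk(text)
    return [m for m in watch if m in mounts and mounts[m] != "crypt"]


def live_lsblk() -> str:
    """Run lsblk on the current machine (Linux only; needs util-linux installed)."""
    result = subprocess.run(
        ["lsblk", "-ln", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    findings = unencrypted_mounts(SAMPLE_LSBLK)
    if findings:
        print("Not encrypted at rest:", ", ".join(findings))
    else:
        print("All watched filesystems are on encrypted devices.")
```

To run it against a real machine, replace `SAMPLE_LSBLK` with `live_lsblk()`. A mountpoint reported here is exactly the situation the article warns about: the login password guards the running session, but the partition itself can be read by anything that boots the hardware.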
Are you following law firm cybersecurity best practices? 22 legal cybersecurity checklist questions to ask.
Here are 22 legal cybersecurity checklist questions to ask yourself about the current state of your law firm’s cybersecurity. Indicate whether you’re currently compliant and, if not, when you expect to be compliant:
Legal Cybersecurity Protocols and Policies:
- Is your software set to automatically patch and update?
- Do you encrypt your internet traffic through the use of a VPN?
- Are your off-site security protocols as stringent as your on-site procedures?
- Does your security policy address the use of mobile computing in unprotected environments?
- Does your security policy address employees who telecommute?
- Do you have strong physical security of your office to complement your network security?
- Do you retain detailed network access logs well beyond the date they were recorded?
Employee and Third Party Accountability:
- Is there a specific and accountable owner for your security policy?
- Do your employees receive hands-on, regular, and mandatory security training in law firm cybersecurity best practices?
- Do you know what security measures your service providers are taking?
- Do you know the security procedures of third-party vendors that can access your sensitive information?
- Do executives in your organization adhere to the same security policies and procedures as other employees and staff?
- Have all of your employees signed a non-disclosure agreement?
- Do your employees know what reporting procedure to follow if they detect a security threat?
- Does anybody who doesn’t need access to your system nevertheless have access to your system?
- Have you disabled the credentials of workers no longer with your organization?
- Do you know when your last cybersecurity audit was conducted?
- Do you utilize the services of an ethical hacker to probe your cyber defenses?
- Do you have a tested incident response plan in the event of a cyber crisis?
- Do you know the first person you will call in the event of a security event?
- Do you have a continuously updated inventory of the key assets each information system contains?
- Are your backups segmented from the main network?
Free Cybersecurity Tools Roundup
Search for real-world passwords previously exposed in data breaches.
Evaluate the strength of your current password.
Download this Google Chrome extension to protect your data as you browse the internet.
Encrypt your secret files with an NSA-level cipher.
Stream this podcast on defending your data.
Draft or Update your firm’s cybersecurity policy.
Documents and Resources:
FFIEC Cybersecurity Assessment Tool
FINRA Cybersecurity Checklist
Auditing Resources from NIST
Cybersecurity for Smaller Firms
Cybersecurity Guide for Legal Executives
Security Audit Questionnaire
Incident Response Checklist
FTC’s Cybersecurity Basics
As you’ve seen by now, the real threat to your law firm is data insecurity. If you enjoyed this article, you might also be interested in learning how our patented cybersecurity methods can help keep your data safe. After all, when it comes to legal cloud security, not all clouds are created equal. To schedule a demo of our game-changing platform, click here.
Ted Seward is GrowPath’s Vice President of Marketing, joining its executive leadership team in 2019. Ted is responsible for all marketing and initiatives at GrowPath including growth through the development and execution of the marketing/sales strategy, brand awareness, lead generation, and business development.