Something to think about…
In 2016–2017, about two-thirds of law firms reported a breach in their cybersecurity, and that might be understated. As more and more firms digitize their client data in case management software (CMS), hackers and malware have now become the biggest threats to your legal practice. But before you rethink your entire security strategy, it’s vital to have an accurate understanding of the most significant law firm data security threats. In this post, you’ll learn how to start forming a smart, effective strategy for dealing with cybersecurity risks—and what your firm’s biggest vulnerability really is.
The Truth about Law Firm Data Security Threats
When you think of what a security hack looks like, many imagine a scene out of a Hollywood movie: an expert team of anarchist techies teaming up to tear apart your case management software’s source code. Others imagine hackers who look like stock photos of some hooded or ski-masked individual at a laptop. In short, they think of dramatic and flashy attacks on their software and network that no ordinary company could hope to withstand.
The truth about cybersecurity risk is more mundane, but no less scary. Of the two-thirds of law firms that suffered a cybersecurity breach in 2016–17, 95% did not follow their own security policies. In other words, what failed at 19 out of 20 breached firms was not the software or systems, but rather the human beings. Hacks are the work of bad actors, to be sure—but behind the majority of security breaches were ordinary people who made a mistake.
What do these data security mistakes look like? Perhaps they stepped away from their open work laptop. Maybe they clicked a phishing link in an email. They may even have accessed the internet on their smartphone using an unsecured wifi network. No matter how breaches happen, the way to combat them is clear: You must teach and adopt smart security practices for your law firm to prevent unauthorized access to your clients’ data.
Security Best Practices to Protect Your Law Firm’s Data
Before you implement the following security protocols for your firm, it’s vital you begin by educating your staff about how breaches happen. This helps your team know how to recognize threats before they gain access to your data. Above all, your staff should do everything they can to protect the passwords and devices they use to access your case management software. This means guarding passwords closely, not opening suspicious email messages, and only using authorized devices (including thumb drives) to access case management systems.
Knowledge about breaches is important, but it’s not enough by itself. Here are proven security practices your firm should adopt to protect your clients’ data:
Two Factor Authentication for All Logins
This method requires each employee to enter a randomized code along with their password whenever they log into your case management system. That way, even if a hacker acquires a password, they still won’t be able to get inside your system.
Define Strong BYOD Protocols
It’s completely understandable your staff wants to access your CMS and work email on their personal smartphones and tablets. However, be sure to define your Bring Your Own Device rules. For example, require each employee to password protect their phones and immediately notify your firm if the device is lost or stolen. An unlocked phone could easily have access to both your CMS and your two-factor authentication system.
reCaptcha or Captcha Challenge on Login Page
This method requires employees to type in a random string of text from an image or to click an “I’m not a robot” option whenever they log in. This can deter automated hacks from gaining access to your CMS.
Expiring Password Reset Tokens Work with Two Factor Authentication
When your staff forgets their password, they should be able to request a password reset link to be sent to their email. It’s important this link expires quickly (usually within 30–60 minutes) to avoid leaving password access open. Also, be sure no one can bypass your two-factor authentication by using these tokens to request a new password. Make sure any password change sends the user back to the regular login menu instead of taking them directly into the CMS.
SSNs Presented as Images Rather than Text
Countless legal cases use social security numbers to identify clients. When your firm needs to collect and share this information, be sure not to present SSNs using image files like jpg instead of as text. This makes it harder for a malicious program to scan your electronic messages for SSNs and steal client identities.
Immediately Close Access to Insiders Who Leave the Firm
Whenever someone leaves your firm’s employ for any reason, have your IT team ready to remove their access to your CMS as soon as they exit the office. Because many of the best CMS solutions are web-based, you don’t want to accidentally permit access to former employees or others who no longer represent your clients.
Get Serious about Case Management Software Security
The data security threats facing modern law firms are scary, but it’s important to not panic or mistake worrying for action. Instead, treat these breach headlines as calls to action that demand your firm’s attention and diligence. Have serious conversations with your employees about information security, and create a security strategy that will safeguard your clients’ information and protect your business.
If you’d like to learn more about how GrowPath approaches information security in our case management software, please contact us.
Eric Sanchez serves as Chief Product Officer of GrowPath.
Eric has a well-earned reputation for logistics, efficiency and technical savvy, born from his diverse background and from his over seventeen years as an executive in what has become the largest plaintiffs’ practice in North Carolina.