Law Firm IT Support
Law firm cybersecurity becomes more critical, and more complex, every year. Because they hold vast stores of client intellectual property, providers of legal services are prime targets for hackers, as demonstrated by a 2019 Chinese cyberattack against a prominent U.S. law firm.
In October 2018, the ABA issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, which outlines attorneys’ responsibilities in securing confidential client records while transmitting data over the Internet. The Opinion states, “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.”
That the ABA now addresses cybersecurity directly underscores its importance: law firms must give special attention both to preventing data breaches and to documenting the measures they take.
So, what should law firms do?
1) Business-class firewall. Law firms must secure the network perimeter against intruders, malware, spyware, and illicit content. SonicWall, WatchGuard, Fortinet, and Sophos manufacture reputable network security appliances that scale from small-business models to enterprise class.
2) Strong endpoint security. All devices, including PCs, Macs, phones, and tablets, should be outfitted with a malware defense agent. Leading providers include Bitdefender, F-Secure, and McAfee.
3) Secure remote access. Access to data must go through a VPN, whether a private VPN that connects endpoints to the central office or a commercial VPN that protects information when using public Wi-Fi. Business-class firewall products come with private VPN capability, while mobile users not connected to their central office VPN should use services such as NordVPN, ProtonVPN, or ExpressVPN to encrypt data transmitted over the Internet.
4) Monitoring. Law firms should be able to demonstrate, by producing retained security logs, that a breach has not occurred.
5) Early detection systems. Proactive system management should cover all network appliances and endpoints, so that IT issues are caught and resolved before they become significant.
6) Security awareness training. Arguably the weakest link in the cybersecurity chain is humans. End users must undergo phishing simulations and, where feasible, other cyberattack simulations to promote awareness and recognition of cyber threats.
7) Role-based security. Restricting document access according to the "least privilege" model is vital to protecting sensitive information. Access to sensitive documents should be logged and traceable. It is also important to tag documents that fall under special regulations, such as PII or PHI under HIPAA.
8) Two-factor authentication. 2FA should be mandated for all online and Windows Active Directory logins.
Law firms that are unsure about their cybersecurity posture should start with an IT risk assessment to enumerate vulnerabilities and prioritize them by criticality. Mitigation efforts should be documented and then verified with a follow-up risk assessment scan. Finally, an incident response plan is necessary in case a breach does occur. Remember that incident response is needed not only when your firm is the direct target of a successful cyberattack, but also when your data is stolen because of poor security practices at a supplier.
Always remember that good cybersecurity is two-fold: a meticulous process, and the ability to prove you have it.