It’s 10:30 AM on a Tuesday. You are deep in your response to a motion for summary judgment. A notification pops up that says a new security patch is available and encourages you to update your operating system now. But your response is due in two days and you don’t want to stop your flow. You press the “ignore for one week” button and carry on with your day.
The next day a new message pops up on your screen that says your computer is locked, and none of your data is accessible unless you pay a $50,000 ransom. First of all, you don’t have that kind of money to throw around. And if you did, can you trust that you will get access to your computer again if you pay?
Unfortunately, ransomware attacks are on the rise. In 2020, there was a 435 percent increase in ransomware as compared to 2019.
In 2017, in the now-famous WannaCry ransomware attack, hundreds of thousands of computers in 150 countries were infected within a matter of hours with a virus that locked the computers and demanded a ransom to regain access. How were all these computers infected? Well, remember that security patch update? What all of the hacked computers had in common was that their security patches had not been updated. This simple oversight left them more vulnerable to intrusion.
Making sure your operating system and other software are up to date with the most recent security patches is one best practice to secure your client’s and firm’s data.
Law firms house treasure troves of confidential and sensitive information that make hackers’ eyes gleam: attorney-client privileged information, client trade secrets, all types of personally identifiable information (PII), financial, health care, law-enforcement, and many other valuable records. As a result, law firms, big and small, are prime targets for cybercrimes. A security breach can devastate a firm, subjecting it and its clients to identity theft, fraud, lawsuits, ethical violations, and financial ruin. The reputational harm alone could sink a lawyer and their firm.
Cybersecurity Best Practices for Lawyers
You do not need to be an IT expert to fortify your cybersecurity defenses. Below are a few easy steps you can take to better protect yourself and your firm against cybercriminals; however, it’s only a brief overview. For more cybersecurity information and deeper dives into each of these best practices, check out the WSBA’s new Law Firm Guide to Cybersecurity. The guide covers your ethical responsibilities, how the cloud works and how to use it safely to house data, best practices for passwords, Internet of Things (IoT) device protections, and email phishing.
- Update Your Systems: Remember WannaCry? You will want to cry if hacked because of the same oversight. Ensure that the operating systems and software on all your devices are up to date with the latest security patches.
- Use Firewalls: If you work from home or share a physical office with other lawyers in a different firm, then you should have a firewall and use it to divide your network into separate virtual local area networks (VLANs). To learn more about firewalls and how to create your own, see the Department of Commerce’s Guidelines on Firewalls and Firewall Policy.
- Use an Anti-Malware Program: Use a program to protect against malware. Malware is malicious code that is, unbeknownst to the user, inserted into another program with the intent to destroy your data, run malicious programs, or otherwise compromise the confidentiality, integrity, or availability of your data and devices.
- Require Two-Factor Authentication: Wherever possible, implement two-factor authentication for your logins. Two-factor authentication uses two methods to confirm your identity before you gain access to your account (e.g., your password combined with a code delivered via text message), so you have a way to prevent someone from gaining full access even if they obtain some of your login information.
- Encrypt Wherever You Can: Encryption secures data by making it difficult and very time consuming to hack. It turns information into muck, only readable by those with the “key.”
- Protect Email: Please say this with me slowly: email is one of the least secure ways of sending and receiving information. The response I get from many attorneys when I reveal this during consultations is usually, “What?!?” Sending information by email is like sending a message on a postcard: anyone who gets hold of it can easily read it. Encrypting email is possible, but not straightforward. Other ways to transmit sensitive information include:
  - Password protect individual emails.
  - Utilize a client portal to securely communicate and send information between you and your clients.
  - Password protect files.
For personalized advice, WSBA members can schedule a free confidential consultation with a practice management advisor here. You can also download our Law Firm Cloud Checklist and explore other practice guides and accompanying forms on disaster planning and recovery, hanging your own shingle, and document retention.