Brought to you by the Real Law Editorial Team
In security, you are only as strong as your weakest link. A recent FBI investigation has shown that a company’s weakest link might be its law firm. Every law firm keeps valuable and sensitive information on each of its clients—information that hackers would love to get access to. And that makes the firm an attractive target.
It is up to law firms to protect both themselves and their clients with security measures that keep up with increasing risk. The firm can’t risk losing the trust of its clients. Here are some important ways that individual lawyers, and their firms, can improve the security of the information entrusted to them.
Choose Strong Passwords
Even though hackers can now employ powerful software to try to crack computer passwords, many times they don’t need to; they can simply guess. That’s because even in our high-tech world, most people still choose lousy passwords. In 2011, “password” was still the most popular password. Even lawyers can’t feel too superior to the average person: a large law firm was recently hacked, partly because of a password policy under which every password was simply “law321” preceded by the user’s initials. Anyone who knew the pattern and an employee’s name had that employee’s password, so that’s not much better than “password” itself. To get an idea of how tough your password is, it’s worth testing it against a strength checker and a list of common passwords; just never type a password you actually use into a third-party website, because you have then shared it with that site.
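As an added example (not from the article), the following Python script audits passwords for the two failure modes described above: dictionary passwords such as “password”, and a firm-wide template such as initials followed by “law321”. The common-password list and the template pattern are constructed for illustration; a real audit would load a full breach-derived wordlist and the firm’s own historic patterns.

```python
"""Added example: audit passwords for dictionary words, a firm-wide template,
and low brute-force entropy. Wordlist and template are illustrative."""
import math
import re
import string

# Constructed, deliberately short list of frequently used passwords.
# A real audit would use a full breach-derived wordlist.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "letmein", "welcome", "monkey", "dragon", "iloveyou"}

# Assumed firm-wide template from the text: two or three initials + "law321".
FIRM_TEMPLATE = re.compile(r"^[A-Za-z]{2,3}law321$")

MIN_BITS = 60.0  # assumed policy threshold for brute-force resistance


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover, judged by
    which character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    if " " in pw:
        size += 1
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on brute-force entropy: length * log2(charset).
    This over-estimates strength for dictionary words and predictable
    patterns, which is why audit() checks those separately."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def audit(pw: str) -> dict:
    """Return a verdict and the reasons a password was rejected."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if FIRM_TEMPLATE.match(pw):
        reasons.append("matches firm-wide template initials+law321")
    bits = entropy_bits(pw)
    if bits < MIN_BITS:
        reasons.append(f"only {bits:.1f} bits of brute-force entropy")
    return {"password": pw, "bits": round(bits, 1),
            "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("password", "jslaw321", 'C"^S=K~=y-"5(ss'):
        print(audit(candidate))
```

The entropy figure is an upper bound: a four-word passphrase drawn from a dictionary scores far higher here than the roughly 44 bits an attacker who guesses words rather than characters actually faces, so the list and template checks matter more than the number.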
Change Passwords on a Schedule
It is also much harder for hackers to hit a moving target. Even if your IT department doesn’t require it, you should change your password regularly. Set yourself a reminder every 90 days or so and stick to a schedule, and change a password immediately if you suspect it has been exposed. One caveat: a scheduled change is no substitute for a long, unique password and multi-factor authentication, and more recent guidance (NIST SP 800-63B) favors changing passwords on evidence of compromise rather than on a fixed calendar, because forced rotation tends to produce predictable variants of the old password (appending a digit, incrementing a counter). It may seem like a lot of work for a seemingly invisible reward, but the stakes involved make it too important to skip. Choose strong passwords and change them when needed for the same reason you go to the dentist or get the oil changed in your car: the hassle is well worth it to help prevent the potential long-term downside.
Be a Healthy Skeptic
Thanks to popular movies, many people imagine that hacking goes on invisibly, with guys in basements directly accessing top-secret databases, typing in lines and lines of code. In reality, hacking computers is very hard. It is much easier to hack people. Often, a hacker exploit looks more like this: you receive an email from what seems to be a new colleague at your client’s office. The email contains a link to a document. You click on the link, and perhaps you read the document. Six months later, you find out your client files have been compromised and your firm’s name is in the news. That’s how hackers got the employees of several law firms to compromise their own security.
As a legal professional, and as someone who has access to information that a hacker would love to have, it’s up to you to be an extreme skeptic. Discs, drives, emails, and even documents from established as well as unknown sources should all have to prove themselves before you do anything with them. Technology changes so fast that it’s almost impossible to tell how a hacker’s exploit might arrive. As a result, it’s up to you to check what you can find out: what’s the source, have you seen it before, and is it vetted in some way? Concretely, that means looking at the sender’s actual address rather than the display name, hovering over a link to see where it really goes, and comparing both against domains you already know. If you aren’t sure, report it to your IT department ASAP. That goes for unexpected phone calls too.
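As an added example (not from the article), the following Python script applies the three questions above to the scenario the text describes: an email that appears to come from a client’s office and carries a link to a “document”. It checks the source (the real sender domain), whether that domain has been seen before (an assumed allow-list), and whether the link goes where its text claims. The sample messages, the known-domain list, and all domain names are constructed for illustration.

```python
"""Added example: triage a suspicious email by sender domain, known-domain
allow-list, lookalike detection, and link text versus link target."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the firm already corresponds with.
KNOWN_DOMAINS = {"acme-corp.example", "realfirm.example"}

# Constructed phishing sample: the sender domain swaps an "o" for a zero,
# and the link text claims one host while the href points at another.
SAMPLE_EMAIL = """\
From: "Dana Reyes (Acme Corp)" <dana.reyes@acme-c0rp.example>
To: partner@realfirm.example
Subject: Revised merger agreement
Content-Type: text/html

<html><body><p>Please review the latest draft:
<a href="http://docs.acme-c0rp.example/download?id=42">https://acme-corp.example/merger.pdf</a>
</p></body></html>
"""

# Constructed benign sample for contrast.
CLEAN_EMAIL = """\
From: "Dana Reyes" <dana.reyes@acme-corp.example>
To: partner@realfirm.example
Subject: Revised merger agreement
Content-Type: text/html

<html><body><p>Draft: <a href="https://acme-corp.example/merger.pdf">https://acme-corp.example/merger.pdf</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs so the claimed destination can be
    compared with the real one."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of known domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the known domain this one impersonates (within 2 edits), or None."""
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None


def registrable(host: str) -> str:
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_DOMAINS:
        findings.append(f"sender domain {sender_domain} not previously seen")
    known = lookalike_of(sender_domain)
    if known:
        findings.append(f"sender domain {sender_domain} looks like {known}")
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text).hostname or "").lower() if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        if not href.startswith("https://"):
            findings.append(f"link to {target} is not HTTPS")
        known = lookalike_of(registrable(target))
        if known:
            findings.append(f"link domain {registrable(target)} looks like {known}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
    print("clean sample findings:", triage(CLEAN_EMAIL))
```

The edit-distance threshold and the two-label registrable-domain guess are deliberate simplifications; a production filter would use a public-suffix list and also catch homoglyphs that differ by more than two characters, but the structure of the check (real sender, known list, text versus target) is what the skeptic in the paragraph above is doing by hand.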
Stay on a “Need to Know” Basis
The IT department that won’t give you access to something may actually be doing you a favor. After all, the fewer people who have access to an asset, the fewer accounts an attacker can use to reach it, and the safer that asset is. High-risk assets, and the people with access to them, need to be watched more closely. That can mean more oversight and procedure, which might slow you down, but it also means that if your credentials are ever stolen, the damage is limited to what you genuinely needed to see.
Law Firms Need to Keep the Trust of their Clients
Law firms need to stay sharp because corporate security is getting harder, not easier. According to Deloitte, the number of risks and security breaches increased in 2012. Both criminals and state-sponsored attackers are targeting intellectual property, customer information, and avenues for business disruption. That makes law firms an ideal target. With increased threats, clients will be more careful about choosing partners that they can trust. The solution can’t rely only on user behavior. People will continue to choose their pets’ names as passwords, and none of those names will be something really secure like “C”^S=K~=y-“5(ss”.
In response, law firm partners and their IT departments need to adopt technologies and create policies that protect themselves and their clients. Security policy needs to define who has access to which resources, and clearly outline and enforce the consequences of violating that policy. It also needs to protect against threats from both the inside and the outside, with strong network security, usage monitoring, intrusion detection, and reporting that is detailed enough for someone to notice when a compromised account starts reading files it never touched before.