The digital age is not just upon us, it is here in full force. Cybersecurity is an issue that must stay top of mind as data breaches can affect any industry at any time. A recent study from the American Bar Association shows that one in every four law firms is a victim of a data breach, with those numbers steadily increasing. Since 2016, ABA has found that there has been an 8% increase in the number of respondents reporting that their firms had experienced a security breach at some point.
It’s no longer a matter of “if” a breach will happen, but rather “when” it will happen. Even back in 2012, while addressing the audience at a major information security conference, then-FBI director Robert Mueller put it this way: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Why are Law Firms a Target?
Law firms have been and continue to be attractive targets for two main reasons: (1) they obtain, store and use highly sensitive information about their clients and (2) the information they possess may be wanted by cybercriminals for financial gain, political agendas, insider trading, personal health information or secret material that is potentially valuable to an individual or larger entity. Understanding the different kinds of information your firm is in possession of and how you treat that data could determine the outcome of a case as well as the future health of your firm.
What are Some Firms Doing to Protect Themselves and Their Clients’ Data?
Although lawyers have an ethical obligation to preserve the confidentiality of client information, the question remains: are they doing enough? A sound cybersecurity program includes three primary parts: prevention, detection, and corrective systems. The program should address people, policies and procedures, and all technology.
Here are several things to consider as you assess your security threat risk:
Define Responsibility for Security
Many large law firms have a dedicated full-time Chief Information Security Officer on staff; however, that isn’t always within budget or available for smaller firms. Regardless of a firm’s size, an individual or individuals should be designated as responsible for coordinating security.
Authentication and Access Control
Using a password on all devices should be considered the first line of defense. In the ABA 2018 Tech Report on Cybersecurity, 98% of respondents report using a password on their laptop and 92% report using authentication on their smartphones. While this may suggest that all firms use authentication protection on their devices, that isn’t necessarily the case. Some smaller firms are not mandated by security controls and thus do not have authentication security measures in place.
Protecting data being stored or transmitted on computers, laptops, smartphones, tablets, and portable devices is a strong security measure; however, it is not yet a common practice. Only about 24% overall report using full-drive encryption and about 46% overall use file encryption (those numbers go up as firm size increases). These seem like very low numbers when considering how easy encryption can be. Encryption is automatically enabled in almost all smartphones to protect against stolen or lost devices, so many attorneys who use smartphones don’t even have to think about it. However, email encryption depends on the email provider. Commercial email services offer easy-to-use and inexpensive email encryption services, yet only 29% of respondents reported that they use encryption of email for confidential/privileged communications/documents sent to clients (these numbers go up as firm size increases).1
The most common security tool is the spam filter, which is reportedly used by 87% of the ABA respondents.1 Other tools included anti-spyware, firewall software, pop-up blockers, desktop and laptop virus scanners, email virus scanners, mandatory passwords, network virus scanning, and hardware firewalls. Digital tools aren’t the only security measures being taken, however. Securing physical access is another way law firms are helping to protect the hardware located onsite. The use of key fobs, secure building access, locked server rooms, computer locks, security alarms, and surveillance cameras are a few of the ways some firms are expanding their overall protection.
Security Assessments and Education
If you’ve gotten here and checked most of the boxes above, congratulations. There are, however, a couple of additional items that firms unintentionally forget to consider. Most companies have a cybersecurity response plan, but surprisingly few actually test their programs. When a real breach occurs, they are left feeling unprepared. Ensuring that your firm has a comprehensive security assessment and education program for attorneys and staff is as important as digital tools and other cyber-defense systems.
Work with a Secure Vendor
We’ve all heard of firms having a breach due to external factors such as using an outside vendor who is not fully protected. Ensure your privacy by engaging a retrieval partner who is trusted on both sides of the courtroom. When you select a retrieval vendor like T-Scan, you’re building operational integrity by installing a trusted partner who can keep your data safe and can scale with your demand. T-Scan helps firms enhance access to records while guarding against modern information technology threats by storing records in the T-Scan document repository.
How Does Your Firm Compare?
Some attorneys and law firms mistakenly believe that a security breach won’t happen to them. With the rise in attacks and the accessibility of reliable forms of security, it should be a no-brainer to all companies that they need to implement some level of security practices. Taking the necessary steps to safeguard your clients’ data and your practice should be common practice. To learn more about what you can do to protect yourself, contact T-Scan today.