Protecting Your Practice: Tech and Security Tips for Small and Solo Firms

By Francisco Morales and Chris Michalec

The ever-evolving worlds of technology and cybersecurity present a unique set of challenges to businesses of all shapes and sizes. Security breaches are so commonplace these days that it’s no longer about “if” you will be hacked, but “when.” In an address at a major information security conference in 2012, then-FBI director Robert Mueller told the crowd: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And they are even converging into one category: companies that have been hacked and will be hacked again.” Remarks by Robert S. Mueller III at RSA Cyber Security Conference, San Francisco, CA, March 1, 2012.

Law firms are often viewed as “one-stop shops” for hackers given the enormous quantity of sensitive and confidential information stored in firms’ systems. Even more concerning, law firms in general have lagged behind in adapting to the rapid changes in technology and cybersecurity, and many law firms (big and small) have been subject to well-documented cyber attacks in the last few years. The best-known example is the Panamanian law firm and corporate service provider Mossack Fonseca: in 2016 it emerged that 11.5 million of the firm’s documents had been taken from its systems and passed to journalists by an anonymous source, the leak now known as the “Panama Papers.”

For many solo and small law firms, staying up to date on every new tool or security feature can be daunting, confusing, and, frankly, overwhelming. We have heard many a lawyer say—“I don’t do technology… I practice law.” The truth of the matter is that, in the Digital Age, law firms cannot afford to take that approach. As we move further and further into a digital world, we create more sensitive data on our computers than ever before, and data security is crucial. Ignoring cybersecurity can leave your firm with a severely damaged reputation and thousands of dollars in breach notification costs.

Security needs to be a core part of digital case management, not an afterthought. Bankruptcy practices hold copious amounts of confidential client information, including financial records and Social Security numbers. Without proper security measures, all of your digital records are at risk. Following a few key security best practices can ensure your firm protects valuable and sensitive client information and is prepared for “when” (not “if”) a security breach occurs.

Password Management and Rotation

Firms need to use strong password protection for all of their key systems. This includes practice management software, email, and document management systems. Good “password hygiene” isn’t complex, and following just a few rules is all that is needed for most firms. Treat your passwords like underwear. That means not sharing them, not leaving them on your desk, and changing them regularly. In addition to those three simple steps, use long passwords: eight characters is the bare minimum, and longer is better, because every added character multiplies the work that password-guessing software has to do. If you enter the password regularly, it can be helpful to use a passphrase made of several unrelated words. “CorrectHorseBatteryStaple” is the classic illustration of the idea: long, made of unrelated words, and easy to remember. Do not use that exact phrase, though; it comes from a widely circulated cartoon and appears in every attacker’s wordlist. Make up your own words or, better, let a password manager pick them at random. For passwords, never use any information that could be easily found out about you. This means avoiding birthdates, anniversaries, addresses, names of children and pets, and favorite sports teams. This information is usually easily discovered from social media accounts like Facebook and LinkedIn. Also, be sure to use a different password for each important system. Using the same password for your online banking and your email is convenient, but it also means that someone only needs to find that one password to get access to both systems, and passwords leaked from one breached website are routinely tried against every other site.
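To make the advice above concrete, here is an added example (our illustration, not code from the original article or from any product) that generates a random passphrase with the operating system’s cryptographic random source, shows how the strength of such a passphrase depends on the size of the list the words are drawn from, and checks a candidate password against the rules in the paragraph. The short wordlist and the personal-information tokens are constructed for the example; a real generator should use a large published list such as the EFF long wordlist.

```python
import math
import secrets

# Constructed sample wordlist, for illustration only. A real generator should draw from a
# large published list such as the EFF long wordlist (7,776 words); the strength of a
# passphrase depends on the size of the list the words were picked from.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "velvet",
    "granite", "lantern", "copper", "meadow", "ledger", "harbor",
]


def generate_passphrase(words=SAMPLE_WORDS, count=4, separator="-"):
    """Pick `count` words uniformly at random with the OS CSPRNG (the secrets module),
    never with random.choice(), whose output is predictable."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(count, wordlist_size):
    """Guessing work, in bits, for `count` words drawn uniformly from `wordlist_size` words.
    Four words from the 7,776-word EFF list give about 51.7 bits; four words from the
    12-word sample above give only about 14.3, which is why the list size matters."""
    return count * math.log2(wordlist_size)


# Published example passphrases are in every attacker's wordlist, so they are off limits.
KNOWN_EXAMPLES = {"correcthorsebatterystaple"}


def check_password(password, personal_info=(), min_length=8):
    """Apply the rules from the text; returns a list of problems (empty means it passes).
    `personal_info` is the list of easily discovered facts about the user (birth year,
    pet name, team name, ...) that must not appear in the password."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for token in personal_info:
        t = str(token).lower()
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains easily discovered personal information: {token!r}")
    squashed = "".join(ch for ch in lowered if ch.isalnum())
    if squashed in KNOWN_EXAMPLES:
        problems.append("is a published example passphrase; attackers try those first")
    return problems
```

The entropy figure is the honest measure of a random passphrase: it counts only the choice of words, not the length of the string, so “CorrectHorseBatteryStaple” typed from memory of the cartoon has essentially zero entropy, while four words you never chose yourself, drawn from a list of thousands, do not.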

Other good advice is to set a password rotation deadline for your firm. We recommend setting the rotation to 90 days, long enough that your staff will not complain about having to change passwords too often, and short enough to provide a decent layer of security. One caveat: current federal guidance (NIST Special Publication 800-63B) no longer recommends forcing routine password changes, because people respond to forced changes with predictable variations (“Winter2019!” becomes “Spring2019!”), and strong, unique passwords kept in a password manager lose little by staying put. Whatever schedule you adopt, the rule that matters most is that a password is changed immediately whenever you suspect it has been exposed, and that a departing employee’s access is removed the day they leave.

Further, about the worst thing you can do is to save all of your passwords in one unprotected document (a list in a Word file, in an Outlook note, or, worse yet, on a printed or handwritten sheet in your office). While this is very convenient, it leaves you extremely vulnerable: anyone who gets that one file or piece of paper has every account. We recommend you obtain password management software, which gives you the same convenience as a single document (one place holding every password) but keeps the list encrypted behind one strong master password and, ideally, two-factor authentication. A password manager also generates long random passwords for you, so using a different password for every system stops being a burden. There are many password managers available for pretty low prices.

Two-Factor Authentication

Two-factor authentication is an extra layer of security for your digital environment designed to ensure that you’re the only person who can access your system, even if someone knows your password. With two-factor authentication, you can easily access your system on devices you trust, like your personal computer, your smartphone, or your tablet. However, when you sign in to your system from a new device for the first time (e.g., a computer at a hotel), you’ll need to validate your identity by providing not only your password (the first authentication factor) but also a verification code (the second authentication factor), delivered to something only you hold: a code texted to your cell phone, a code generated by an authenticator app on your phone, or a tap on a hardware security key. Of these, text-message and email codes are the weakest, because phone numbers can be hijacked and mailboxes compromised; an authenticator app or a hardware key is better, and the major email and cloud providers support at least one of them. Because your password alone is no longer enough to get in, two-factor authentication dramatically improves the security of your system and of all the confidential information in it.
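The six-digit codes an authenticator app produces are not magic, and seeing how they are made clarifies what the second factor actually proves. The following is an added example (ours, not the article’s or any vendor’s code) of the standard time-based one-time password scheme (RFC 6238, built on RFC 4226): the app and the server share a secret at enrollment, and each derives the current code from that secret and the clock, so a code proves possession of the enrolled device. The shared secret below is the published RFC 6238 test secret, used so the output can be checked against the RFC; the `window` and the constant-time comparison are the server-side details that matter in practice.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then the RFC's
    "dynamic truncation" down to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the number of `step`-second periods
    since the Unix epoch, so phone and server agree as long as their clocks roughly agree."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current period and `window` periods either side to
    tolerate clock drift, and compares in constant time so response timing leaks nothing
    about the correct code. A real server must additionally remember codes it has already
    accepted within the window and refuse them a second time (replay protection)."""
    if at_time is None:
        at_time = time.time()
    period = int(at_time) // step
    accepted = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, period + delta, digits).encode()
        if hmac.compare_digest(expected, str(candidate).encode()):
            accepted = True  # keep looping so timing does not reveal which period matched
    return accepted


def new_secret_base32():
    """Enrollment: a fresh 160-bit secret, base32-encoded the way authenticator apps expect
    it (this string, or the QR code built from it, is what the user scans once)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def secret_from_base32(encoded):
    """Undo the base32 encoding, tolerating the spaces and missing padding apps display."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Shared secret from the RFC 6238 test vectors (the ASCII string "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
```

Two consequences follow from the construction. The server holds the same secret the phone does, so that secret must be stored as carefully as a password hash (encrypted, not in a spreadsheet), and anyone who can read it can mint valid codes. And a code is only as private as the channel it travels over: a phishing page that asks for the password and then the code can relay both to the real site within the thirty-second window, which is why a hardware security key, which refuses to answer a site with the wrong name, is the stronger second factor.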

Device Encryption

Another way to protect your data is by using encryption. Encryption is basically the process of making any type of data unreadable (“scrambling the data”) to anyone who does not hold the proper authorization, in the form of an “encryption key.” In other words, only you can make the data readable again, with the right key. This is particularly helpful in the event your computer is lost or stolen: you can breathe a bit easier knowing that the thief has a laptop but not your clients’ files. Two caveats: encryption protects a device that is powered off or locked, not one left running and logged in, and you must keep a copy of the recovery key somewhere other than the encrypted machine, because without it a forgotten password means the data is gone for good. For those of you on Windows 10 Pro or Enterprise, this version of Windows includes BitLocker Drive Encryption, a feature that allows you to encrypt your computer’s hard drive; Microsoft’s support documentation explains how to turn it on. Note that Windows 10 Home does not include BitLocker (some Home devices offer a simpler “Device encryption” setting, which is better than nothing), and Macs include an equivalent feature called FileVault.

Mobile Device Management

Mobile device management is a type of security software that allows a firm administrator to monitor, manage, and secure mobile devices for an entire organization. Smartphones and tablets are often the primary personal computer for your employees, but that means there is a great risk to the firm if one of these devices is lost, stolen, or hacked. Employees usually mix personal and work use on these devices, and that makes it difficult for firms to have full control. You can imagine an employee’s reaction when you tell them that you’re allowed to wipe everything on their device if it is lost or stolen. Things like their family photos would be gone too.

The solution most mobile device management services provide is a separate secure “enclave” (often called a work profile or container) for firm information. This might be just firm email, but can also include specific apps that your firm uses. This enclave is under the firm’s control, and it can be locked down or erased without touching the other items on the device. This also provides greater security, as a thief or hacker would need not just access to the mobile device but separate access into that secure enclave. Of course, the ability to wipe and disable the secure enclave is also ideal when an employee leaves the firm.

Spam and External Email Filtering

Email correspondence continues to be an Achilles heel for most law firms. A single user opening an attachment or clicking a link with a virus or other malicious code can potentially infect the entire firm’s system.

Gone are the days when spam or spoofing meant an email from a purported prince in desperate need of cash and offering a handsome reward. Such emails are easy to detect, and few users fall for them anymore. Today’s malicious email is built on social engineering and is far harder to predict and combat. For example, attackers mimic the email templates of your bank, your cell phone company, UPS, or FedEx in an effort to get you to click a link that infects your computer with malware or leads to a fake login page that captures your password. Some of these messages are extremely sophisticated and hard to distinguish from the real thing, which is exactly what lures the user into clicking.

Another tactic, a form of “spear phishing,” is to mimic a user’s email address with only one character changed: the attacker registers a look-alike of the firm’s domain that differs by a single letter, a dropped or transposed letter, or a digit that resembles a letter. The attacker then uses the fake address to email users within the firm in an effort to obtain valuable information, passwords, or money. We have heard of examples where a hacker mimics a senior partner’s email and sends staff an urgent-sounding request for sensitive client information, for a password, to wire funds to a “client,” or to buy gift cards for a “client.” The end user, thinking the real partner is emailing with an urgent request, will go to great lengths to satisfy it, not knowing that the request came from a hacker. There are many more variations of this kind of social engineering, and they can be extremely difficult to spot.

We recommend that you obtain a third-party spam filter that offers increased protection as compared to the base-level protection offered by your email provider. We particularly recommend software that lets your firm’s users know whether an email came from an internal or external source (i.e., the email header or subject line will display a message like “External Source: Proceed with Caution.”). This type of software is particularly helpful so that your firm’s users don’t fall for the social engineering emails that are extremely common these days: a message that claims to be from a partner but carries an external warning is an immediate red flag. Pair the banner with a standing office rule that any request to move money, buy gift cards, or hand over a password is confirmed by phone or in person before it is acted on, because a banner cannot flag a message sent from a colleague’s genuinely compromised mailbox.
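The two email tricks described above, a look-alike domain one character off and an external sender dressed up as an internal one, are exactly what the external-sender banner is meant to expose. The following added example (ours, not the article’s or any filtering product’s code) shows the logic such a filter applies: it parses a message, decides whether the sender is internal, external, or a look-alike of the firm’s domain, and prefixes the subject with the matching warning. The firm domain `example-law.com` and the five sample messages are constructed for the example. One simplification is labeled in the code: this version trusts the `From:` header, whereas a real gateway treats a sender as internal only after the message passes SPF/DKIM/DMARC checks, because the header itself can be forged.

```python
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"   # hypothetical firm domain (assumption for the example)
EXTERNAL_TAG = "[EXTERNAL] "
LOOKALIKE_TAG = "[CAUTION: LOOK-ALIKE SENDER] "

# Digit/letter swaps that read alike in most fonts; "rn" posing as "m" is handled separately.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s", "3": "e"})


def normalize_domain(domain):
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def osa_distance(a, b):
    """Optimal string alignment distance: one edit is an insertion, deletion, substitution,
    or swap of two adjacent characters. "One character off" means a distance of 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def domain_of(header_value):
    """Domain part of the address in a From:/Reply-To: header ("" if the header is absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def classify_sender(msg, firm_domain=FIRM_DOMAIN):
    # Simplification: trusts the From: header. A production gateway only calls a message
    # "internal" after SPF/DKIM/DMARC alignment passes, since From: is trivially forged.
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    if from_domain == firm_domain and reply_domain == firm_domain:
        return "internal"
    if from_domain == firm_domain:
        return "lookalike"   # claims to be internal, but a reply would leave the firm
    if osa_distance(normalize_domain(from_domain), normalize_domain(firm_domain)) <= 1:
        return "lookalike"   # one character off, or a digit standing in for a letter
    return "external"


def tag_message(raw):
    """Parse a raw message, classify it, and prefix the subject with the matching banner.
    Returns (category, subject as the user will now see it)."""
    msg = email.message_from_string(raw, policy=policy.default)
    category = classify_sender(msg)
    tag = {"internal": "", "external": EXTERNAL_TAG, "lookalike": LOOKALIKE_TAG}[category]
    subject = str(msg.get("Subject", ""))
    if tag and not subject.startswith(tag):
        subject = tag + subject
        if "Subject" in msg:
            msg.replace_header("Subject", subject)
        else:
            msg["Subject"] = subject
    return category, subject


# Constructed sample messages (not real correspondence).
SAMPLES = {
    "internal": ("From: Jane Partner <jane@example-law.com>\n"
                 "To: staff@example-law.com\nSubject: Hearing tomorrow\n\nSee attached.\n"),
    "one_char_off": ("From: Jane Partner <jane@exmaple-law.com>\n"
                     "To: staff@example-law.com\nSubject: Urgent wire\n\nWire $25,000 today.\n"),
    "digit_swap": ("From: Jane Partner <jane@examp1e-law.com>\n"
                   "To: staff@example-law.com\nSubject: Gift cards\n\nBuy 10 cards, send codes.\n"),
    "reply_to": ("From: Jane Partner <jane@example-law.com>\nReply-To: jane.p@mail.example\n"
                 "To: staff@example-law.com\nSubject: Client file\n\nSend me the Smith SSNs.\n"),
    "external": ("From: Package Alerts <noreply@parcel-notify.example>\n"
                 "To: staff@example-law.com\nSubject: Delivery on hold\n\nClick to release.\n"),
}
```

The `Reply-To` check catches a variant the paragraph above does not mention: a message whose `From:` looks perfectly internal but whose replies are silently routed to an outside mailbox. It is also the clearest illustration of the filter’s limit, since a partner whose real mailbox has been taken over sends mail that passes every one of these checks.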

Spam filtering doesn’t negate the need for consistent employee security awareness training, but it takes a good amount of risk out.

Data Access

The principle of limited access is also key to maintaining the security of your digital files. Limited access means only granting the most basic set of permissions that someone needs to do their job. If everyone has full access, meaning they can read, write, and delete information, then it is easy for an employee, or an outside hacker who has gotten an employee’s login information, to take, change, and delete information. If you have a larger firm with multiple practice areas, you wouldn’t give a paralegal in the estates & trusts section access to bankruptcy section files, unless they also worked with attorneys in that practice area. And, if someone doesn’t need permission to delete or modify files, then give them read-only access. Using groups to stay organized with your access permissions is key here, as otherwise it will turn into a long list of employees with different access permissions. Smaller firms might have just two groups, attorneys and paralegals. Remember that you can always start a group with the limited access you think it needs and raise it later; taking access away after the fact is much harder. Review who belongs to which group whenever someone changes roles or leaves the firm.

Whenever possible, put an auditing system in place that tracks who creates, changes, and deletes files. Most document management systems provide this functionality, but it needs to be configured properly, and the audit log itself should be stored where the people it tracks cannot edit or erase it. With auditing in place, you can go back and see who created, changed, or deleted a specific digital record. It isn’t a security panacea, but it can be an important tool in protecting the confidentiality of your information.

Data Backup

Backups are a must, and don’t rely on a single backup. At least one encrypted offsite backup and one local backup are the minimum. The offsite backup is kept in case something happens to the local backup at your office, such as fire, theft, or a ransomware infection that encrypts everything the office network can reach; for that last reason, at least one copy should be disconnected from the network or stored where it cannot be altered from the office. The local backup provides a quick restore of information if files are deleted or damaged. Test your backups regularly by actually restoring files and checking them, because too often you’ll find out your backup wasn’t working properly only when it is too late to do anything about it.
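“Test your backups” is easy to say and rarely done, because a backup that silently produces damaged files looks fine until you need it. The following added example (ours, not the article’s or any backup product’s code) shows the minimum a test should do: record a fingerprint (SHA-256) of every file at backup time, store that manifest with the backup, restore into a scratch location, and compare the restored files against the manifest. The client files are constructed sample data, and the “backup” is a plain copy to a temporary folder standing in for whatever your backup tool and offsite destination actually are.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path):
    """Fingerprint a file without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative path) to its SHA-256. Save this with the backup;
    it is the list of what the backup is supposed to contain."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored):
    """Compare a restored tree against the manifest. An empty list means the restore is
    complete and intact; otherwise each entry names a missing or corrupted file."""
    restored = Path(restored)
    problems = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"corrupted: {rel}")
    return sorted(problems)


def backup_and_restore_test(source, backup, restore_to):
    """One full cycle: fingerprint, back up, restore into a scratch folder (never over the
    live files), and verify the restored copy against the saved manifest."""
    manifest = build_manifest(source)
    shutil.copytree(source, backup, dirs_exist_ok=True)
    Path(backup, "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    shutil.copytree(backup, restore_to, dirs_exist_ok=True)
    saved = json.loads(Path(restore_to, "MANIFEST.json").read_text())
    return verify_restore(saved, restore_to)


def demo():
    """Constructed client files. Returns (problems with a good backup, problems found after
    the backup copy has been silently damaged), so both outcomes can be seen."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "client-files"
        (source / "matters").mkdir(parents=True)
        (source / "matters" / "schedules.txt").write_text("Schedule A: constructed sample\n")
        (source / "petition.txt").write_text("Chapter 7 petition: constructed sample\n")

        clean = backup_and_restore_test(source, tmp / "backup", tmp / "restore-test-1")

        # Simulate a backup that "worked" but is bad: one file truncated, one file dropped.
        (tmp / "backup" / "petition.txt").write_text("")
        shutil.copytree(tmp / "backup", tmp / "restore-test-2")
        (tmp / "restore-test-2" / "matters" / "schedules.txt").unlink()
        saved = json.loads((tmp / "restore-test-2" / "MANIFEST.json").read_text())
        bad = verify_restore(saved, tmp / "restore-test-2")
        return clean, bad
```

Run the same verification against the offsite copy after it has been decrypted, on a schedule, and treat any non-empty result as an incident to investigate that day rather than a nuisance. The manifest is also what lets you prove, after a ransomware event, which files were restored byte-for-byte and which were not.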

Francisco Morales is a partner at Waldrep LLP, a boutique law firm in Winston-Salem specializing in business insolvency, commercial bankruptcy, and healthcare transactions. 

Chris Michalec is the founder of Parkway Tech, an IT services company in Winston-Salem serving small and mid-size law firms throughout the Southeast.