This article was originally published on LawFuel.com on May 29, 2019.
by Josh Taylor
According to an American Bar Association survey, only 42 percent of firms reported taking action to increase their digital security measures in the previous year.
Even more concerning: 27 percent said they did so to better protect client or contract data security. For a group of professionals often entrenched in weighing risks for their clients, why are lawyers so seemingly unconcerned about their own exposure — especially when the consequences can be devastating?
The recent Exactis data leak is a classic case study in what happens when a small business doesn’t take security seriously enough. While the breach transpired due to a combination of technical errors and pure accident, the company still exposed the personal information of more than 230 million people and 110 million businesses.
The moral of the story: Small businesses can expose just as much sensitive data as the biggest enterprises, and in an age where smaller operations handle far more data than ever, the risks keep growing.
For law firms, these risks can be even higher. Not only are firms handling clients’ personal details, but they also store sensitive business information, including proprietary data, financial details and confidential deals. A leak or breach can lead to an exodus of clients, an IT nightmare, financial stress and regulatory fines.
To avoid these consequences, law firms need to be more proactive about their security, and doing so doesn’t have to be a complicated process. There are simple changes and low-hanging fruit small firms can tackle in order to increase data security. Firms looking to make these changes should follow these principles:
Security is people-first.
People can often prove to be the biggest data security risk for small businesses. While larger firms are more likely targets of sophisticated hacking operations, smaller firms can fall prey to ransomware and phishing scams that rely on human error.
Regular training is essential to avoid employees ending up as the source of a data breach. Keep staff up-to-date on the latest ways to protect themselves against email schemes and malicious apps that can compromise data. Prepare a mechanism to distribute information in the case of a major vulnerability so all employees can take action early. While small firms may be wary of the time and cost to offer training, doing so pays dividends if even one breach is prevented.
Weak tech is weak protection.
Law has a reputation as being slow to adapt to digital transformation. Small law offices might contain machines running inconsistent operating systems, software that needs updates and even unsecured Wi-Fi networks. Fortunately, these major vulnerabilities are also simple to fix. Getting employees on a regular schedule of hardware and software updates is an easy way to patch weaknesses, as is frequently changing Wi-Fi credentials.
Smaller firms should also be particular about passwords. As elementary as it may seem, one weak password can be the key to your entire database of client information. Keep access credentials for the most sensitive data limited to essential personnel, change passwords frequently and consider deploying a password manager for all employees.
Don’t overlook physical security.
Digital data security can be a nebulous concept. Where is the data exactly? Where are attacks coming from? These security questions aren’t nearly as difficult in the physical world, yet firms often fail to protect their physical assets.
For one, it is a misconception that on-premise servers make data safer. Yes, you can touch and see your infrastructure, but this doesn’t mean it is more secure. Think of it this way — a pair of burglars can do a lot of damage to tech assets when breaking into a small law office. But if firm data is instead housed and backed up in the cloud, the risk is much lower.
Small firms should consider cloud migration if they have not already, and if they have reservations about the cloud, they should get over them fast. The cloud is not some ethereal insecure storage place; it is quite literally the most security money can buy (and cloud companies like Amazon have plenty of that to ensure it stays secure).
Additionally, while digital documents are increasingly pervasive, small law firms know a lot of legal work still is completed on paper. Carelessness with paper documents, including items left in plain view or even accidentally captured in the background of social media photos, is a major security red flag for any law firm. Paper may be rapidly disappearing in business, but that doesn’t mean it can’t expose just as much information as an Excel sheet.
Data breaches at small firms can still have a big impact. In order to protect themselves, firms must commit to basic changes and improvements to technology processes and ensure everyone within the firm is on board with security best practices.