How to Reduce Your Law Firm’s Cyber Risk


Experts agree that cybersecurity threats present significant risks to businesses, including law firms. Clients place a great deal of trust in law firms, which have a clear duty to protect their clients’ sensitive information. While bigger targets exist, hackers have begun targeting law firms because they found them to be the weakest link.

Law firms usually have relatively weak or non-existent cyber-defense systems or protocols in place. Fortunately, mitigating risks from data breaches or ransomware requires a small number of relatively simple measures. Here are some cybersecurity best practices any law firm can put in place.

1. Use Multi-Factor Authentication

Also known as two-factor authentication, this simple procedure combines a user password with something else the user has (e.g., token, app, device, etc.) that generates a second temporary password or code to log in to an information system. It may seem cumbersome to require a password plus a second step, but it is the easiest procedure a law firm can implement to significantly improve security.

2. Never Share Logins or Passwords

Password sharing remains a common practice, even in businesses. Employees do this all the time, often just to give a coworker access to a program or to simplify login procedures from a remote location. In some cases, passwords can be found on notes sitting on employee desks or sticking to monitors.

Reusing accounts presents a similar risk. In this instance, employees continue to use the account of a departed employee to maintain access to a specific profile or to data that profile can access.

Law firms should eliminate password and login sharing, requiring their IT department to create new logins for incoming employees and delete old accounts.
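An added example (not from the original article) of how an IT department might check for the two problems described above: accounts that outlive a departed employee, and logins that appear to be shared. The roster, account directory, log format and the workstation threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: employee id -> departure date (None = still employed).
ROSTER = {"E100": None, "E101": date(2017, 3, 31), "E102": date(2017, 6, 15)}

# Constructed directory of enabled accounts: login -> owning employee id (None = no named owner).
ACCOUNTS = {"arivera": "E100", "bchen": "E101", "cokafor": "E102", "frontdesk": None}

# Constructed sign-in log in a hypothetical "timestamp login workstation" format.
AUTH_LOG = """\
2017-06-14T17:02:11 cokafor WS-07
2017-07-20T09:12:03 bchen WS-03
2017-08-01T08:55:40 arivera WS-01
2017-08-01T09:03:18 arivera WS-01
2017-08-02T08:30:00 frontdesk WS-02
2017-08-02T08:41:27 frontdesk WS-05
2017-08-02T08:44:09 frontdesk WS-09
"""


def parse_log(text):
    """Turn log lines into (datetime, login, workstation) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        stamp, login, host = parts
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), login, host))
    return events


def audit(roster, accounts, events, max_hosts_per_day=2):
    """Return sorted (login, finding) pairs for accounts that need attention."""
    last_seen = {}
    hosts_by_day = defaultdict(set)
    for when, login, host in events:
        last_seen[login] = max(when.date(), last_seen.get(login, date.min))
        hosts_by_day[(login, when.date())].add(host)

    findings = set()
    for login, owner in accounts.items():
        if owner is None or owner not in roster:
            # Nobody is individually accountable for this login.
            findings.add((login, "no-named-owner"))
        elif roster[owner] is not None:
            # Owner has left: the account should be gone. Worse if it is still in use.
            used_after = login in last_seen and last_seen[login] > roster[owner]
            findings.add((login, "used-after-departure" if used_after
                          else "not-removed-after-departure"))

    # One login on many workstations in a single day suggests a shared password.
    for (login, _day), hosts in hosts_by_day.items():
        if len(hosts) > max_hosts_per_day:
            findings.add((login, "possible-shared-login"))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in audit(ROSTER, ACCOUNTS, parse_log(AUTH_LOG)):
        print(f"{login:10} {finding}")
```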

3. Choose Better Passwords

Passwords constitute the first, and sometimes only, line of defense against cyber-attacks. Hackers today use improved technology to crack passwords, ending the days when an employee could use the same simple password forever.

Law firms should require passwords that are longer, use more diverse characters, and are changed regularly. A good password consists of at least eight characters, uses a mix of letters, numbers, and special characters, and limits repeated characters (e.g., BB).

Each system should have a unique password, and law firm employees should be encouraged to vary passwords on the different websites they access. Another good practice is to use an extremely complicated password for email accounts, which are needed to reset passwords. Password managers also exist to help manage many different accounts.

4. Update Systems

Installing updates, while often frustrating, protects an operating system from vulnerabilities. Upgrading the operating system to the current version (e.g., Windows 10 or Sierra) provides extra protection.

5. Encryption

This uses a formula to make data unreadable without a key. As long as the key is secure, the data remains safe. Several services exist that provide encryption, and the latest computers have encryption that simply needs to be enabled.

These steps are relatively easy to set up, but they transform a firm’s cybersecurity. Law firms face risks like every other business. By enacting industry best practices, a law firm reduces the dangers of an attack and gives its clients the security they expect.

Contact Us

JDL Group can help your law firm adopt the right cyber security strategy. Contact us today.


Responding to a Data Breach Best Practices

 

All organizations, private or public, depend on stored data. Companies and governments implement procedures to protect their data, especially Personally Identifiable Information (PII). Despite this, breaches continue to happen and every organization needs to prepare for this eventuality, rather than doing damage control and dealing with the fallout after a breach.

To be prepared, a breach response plan should be established, detailing which teams will take action in the event of a breach to inform affected clients, respond to the media, and block the intruder and eliminate the weakness that led to the breach. What are some of the basic elements of an incident response plan? Here are a few critical components every plan should include.

Information Inventory

Keep detailed information on what data the company collected, processed, and stored, where that information is stored, and access privileges. Prioritize the data according to sensitivity, compliance requirements, and total damage that could be done if lost. If your storage plan includes the cloud, specify where those servers are located, what protections are in place, and who has access to the data stored there.

Monitor Access/Audit

IT departments usually carry out monitoring processes, but the breach response plan should include procedures on monitoring access and completing audits. Many organizations fail to completely remove old accounts or compartmentalize data access.

Be Aware of Compliance Requirements

Healthcare and financial services information assurance are heavily monitored. Stay informed on what regulations exist that affect company data and audit the procedures regularly to ensure continued compliance with changing laws. Make sure all requirements and recommended steps are covered in a response plan.

Assess Your Legal Risks

Data breaches can lead to long, expensive class-action lawsuits. Include in a response plan a list of contracted legal agencies that specialize in breach response so a company can activate their teams immediately.

Establish a Crisis Communication Plan

This is by far the most important element of a response plan. Clear chains of communication will eliminate confusion and ensure each party knows exactly what they need to know. Any teams and assigned leaders from various departments that play a role in the internal and external communication processes should be included. If a company employs an outside agency to handle external communications (e.g., drafting/sending letters, press conferences, informing law enforcement agencies, etc.) following a breach, list it on the plan and clearly identify how that agency will be contacted.

Practice Incident Response Plans

A successful response plan relies on team members and any third-party agencies knowing their roles and being able to execute them correctly. For this to happen, incident response plans should be practiced regularly, especially communication procedures. This is especially important after an update to the response plan. Repetition helps team members internalize their roles, turning responses into automatic actions.

A successful response requires planning, attention to detail, informed team members, clear lines of communication, and constant vigilance. A response team that knows their roles, and practices the procedures, is a team that will succeed. While data breaches will remain a risk, being prepared remains the best defense, and that depends on having the right response plan in place.

Contact Us

Don’t let your data fall into the wrong hands. Contact us today.


Why Law Firms Need to Make Cybersecurity a Priority


Are Law Firms Prepared for Malware Attacks?

A majority of law firms are unprepared to defend against a cyber-attack, primarily because of financial limitations in their budgets and/or a fundamental lack of appreciation for the full scope of the risks they face. As most enterprises deploy some form of cyber-defense, hackers continue to target the weak link: law firms.

Consequences of Inaction

A breach in security damages a law firm’s reputation across the industry and triggers fiscal and compliance procedures that will hamper a firm’s ability to work. Additionally, the law firm will face legal proceedings in the event of data loss. In some cases, this can lead to bankruptcy. If the law firm survives, their customer base will flee, spreading the word to their peers to steer clear.

Moral Obligations

The confidentiality and privacy of client data and PII are paramount for any law firm. Lawyers bear the burden of preventing accidental or intentional disclosure of PII and other customer data. Many states have laid out clear guidelines for lawyers and their firms concerning customer privacy and confidentiality.

What Law Firms Can Do to Protect Themselves from Malware Attacks

Beyond prioritizing cyber-security and deploying adequate cyber-defense measures, law firms need to spread awareness throughout their organization. At a minimum, recommendations for cyber-security include:

  • Data encryption
  • Limited network and data access privileges
  • Multi-factor authentication
  • Multiple layers of data and network security
  • Data discovery and classification
  • Patching and software updates
  • Cyber security policy and compliance
  • Employee training and education in cyber security

Law firms also need to do business only with trusted vendors and have clear vendor cybersecurity procedures in place. Remember, a vendor breach threatens the law firm as well.

Law firms are irresistible targets for cyber-criminals. Hackers continue to innovate, creating new, more sophisticated, and creative methods to attack networks and steal sensitive and confidential information. In order to keep data safe, law firms must deploy a strong cybersecurity defense immediately.

Contact Us

Contact JDL Group today to learn more about protecting your law firm from cyber attacks.

 
