Law firms are just as likely, if not more likely, to face a cyber-attack due to the confidential nature of their business. Teaching lawyers and other staff the basics of cybersecurity will do much to protect the company, but, increasingly, automated services can provide protection as more legal business is done in the cloud.
Gone are the days (almost) of faxes and envelopes containing weighty contracts and other legal documents. Most firms require cutting-edge business efficiency with digitally signed documents winging their way around the internet in seconds to clients. These documents are increasingly created by automated services, with lawyers providing oversight and their critical knowledge as the pace of law continues to pick up.
As most law firms slowly adopt cloud services, for everything from accounting to document and case management, they are required at both compliance and business-peace-of-mind levels to ensure that data is protected at every step. The American Bar Association’s latest cloud computing survey asks and answers the question on many law firms’ minds, “Is the cloud secure enough for law firms? With so much prominence placed on data security, cloud-based software can be a powerful way to get your firm in order.”
1 Humans are still the weakest link
As ever, security starts with people. Lawyers, legal secretaries, and all other staff must be taught from day one to be suspicious of rush requests for financial information, email attachments, even phone calls that could be from a “senior partner”, but might be part of a criminal scam.
Technology does help, with firewalls and malware scanners checking each and every email or file, but solid training during onboarding, and ensuring staff only have access to appropriate information stores, will help protect the business. Also, removing all privileges when interns, paralegals, and other staff change departments or leave will protect the business from insider and disgruntled leaver attacks or abuse of power.
2 Build in strong access protection
Firms should already be asking staff to use passphrases instead of passwords, and update them every few months to minimise the risk of a password-based breach. Even though we are all encouraged not to, most people still use only a few passwords. So, one breach of a shopping website where an employee used a company email address to buy office supplies can easily become a hacker’s way into the business.
Improving security through two-factor authentication (2FA) and other means will also help when lawyers are working from home or traveling, with their business mobile device providing a secondary layer of security, either through an SMS message or using apps like Authenticator.
3 Encryption across the business
Local encryption on servers is a common way for legal operations to protect documents at the file level. This allows only recipients with the key (sent separately) to read the document. However, as files increasingly move between multiple applications and services, data needs to be encrypted across networks and clouds.
To ensure compliance with local and international storage rules, law firms must increase their security, as email, VPNs, and other methods all have some weak points. Using end-to-end encryption ensures secure file storage and sharing across networks, but the firm’s IT team needs to understand the layers and levels of encryption across their clouds.
For example, “Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.” But that doesn’t mean your data is safe if it leaves Google’s cloud.
4 Load balancers are the multitool for the cloud
Larger firms have many cloud servers and services in operation. Load balancers originally shared those resources fairly among users, but have evolved to become smarter tools, providing application security features, often including pre-authorization and single sign-on, web application firewalls and advanced traffic management as part of the service to protect legal data.
5 Firewalls everywhere
Firewalls and antivirus or malware tools remain the stalwart of all business security efforts, but are more flexible in their cloud forms, and often a part of other solutions (see load balancers). But it is easy, especially for firms without extensive IT resources, to think that one firewall does it all.
However, office firewalls (be they software or hardware) only protect incoming data, deciding if it is safe or not. Methods include packet filtering, a rules-based approach or using proxy servers and application gateways to allow or block certain types of data. Cloud and web application firewalls do a similar job but protect legal documents and services outside the business, protecting web apps by blocking malicious internet traffic traveling to the application, as well as preventing unauthorized data from leaving the app through policy-based tools. Increasingly automated, firewalls do an endless job protecting law firms.
6 The power of automated compliance
Compliance is a dominant mantra across legal and regulated industries, so it comes as no surprise that many cloud services offer automated compliance monitoring. Firms have to do little more than select which legislative regimes they fall under, and the compliance tools check services and documents, bringing any issues to the attention of managers.
A layered defence is the best way to protect your law firm and its legal documents or services, using most or all of the tools at your disposal.