IT Security of the Law Office
“We’re small, nobody will want to hack us.”
The reality is, one in five small businesses falls victim to cybercrime each year, and fully half of all cyberattacks are aimed at small to medium-sized businesses.1 Many small businesses are seen by Internet criminals as low-hanging fruit because they typically have loose security controls in place. Reporting of these attacks is low, as many businesses don’t know they have been breached or don’t report it for reputational reasons. Who wants to tell their clients, “So all of your attorney-client confidential data I have has been compromised and may be available to anyone, including your competitors”?
The State Bar of California has taken a black and white stance on the subject. The duty of confidentiality is phrased in the strongest terms in a statute imposing an obligation on each lawyer “[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.” The California Rule of Professional Conduct establishing the duty of confidentiality refers to this statute: “A member shall not reveal information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1) without the informed consent of the client,” except to prevent a criminal act resulting in death or substantial bodily harm.2
The fact is that 82,000 new malware threats are being released per day.3 A simple firewall and anti-virus are not enough these days. The following is a review of four systems that every firm should have in place as a starting point for good security.
Security System #1: Complex Password Policy
Many firms have no password policy at all, thinking it is a pain to introduce/manage and will hinder their partners and staff. Without strong passwords that change on a regular basis, it is not a matter of if, but when, your system will be compromised. Having a complex password policy is the first line of defense when it comes to protecting your firm network, and most importantly, your client data. Here are a few guidelines when constructing a password policy:
- Use long passwords. You should have passwords that are at least eight characters in length. Longer passwords help combat random password cracking tools in use by hackers.
- Use “complex” passwords. Use a combination of three out of the four following character sets: uppercase letters, lowercase letters, numbers and symbols (!, #, $, etc.). These add complexity and make passwords much more difficult to guess or crack.
- Change passwords every 90 days or so. This helps lessen the effectiveness of some password attacks.
- Do not use the same password for all of your websites, computers, phones, etc. This prevents one password compromise from opening up all of your other systems and accounts.
- Enable account lockout after a certain number of bad passwords. This stops “brute force” password guessing software.
One of the best ways to manage the multitude of passwords is to use a password manager such as LastPass (free) or 1Password (purchase) to manage many passwords to multiple websites with only one master password.
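The guidelines above can be turned into a mechanical check. The following Python is an added example, not code from the original article: it enforces the eight-character minimum and the “three of four character sets” rule, and it models the account lockout counter. The lockout threshold of five bad attempts is a constructed value, since the article leaves the exact number to the firm.

```python
import string

# Character classes named in the policy: uppercase, lowercase, numbers, symbols
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 8          # "at least eight characters in length"
MIN_CLASSES = 3         # "three out of the four" character sets
LOCKOUT_THRESHOLD = 5   # constructed value; the article does not fix a number


def classes_present(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = classes_present(password)
    if len(found) < MIN_CLASSES:
        missing = ", ".join(sorted(set(CLASSES) - found))
        problems.append(f"uses only {len(found)} of 4 character sets (missing: {missing})")
    return problems


class LockoutTracker:
    """Count failed logins per account and lock the account once the threshold is hit."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = {}

    def record_failure(self, account: str) -> bool:
        """Record one bad password; return True if the account is now locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login on an unlocked account clears its failure count."""
        if not self.is_locked(account):
            self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.threshold
```

A locked account stays locked until an administrator clears it, which is the point of the control: brute-force guessing software gets a handful of tries, not thousands.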
Security System #2: Automatic Whole System Backup
Having a rock-solid backup helps mitigate many security problems as well as several other IT issues. Backups are often not set up properly, not monitored, not the right type of backup, and not tested to make sure you can restore from them if need be. Here are some key points to remember when evaluating your current or future backup solution:
- Choose a solution that takes a “snapshot” of the entire system, not just some of the files and folders. This is important and will greatly decrease the time it takes to recover a server or a PC. Also, some solutions will not automatically add new folders that you create, so you could be missing data that should be backed up.
- Have a 100 percent automated solution. Many backup solutions rely on the user to change out a tape or external hard drive, or to insert a USB key or DVD. Anything that relies on people to perform some of the activities has a much higher rate of failure.
- Keep a copy of your data both locally as well as in the cloud. A local copy of the data is key for fast data recovery and a copy in the cloud is important to combat against machine failure, theft, loss and disaster.
- Have alerts sent to you or your IT team/provider to warn you or them when backups fail.
- Test your backups. This is critical and should be done at least quarterly. This will make sure that the backup system is actually working and your data is recoverable.
Security System #3: Patch Management Program
Most people have heard of computer patches and understand that patching needs to be done. Turning on automatic patching and leaving it there is not enough. You should require your IT team/provider to manage the patching of your firm network including all of its servers, PCs and laptops. This should include Macintosh computers as well. A recent study indicates that up to 85 percent of targeted attacks are preventable.4 A good patch management program includes:
- The ability to manually approve patches by the IT team/provider. Setting software patches to “automatically install” can really come back to haunt you during the three to four times per year Microsoft releases a patch that breaks something else or locks you out of your system.
- Patching more than just Windows and Apple OS. It should patch other major applications such as Adobe Acrobat/Reader, Flash, Java and Internet browsers such as Firefox and Chrome.
- The ability to report on the efficacy of the patching system. You should look for 90 percent or more in your ability to keep your systems up to date.
Security System #4: User Security Awareness Training
“Companies looking to protect themselves from cyberattacks need to look at the weakest link in the chain: employees. Humans are trusting in nature and that lends itself to exploitation from malicious agents. Employee training is key to plugging the weakest gap in security. Education around secure passwords, safe web use, and social engineering/phishing prevention are a great place to start.”5
Security awareness training is designed to help people become aware of common threats facing the firm as well as to be aware of and adhere to its security policies. This type of training is one of the most important steps in preventing security incidents and compromises. The training should cover:
- How to be safe on the Internet while browsing.
- How to detect and avoid fraudulent or malicious email.
- Safe remote access to firm data from public locations.
- Appropriate social media use.
- The firm’s acceptable use policy.
- Safe wireless use outside of the office.
- How to prevent social engineering.
Effective security is multilayered in its approach. There are other controls not mentioned above that should also be in place. You are now armed with information to begin a conversation with your IT team/provider today to start on the road to becoming more secure.
2. Bus. & Prof. Code § 6068(e)(1) and Cal. Rules of Prof. Conduct 3-100(A).
5. Jordan, David (October 2015). You Can’t Get Unhacked. Fast Company Magazine.