It shouldn’t come as a surprise that in an online world, cybercrime is on the rise. Not a week goes by without some cybercrime event in the headlines. So, we thought it would be a good idea to have some articles on cybersecurity. In this article, we will focus on cyberattacks, and more specifically on security breaches. Criminal security breaches typically happen for one of two purposes: hackers break into your system either to steal (and sell) your data, or to hold it for ransom by encrypting it with keys only they have.
Lawyers are not exempt from this risk; on the contrary. Because of all the sensitive data they store, law firms are appealing targets for hackers. A survey in the US showed that 80% of law firms have already been hacked at some stage. (The reporter writing the article suggested that the other 20% were either unaware of it, or lying about it.)
Lawyers keep a lot of sensitive information on their clients. Because of the attorney-client privilege, they have an obligation to secure and protect that privileged information, and data breaches erode the foundation of that attorney-client privilege. Data breaches can lead to fines, to lawsuits for malpractice and/or other damages, and to a loss of clientele. It is therefore important to take appropriate measures.
Now, typically, storing your information in the cloud is considered more secure and cheaper, as a) the hosting company will have all the know-how in-house, and b) the cost of security is shared, as it is spread over the different customers. But one must keep in mind that, because a cloud solution is always accessible, from anywhere, by anyone, at any time, each additional user and each additional device increases the risk of a data breach. Most security breaches in the cloud are due not to poor security on the host’s side, but to insecure devices or insecure behaviour by the users.
A recent example comes to mind. A firm in the US asked a security expert to test their security. It took him only 20 minutes to gain access to their data, with administrator privileges. How did he do it? He first looked for staff members on professional social media. Then he checked whether any of their accounts on social media or with other online service providers had ever been hacked. (You may remember, e.g., the Yahoo or LinkedIn hacks, where the data of millions of users were put online.) Within minutes he found that an administrator’s account had been hacked, and that his login credentials were available online. When he tried to use the same credentials (user ID and password) to gain access to the law firm’s data, his attempt was successful. The weak link in the otherwise fairly secure setup was that a user was still using a password he had used before in an online account that had been hacked.
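The lesson of that story is that a password which has already appeared in a public breach dump should never be accepted again, and a firm can check for that without ever sending the password itself anywhere. The following is an added example written for this article, not code from the firm or the expert it describes: it screens a candidate password against a corpus of breached-password SHA-1 hashes using the prefix/suffix ("k-anonymity") lookup that public breach-checking services use, so only the first five hex characters of the hash ever leave the client. The corpus here is a small constructed set of hashes of well-known weak passwords, standing in for a real breach aggregate; the function names are the example's own.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 hashes (upper-case hex) of a few
# well-known weak passwords plus one constructed "leaked" password. A real deployment
# would query a breach-checking service or a locally mirrored dump instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "123456", "letmein", "qwerty", "Summer2023!!"]
}


def hash_prefix_query(password: str) -> tuple[str, str]:
    """Split the SHA-1 of the password into the 5-character prefix that is sent
    to the lookup service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffixes_for_prefix(prefix: str, corpus: set[str] = BREACHED_SHA1) -> set[str]:
    """Simulate the range response: every suffix in the corpus whose hash starts
    with `prefix`. The caller compares locally, so the service never learns
    which full hash was being checked."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password: str, corpus: set[str] = BREACHED_SHA1) -> bool:
    """True if the password's hash is present in the breach corpus."""
    prefix, suffix = hash_prefix_query(password)
    return suffix in suffixes_for_prefix(prefix, corpus)


def accept_new_password(password: str, min_length: int = 12,
                        corpus: set[str] = BREACHED_SHA1) -> tuple[bool, str]:
    """Policy check to run when a user sets or changes a password: reject anything
    too short or anything already seen in a breach. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, corpus):
        return False, "appears in a known breach"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["letmein", "Summer2023!!", "correct horse battery staple"]:
        print(candidate, "->", accept_new_password(candidate))
```

In practice the same check belongs at every point where a credential is created: onboarding, password resets and self-service changes, and, for a cloud provider, the tenant's identity provider. Pairing it with multi-factor authentication means that even a credential that later leaks is not enough on its own to log in.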
One of the most common causes of data breaches is the use of insecure devices. Laptops, tablets and phones are prime targets for thieves. Yet, many lawyers still store unencrypted client data on a laptop or on a mobile device.
So, is your firm secure? What can you do to increase security? Here are some suggestions:
- Install intrusion detection and prevention systems, and enterprise-grade firewalls, not just on your servers but also on desktops and laptops. After all, gaining access to one device is enough to gain access to the information.
- Enable encryption on all devices, including on mobile devices like phones, tablets and laptops.
- Encryption should also be used for all communications between the devices.
- Separate professional and private accounts. Don’t keep client data, e.g., on a private email account.
- Only use secure servers. Can your server deny access to your data to everyone but yourself?
- Continuously back up your data to secure servers. You may also consider using a trusted third party to keep backups of your data.
- Finally, make sure you have a response team in case of a breach, and put a data loss / theft protocol in place, so everybody knows what steps must be taken, when, and by whom.