Law Technology Today From the ABA Legal Technology Resource Center
Related Articles
In 2017, the healthcare industry saw several major hacking attacks that affected the records of millions of Americans. Cyber thieves successfully gained unauthorized access to customer data with techniques as simple as sending a link in an email, costing the industry money and public trust. Law firms are just as susceptible, and recent studies warn that many firms are unprepared and sometimes even unaware they are being attacked.
According to Tech Republic, of 200 U.S. law firms surveyed, 95% had lapses in following their own security policies and none met their clients’ policy standard. Perhaps even more troubling, up to 40% weren’t aware their systems had been successfully compromised. Sometimes hackers can wait months or years to act on stolen data.
Law enforcement cannot possibly track all digital crimes, and since many companies do not have strong security measures in place, hacks can go unnoticed and unreported. That type of breach can do major damage to a company’s reputation, which law firms cannot afford.
Without hiring teams of IT security professionals to work in-house, the best way to combat the growing risk of data theft is to utilize a top-rated third-party document encryption and management system, and a document management or records retrieval company that provides top-tier security. Educating every employee on proper procedures is also very important so they can spot suspicious emails, websites and files to minimize hacker successes.
A few rules of thumb can drastically improve a law firm’s resistance to data theft, starting with proper password protocol and email security. Weak passwords have led to breaches at some of the world’s largest corporations. Passwords should be a minimum of 12 characters that use a combination of upper and lower case letters, numbers, and symbols, and should not have personal meaning to the employee.
Using names, dates, addresses, common phrases or other personal info in a password makes it much easier for hackers to figure out. If it’s easy to remember, it’s probably easy to hack! Also, keeping a complicated password written down in a locked desk drawer is a much better option than using a simple password that’s easy to remember.
Another major way hackers infiltrate computer systems is through email phishing scams and file downloads. Several major corporate hacks in recent years have relied on employees’ willingness to believe emails they receive, such as notices of required password updates or new programs that need to be downloaded. They can be made to look official and even appear to come from colleagues or friends.
Once an employee clicks on the link and enters their old password in order to update it, the hackers have access and can ransom or steal whatever information they choose. Several hospitals have seen their computer systems held hostage in this way. For new program downloads, the best practice is often to prohibit any and all downloads without the express consent of an IT manager, especially software sent through emails. A compromised file labeled “Adobe Flash,” for instance, can give hackers full access to a company’s computer systems.
Another vital security protocol is limiting employee’s access to sensitive folders and files. Only essential personnel should have regular access to certain files, with procedures in place for temporary access should a different employee occasionally need it. For instance, some law firms and companies have universal access that extends to all employees.
There is no need for a receptionist’s computer to have access to all the same sensitive documents as an attorney, and no need for all attorneys to have access to the firm’s entire database. By compartmentalizing access, any successful hacks have limited effect and can be quashed much more quickly.
All of these initiatives rely on the fundamental first step of using a secure file storage system, of which there are many professional options. Especially for law firms handling large volumes of documents and data, a few key topics should be considered before choosing a secure third-party data storage provider.
Perhaps the most important aspect of a file system is that it’s easy to use, so employees consistently use it in a safe manner and don’t have to resort to workarounds. The document management and records retrieval system should make it easier and faster to accomplish tasks, with features like search capabilities, mobile access, integration with other company software, scanning ability, and the latest encryption protocols.
Law firms can realize huge time savings from using digital data storage rather than paper, but as industries digitize their records and increasingly communicate electronically, nearly every company incurs increased opportunity for theft. A good information security program requires an in-depth defense approach which includes people, processes, and technology areas. By following the steps laid out above—employee education, limited file access, strong passwords and fast, easy-to-use third-party encrypted storage—law firms can successfully reduce risk, repel potential data theft attacks and protect their clients’ most sensitive data and documents.
