I decided to write a quick post on security after the recent news of a hack on Apple’s iOS app store. I’ve previously written on three ways with which law firms can improve cyber security. I do have to say that the extent, in my humble opinion, to which attorneys (in general) are neglectful of security is mind-boggling. The interesting thing is that each attorney I meet thinks they’re doing a good job in this area. I just counted, on one hand, the number of lawyers I’ve met who have good policies. Here’s what that count looks like:

Hand with number zeroI’ve also recently read quite a few articles that deal with law firm security. The first problem with those articles is that they talk about “encouraging a culture of security” and provide little to no specifics. The second problem with those articles is that, at many law firms, the policies are so bad that the discussion should be about basic fixes. With all this being said, here are a few steps to make your firm more secure.

Attorneys benefit from using a password manager

One of the biggest problems plaguing law firms (and society in general for that matter) is the constant re-using of passwords for multiple sites and services. It’s imperative that passwords be random and that each site/service you use have a unique pass phrase. The best way to obtain this is to use a password manager such as LastPass. This service will generate a unique phrase for each site and, in the event one site is hacked, protect a data breach from spreading. The only password you need to remember is the one you use for LastPass itself. Make this phrase something secure and use the service’s two-factor authentication – which leads us to my next point.

Law firms will be secure by employing two-factor authentication

Do you have two-factor authentication turned on at all available services which support it? Shame on you if you don’t. If you’re unfamiliar with the tool then think of it as a second level of security. When you go to log into a service you’ll receive a security code on your phone (which is only good for a brief period of time) and you have to enter the code to complete the log in. In other words, even if someone gains access to your password then they will likely need to have your cell phone to complete a login. Two-factor authentication is supported by many major vendors. Here’s an example of a few:

  • Google (i.e. Gmail, etc.)
  • Microsoft (i.e. Outlook.com, etc.)
  • Evernote
  • Dropbox
  • LastPass
  • Twitter
  • Facebook
  • GoDaddy
  • Many major banks

And there are plenty more. You should figure out all vendors you are using, who support this feature, and get it turned on immediately.

Attorneys err by not keeping ALL software up to date

This one is simple. Keep ALL software in your office up to date. This includes your computer’s operating system as well as that on your smartphone or tablet. Many attorneys err in thinking that computer security is the only thing to worry about. Well….I hate to break it to you….but that’s not the case. The days of smartphones not being a security target are over – they are now heavily targeted by this guy:

Computer hacker wearing a white mask

Get all your software up to the newest version and make sure you’re staying up to date. I’ve dealt with attorneys who don’t run updates, or restart their machines, because they don’t want to lose the few minutes it takes to do so. Well these people are losing hours of productivity once they start having IT problems.

Are you doing all of the above (using a password manager, using two-factor authentication, and keeping your software up to date)? If so then congratulations. That means you are doing the absolute bear minimum to maintain a base level of security. Yes….I mean that….the above is only the beginning of being secure. If you want to be truly secure then ask yourself the following:

  • If you use a wireless router – when’s the last time you updated the firmware (the software on the router itself)?
  • Also as to wireless routers – do you have MAC filtering enabled and a “guest” login so that you’re not giving out the password to people who you allow to log on?
  • Have you disabled third-party cookies on your browser so that hackers will have a harder time tracking your web activity (Firefox, Chrome, and Edge all support this feature).
  • Do you have office policies in place regarding suspicious emails?

When you can answer all of the above let me know – you will then have achieved what I consider to be a “medium” level of security.

Why do you feel so many attorneys fail to pay attention to cyber security? Chime in through the comment form below.