Data security is important to law firms for obvious reasons. In the wake of the “Heartbleed Bug,” I’ve received several emails asking how law firms can ensure their data is secure. It’s a good time to write an article on the subject.
The Heartbleed Bug impacted roughly 66 percent of the internet and may be the largest web security problem ever[i]. You’re likely more impacted by it than you realize. For example – do you host your email with GoDaddy? There are many attorneys who do. GoDaddy was impacted by Heartbleed. If you haven’t changed all passwords associated with your GoDaddy account and email then you are vulnerable. Cnet recently published a list of companies impacted by Heartbleed and whether it is time to change your password with each company. I suggest you read the Cnet article. Let’s look at four ways for attorneys to secure their firm’s data.
Data security has historically been a problem for attorneys
Firms have been concerned with data security for as long as there have been lawyers. If you practiced in the 1700’s you ended the day by taking off your barrister’s wig, putting away your quill pen, and locking your documents in a file drawer. That lock served as a form of data security. Today’s attorney needs to be careful of how their data is secured online. Attorneys handle sensitive and valuable information. There are plenty of people out there trying to get your data and they look like this:
The bad news is that attorneys are behind the times with regard to security. They are not only vulnerable but, in fact, are much more vulnerable than they realize. Many attorneys’ data is about as secure as this fence:
Following the steps I’m about to give will make your data more secure. In other words, when the shifty characters come-a-hackin’ they’ll feel like they’ve run into this guy:
Lawyers can make information more secure by moving it to the cloud
Many lawyers I’ve talked to reference “security” as the reason why they don’t use more cloud services. Here’s a news flash – the cloud is MORE secure than your office’s server! In your office you have two main types of security threats. One is the risk of employees downloading viruses, malware, key loggers, etc. that will corrupt or steal your information. How many law offices do you know that claim to have had problems with viruses? I know quite a few. The second is the risk of employees giving out passwords or other sensitive information in response to phishing scams (such as when someone gets a phony email, claiming to be from a service provider, asking to reset a password and the employee enters the information). Migrating data to the cloud eliminates the first of these threats.
When you move your information onto web servers you greatly reduce the risk of local viruses corrupting or stealing your data. The system security relevant to that information is now taking place at cloud level. I use Gmail as my email provider. If I were to get a virus on my machine it can’t corrupt my Gmail data in the way it could the local data files associated with a program like Outlook. One problem solved.
I understand the logic behind many attorneys thinking “what if the cloud service gets hacked?” This is a valid point as there have been plenty of high-profile hacks the last few years. There are two flaws with this “anti-cloud” argument. First, you’re more likely to have local security issues, such as malware, than a cloud service is to be hacked. Second, the server in your office can be hacked as well and I’ll bet it’s not as secure as those run by companies like Google and Amazon. The truth is that the “cloud” is a safer place for your data. Now, here are four tricks for securing that cloud data.
Lawyers should use SpiderOak for document syncing
Replacing that virus-collecting, ever-crashing, money-wasting office server where you store your documents is huge. Migrating to a cloud syncing solution eliminates headaches (no more server crashes) and makes you more secure. We’re all familiar with syncing services such as Dropbox. The best option for lawyers, however, is the syncing service provided by SpiderOak. Unlike other companies, SpiderOak encrypts data on your computer before it is uploaded to the company’s server. This means that your documents are stored in encrypted form and they couldn’t be accessed even if someone hacked the company. They also can’t be accessed by SpiderOak. Furthermore, the company never saves your password so you don’t have to worry about that information ever falling into the wrong hands. Here’s a video on the company’s security guarantee.
Plus this service supports two-factor authentication (discussed below). SpiderOak and two-factor security is like chocolate and peanut butter for those who want their data secure.
Attorneys should consider a password manager such as Lastpass or Keepass
Do you use the same password repeatedly for different websites? Many people do. When that password gets compromised then the people obtaining it can access many of your services. Password managers will generate a random password for each site you login to and remember them for you. Lastpass is a great service for this. While I personally prefer Keepass, as being even more secure, it can be a bit cumbersome for non-techie attorneys. You may want to give Lastpass a go.
Enabling two-factor authentication will improve a law firm’s security
Two-factor authentication means an account can’t be accessed even if someone has the password. If two-factor authentication is enabled then someone trying to access your account must have a random code that is sent to your cell phone after they enter your password. The code is only good for about 45 seconds before they would need a new one. In other words, someone cannot access an account unless they have your password AND they’ve stolen your cell phone. Services supporting this measure include Google, Lastpass, Apple, Facebook, Twitter, SpiderOak, Dropbox, Evernote, Paypal, Microsoft accounts, Yahoo, LinkedIn, WordPress, GoDaddy and quite a few more.
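The code check described above, seen from the service's side, as an added example (not code from any provider named in this article). The 45-second lifetime comes from the text; the six-digit format, the three-guess limit and the in-memory store are assumptions, and sending the code to the phone is left out.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 45   # the article's "about 45 seconds"
MAX_ATTEMPTS = 3        # assumption: discard the code after three wrong guesses

class SecondFactor:
    """Issues and checks one-time login codes for the second login step."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Call only after the password check passed; returns the code to send."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.random()
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return "no-code"
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return "expired"
        # Constant-time comparison; bytes so any submitted text is accepted.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]  # single use: replaying the code fails
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]  # stops brute-forcing the 10^6 code space
            return "locked"
        return "wrong"

def demo():
    """Replay, expiry and guessing against a fake clock (constructed scenario)."""
    now = [0.0]
    sf = SecondFactor(clock=lambda: now[0])
    code = sf.issue("alice")
    out = [sf.verify("alice", code), sf.verify("alice", code)]  # use, then replay
    code = sf.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    out.append(sf.verify("alice", code))                        # too late
    code = sf.issue("alice")
    guess = "000000" if code != "000000" else "111111"
    out += [sf.verify("alice", guess) for _ in range(MAX_ATTEMPTS)]
    return out
```

The short lifetime, single use and guess limit together are what make a six-digit code workable as a second factor: each one closes a different route (late use, replay, guessing) to logging in with a stolen password alone.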
Following these four steps – moving to the cloud, storing documents with SpiderOak, using a password manager, and enabling two-factor authentication – will improve your security. It will be like you’re practicing law inside of this place:
What are your thoughts on moving to the cloud? Please chime in through the comment form below.
[i] Critical Security bug “Heartbleed” hits up to 66 percent of the internet – accessed at: http://www.huffingtonpost.com/2014/04/08/heartbleed-66-percent_n_5112793.html