Software solutions for your law practice: keeping your guard up
I will assume that you already know that cybersecurity matters. If not, google cybersecurity breach statistics and ponder that your industry is notorious for being behind the tech curve. Failing that, you should hang your hat on ABA Model Rule 1.1, Comment 8. If you are still not convinced, you are not the target audience for this post, and, weirdly, you are still reading.
This is for lawyers who know they need to do something about cybersecurity but do not know how to start.
We all know that cybersecurity breaches could have several consequences, including:
- The loss or theft of sensitive data
- Disruption to business operations
- The exposure of trade secrets or other confidential information
- Loss of customer confidence
- Regulatory action
- Reputational damage
- Licensure ramifications
Law firm cybersecurity starts with you.
Unfortunately, good cybersecurity often means doing all those little things you probably find annoying, the things you have heard a million times:
- Keep your software up to date. This includes your operating system, web browser, and apps. Outdated software can have security vulnerabilities that can be exploited by hackers.
- Use a strong password. A strong password is at least 8 characters long and includes a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessed words like your name or birthdate.
- Be cautious about what you click on. Hackers can use malicious links and attachments to infect your computer with malware. Only click on links from trusted sources, and scan any attachments with antivirus software before opening them.
- Back up your data regularly. Regularly backing up your data helps to ensure that you can recover it if your computer is hacked or infected with malware.
- Use security software. Security software, such as antivirus and firewall software, can help to protect your computer from malware and hackers. Be sure to keep your security software up to date.
What may or may not be obvious is that this is not likely to be enough for you to competently and adequately protect your firm and client data. Cybersecurity is an ongoing process, and you have to revisit these things regularly — kind of like how you need to keep yourself updated on the state of the law.
The tips and resources below will help you take your first steps, but I encourage you to educate yourself as you implement them. Over time, you will know enough to ask the right questions.
Keep your software up to date.
Keeping your software updated is probably the least difficult habit to implement. You have to pay attention to updates of software installed on your computer.
It is easy to get in the habit of clicking "Remind Me Later" if you jump from one urgent moment to the next. Therefore, you should focus your energy on updating when you are not in a rush. If you have an app open and have a spare minute, force yourself to check for updates. If you are going home for the weekend or shutting down your laptop for the night, check for updates at that point and let them run.
If you are having trouble finding the update button, there are places you can check. If it is an app in the system tray (along the bottom of the screen), try right-clicking on its icon. If you have the app open, sometimes the update button will be under the File menu and sometimes under the Help menu. If you do not see the update button, you might have to do more digging, but you will find it there nine out of ten times.
If you make updating during downtime your habit, you will keep your software relatively up-to-date, and it will feel like less of a chore than trying to update everything once every couple of months.
Use a strong password.
Did you know that every time you randomly shuffle a deck of cards, you are holding them in an order that has never been seen and will never be seen again? That is because of the math. 52 possible cards can be the card on top, 51 possible cards for the second card, etc. The math on this is incredible — check out this visualization of the numbers:
Math is central to the strength of passwords. Computer attackers can try between 10,000 and 1,000,000,000 password combinations per second, so the length of the password is critical.
A password has around 95 possible characters to choose from for each character. Additionally, passwords can repeat characters where a deck of cards cannot, so if you assume a password has eight characters, there are 6.5 quadrillion possible passwords.
That is nearly uncrackable. But that is only true if the characters are chosen at random. Many people try to remember their passwords and use inventive combinations of words, punctuation, and numbers. Attackers know this, so they start with dictionary attacks rather than try passwords at random. A dictionary attack first tries combinations of words, names, and variations with punctuation and numbers intermingled. If your password is made up of words (or w0rd5) found in a dictionary, cracking your password is trivial by comparison. And there is a good chance any cracked password is getting added to a database of usernames and passwords to improve the quality of their future dictionary attacks.
So, how are you supposed to have completely random passwords, which are different for each website, without constantly getting locked out of your accounts? Password managers.
A password manager is a type of application that manages the creation and storage of passwords for you. You can create passwords over 100 characters long that are completely randomized, and the process is painless once you get the hang of it.
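The arithmetic above, worked through in Python as an added example (not part of the original post). It uses the post's 95-character alphabet and its two attacker speeds; the sizes used for the "word plus digits plus symbol" pattern are assumptions chosen for illustration, and all function names are this example's own.

```python
import math
import secrets
import string

# The post's figure: about 95 printable characters per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
# The post's range of attacker speeds, in guesses per second.
SLOW_RATE, FAST_RATE = 10_000, 1_000_000_000

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of this length (characters may repeat)."""
    return alphabet_size ** length

def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate once."""
    return candidates / guesses_per_second

def entropy_bits(candidates):
    """Size of the search space expressed in bits."""
    return math.log2(candidates)

def random_password(length):
    """Pick each character independently with a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def pattern_candidates(words=100_000, case_variants=2, suffixes=100, symbols=32):
    """Guesses needed to cover a 'Word + two digits + symbol' pattern.
    All four sizes are assumptions chosen for illustration."""
    return words * case_variants * suffixes * symbols

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        ks = keyspace(n)
        print(f"random, {n:2d} chars: {entropy_bits(ks):6.1f} bits, "
              f"{human(seconds_to_exhaust(ks, FAST_RATE))} at the fast rate, "
              f"{human(seconds_to_exhaust(ks, SLOW_RATE))} at the slow rate")
    pc = pattern_candidates()
    print(f"word pattern:     {entropy_bits(pc):6.1f} bits, "
          f"{human(seconds_to_exhaust(pc, FAST_RATE))} at the fast rate")
    print("sample 20-character password:", random_password(20))
```

Running it shows how quickly each added random character lengthens the search, and how small the search becomes when a password follows a guessable pattern.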
You can install mobile apps, desktop and laptop apps, and browser extensions to unify the experience. You can get your password manager to autofill login information, generate logins for new websites, and store and autofill two-factor authentication credentials. Once you get your software streamlined, it takes less time to log in with big, complicated passwords than with those you commit to memory.
You have some options when it comes to password managers:
I use Bitwarden. I have used LastPass in the past, but you probably will not go wrong with any of these choices.
Be cautious about what you click on.
Phishing attacks are online scams where criminals send out emails or messages that look like messages from a legitimate organization. They often include a link that takes you to a fake website that looks real. They may also ask you for personal information, like your credit card number or social security number. Criminals use phishing attacks to steal your personal information so they can commit fraud.
There are a few things you can do to protect yourself from phishing attacks:
- Be suspicious of any email or message that asks for personal information or includes a link. Do not click on links or reply to messages you are not expecting.
- If you are not sure if an email is legitimate, contact the organization it is supposedly from using a phone number or email address you know is real. Do not use the contact information in the email.
- Do not open attachments sent by people you do not know. These can contain viruses that can infect your computer.
- Keep your antivirus software up to date. This will help protect your computer from viruses that can be spread through phishing emails.
- Be careful about what you post online. Do not share too much personal information on social media or other websites. Hackers can use this information to create fake websites and emails that look like ones you trust.
You have probably seen phishing attempts before, and you may be used to being able to spot them easily. However, that will not be the case if your industry, firm, or office is being targeted or one of your service providers suffers a breach. You can use this phishing quiz to see how sophisticated some attacks can get. Some services will create tests for your firm and get very specific, accurate, and scary! The point of these tests and quizzes is to keep yourself and your team on guard against attacks.
Back up your data
Data backups ensure that you can continue to work if something otherwise disrupts access to your records. If you get hit with malware, such as ransomware, you need to be able to get up and running again as fast as possible. Your workflow can be set back for weeks if you do not have any backups; you'd be facing the choice of dealing with malware or starting from scratch.
The most secure option is to create backups on a hard drive and keep them somewhere safe, in a location other than where your data is created. However, this is cumbersome, and it is a useless strategy if you do not regularly make the backups and keep them safe.
An alternative is to use cloud storage solutions to make the backups and keep them secure. Cloud storage providers are in the business of keeping your data secured. The best ones store your data in multiple locations around the globe and implement various security measures. While cloud storage can have its own problems, it is a valid and viable option.
Many services have apps you can install on your desktop that "stream" or "mirror" files from specified folders to the cloud, creating up-to-date backups. If you want to have a backup to your backup - that's totally possible!
You can set up multiple backup services to run on one desktop. You can sync each service to the same folder on your desktop and have up-to-date copies of your data on each service. The big thing you will want to watch for here is their privacy practices. You obviously don't want to expose your clients' data to a service that mines your confidential data. However, this concern stands with whatever technology you use, so it should be on your radar anyway.
Some services you can use include:
It is important to remember that free tiers are often without privacy guarantees, while paid ones often have them. It is your responsibility to ensure you are using the correct versions of the technology.
Use security software.
Security software includes antivirus software, firewalls, VPNs, and other security hardening services. These tools obfuscate your data from bad actors, protect you from direct attacks, and verify the integrity of the files you have installed on your device. It is good to have basic protections for your device, regardless of what operating system or device you use.
Many devices have some basic protections preinstalled, but it is wise to fortify those or replace them with alternative software. There are plenty of free and open-source options that can help you get started, and there are paid services if open source isn't your jam.
Some software you might like includes:
Wrapping up for now.
These steps should get you off to a good start in tightening your security. Once you get a handle on your own security, you can start taking steps into cybersecurity for your whole firm. Do not forget the most important part — keep learning!