More than 80% of the 100 largest U.S. law firms have been hacked since 2011, and trends show that even small law firms are at risk. Cybercriminals have figured out that law firms hold huge volumes of personal information and confidential business and financial documents that are not protected as well as the data of other, more tightly regulated industries, such as financial services. In fact, a single compromised employee account or a single piece of unpatched software can be enough to let an attacker infiltrate the entire system.
The silver lining of this growing number of attacks on law firms is greater awareness of the threat. But what steps should law firms take to strengthen their security posture? First, if you haven’t already, upgrade your security technology, including strong user authentication. Beyond technology, it’s also critical to implement and enforce employee policies around storing and accessing sensitive data. Finally, carrying out regular risk assessments will confirm that those policies are being followed and keep you ahead of new developments in cybercrime.
Here are some specific steps you can take to protect your firm from a data breach:
- Review your budget: You’ll likely need to increase your IT budget and hire dedicated employees to manage your cybersecurity. Look at it as a smart investment that will save you money over time. As an example of the wreckage a hack can cause, the 2015 breach of 11.5 million documents from Mossack Fonseca resulted in at least 150 investigations in 79 countries and the closure of the firm.
- Educate yourselves: Become familiar with the recommended security measures and standards published by bodies such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
- Make it a top-down priority: Designate a partner to take responsibility for establishing best-practice data governance and cybersecurity policies, ensuring enforcement and review to keep them up to date.
- Implement strong authentication: Ensure appropriate and secure employee access to systems, including for contract and remote workers. An effective way to do this is with multi-factor or biometrics-based authentication technology that protects access from all endpoints (e.g., computers, smartphones, tablets) and to all applications.
- Encrypt your data: It’s critical to store all data in encrypted form, providing a second layer of protection if your systems are breached.
- Vet your partners: You’re likely not the only ones touching your clients’ data. Ensure your vendors and partners have also implemented best-practice data security.
- Put processes in place: To stay current, create processes for training, compliance monitoring, and active detection and response. Also establish a process for creating and maintaining an incident response plan, and hire experts to regularly assess risks and perform audits.
- Consider cyber insurance: Major insurance companies now offer cyber insurance policies that cover law firms, as well as their clients, in the event of a data breach.
Data security is critical to a law firm’s business: your clients trust that their information is safe from prying eyes. A data breach can cause irreparable damage to a firm’s reputation or finances through lawsuits, penalties and media investigations. As cybercriminals become more sophisticated in their attacks, law firms must follow suit and consider using advanced technology such as artificial intelligence (AI) and prediction models, along with more user-friendly strong authentication such as biometrics, to promote compliance among employees and partners.