Top 5 Law Firm Cyber Security Quick Tips
When I first joined ALPS over 20 years ago, most of my risk management efforts were focused on proper file documentation, calendaring best practices and the like. Things are different today. Now a significant amount of my risk management efforts are focused on trying to help lawyers become as cyber secure as possible.
One common concern I continue to hear from lawyers trying to get there is frustration over not knowing the specifics of what they’re supposed to do. While our Rules of Professional Conduct and various ethics opinions mandate many things, including that lawyers take steps to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client [for example, see ABA Model Rule 1.6(c)], these rules and opinions often don’t set forth the specific steps lawyers should be taking.
In order to try and address this problem, I have put together an ALPS cyber guide entitled “Getting Started Cyber: How to Protect Yourself and Keep the Hackers at Bay.” This in-depth guide explains the cyber risk landscape, provides practical insights into how to best manage these risks, and includes a cyber security checklist that can help you identify unaddressed areas of concern.
As a teaser for this guide, here are my top five cyber security quick tips:
1) Keep hardware and software as current as possible. You don’t need to be first in line for the latest and greatest, but don’t be the last in line either. Once software becomes unsupported, it is unethical to use it because it no longer receives security updates and is vulnerable to hackers. Apply patches as soon as they are available to reduce vulnerability to attack or compromise.
2) Backup all data. Don’t forget to periodically conduct a test restore of the backup and make sure your backups are as impervious to ransomware as possible, which means they should be cloud-based or agent-based. Backups should also be encrypted with a user-defined encryption key, whether stored on-site, off-site or in the cloud.
3) Develop a password policy. The policy should mandate the use of strong passwords, defined as being 16 characters or more in length using uppercase and lowercase letters, numbers, and special characters. The use of a password manager can make this task quite easy.
4) Mandate that all work-related Internet sessions be encrypted. Prohibit the use of public computers and unsecured open public Wi-Fi networks. Access to the office network must always occur through the use of a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.
5) Provide mandatory social engineering and safe computing awareness training to everyone at the firm at least once a year. Technology alone cannot protect your data. The greatest vulnerability comes from the folks who use your network. Cyber attacks succeed because someone unintentionally did something stupid, like clicking on a link, opening an e-mail attachment, or confirming an ID and password when they shouldn’t have.
For a comprehensive guide to making your firm more cyber secure, download our free Getting Started Cyber Guide now.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 550 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.