‘Legal Tech Lists’: 7 Ways Law Firms Invite A Breach
Published: Ordibehesht 29, 1403
Updated: 29 Khordad 1404

Editor’s note: This is an installment in the “Reference Manual of Legal Tech Lists Vol. II,” an eBook set for release this summer.

It’s been a very bad year for law firms.

Not only were many law firms breached — and some from BigLaw — but the class action attorneys also have apparently discovered there is money to be made from class action lawsuits against breached law firms.

It seemed like a good time to talk about foolish things that law firms and lawyers do that amount to an engraved “breach me” invitation to cybercriminals.

No. 1: They Don’t Adopt Multifactor Authentication (MFA)

As all lawyers know, there is an inconvenience factor to adopting MFA.

And an amazing number of lawyers resist the very minor inconvenience of having to authenticate themselves twice, first entering their password (something they know) and then authenticating again via something they have (i.e. an app on their phone) or using biometrics.

According to Microsoft, the adoption of MFA will prevent 99.9% of account takeovers. We have seen multiple law firms refuse MFA (groaning about its inconvenience) only to suffer account takeovers. They sure were anxious to adopt MFA after the breach. D’oh.

No. 2: They Don’t Have Multiple Backups

Most importantly, you must have more than one backup — and one of the backups should not be connected to your network.

The first thing cybercriminals will do after breaching your network is to break into any accessible backups so you cannot recover from the breach without paying the ransom.

Also, make sure your cloud backup keeps multiple versions and doesn’t only sync the contents of the local backup. If ransomware encrypts the local backup, that change shouldn’t replicate so that your cloud backups end up encrypted too.

It is also important to recognize that, while having your data in the cloud is not a guarantee that you won’t be breached, your data is infinitely safer in the cloud. While there have been cloud breaches, MOST of them have happened because an employee of yours misconfigured something in the cloud.

We’re down to only two clients who have their data on-premise — one is stubborn — and we feel for the other because that law firm is commanded by a major client to have the data onsite.

The cloud is where it’s all happening these days.

If you cling to the past, you do yourself no favors — and note that some IT folks will encourage staying with an on-premise solution because they make more money that way.

No. 3: They Skimp on Employee Training

Law firm employees are your first line of defense. Endless phishing emails (which have gotten more sophisticated thanks to artificial intelligence) and social engineering are dire threats.

So why wouldn’t you train employees to recognize these kinds of attacks — and offer them as many different examples as possible of those attacks and others?

And yet most law firms, particularly the solo/small/midsized firms, do not offer this training.

The cost of an annual cybersecurity training online session is modest — the cost of a data breach is immense.

Tip: get a reference from a fellow lawyer about cybersecurity firms who do good employee training at a reasonable fee.

No. 4: They Don’t Have An Adequate Plan

An incident response plan (IRP) may salvage your firm in the event of a breach, and yet only 42% of firms have one.

And we’re pretty sure that many of the IRPs that do exist are either outdated or not quite up to snuff. Get some help from a cybersecurity professional who is accustomed to drafting these plans.

Without a thorough plan, after a breach you will haplessly do all sorts of things that are wrong, in the incorrect order, etc.

Remember, there are penalties (lots of them) for not handling a breach correctly and reporting it timely. And did we mention the ethics rules?

No. 5: They Trust Without Verifying

Don’t trust your employees. Why?

Because they take your data when they go to another firm.

You see that in the headlines regularly. You also often see law firm bookkeepers embezzle money. Just do a search and you will see the necessity of having someone audit your books.

Hopefully, you do not allow sharing of passwords. But employees do it anyway.

The usual excuse is that, for instance, a lawyer and a paralegal need to have access to one another’s email. If one is compromised, both are compromised. Enforce your policy!

When you need a security assessment, do NOT let your IT folks do it. They have a vested interest in the outcome.

We could go on, but you get the idea. To adapt Ronald Reagan’s words, “if you must trust, then verify.”

No. 6: They Take Their Work Laptop Abroad

If you take your work laptop abroad, you take your chances. Some countries are more dangerous than others.

We have seen a video of a laptop left in a hotel room in China and watched as two men entered the lawyer’s room and downloaded the entire contents of the laptop.

Mind you, not every country is as dangerous as China when it comes to coveting a lawyer’s data.

But routinely, large firms have clean laptops that they loan out for trips abroad.

For small firms, the cost of an extra laptop or two is well worth it. Make sure you make this a law firm policy requirement.

Remember the post-roll-call words of police Sgt. Phil Esterhaus on Hill Street Blues? “Let’s be careful out there.” Those words apply here – and there may be ethical implications as well.

No. 7: They Let Apps Access Their ‘Contacts’

We routinely see lawyers do this.

MANY apps ask for access to your “Contacts,” and the average lawyer simply allows it.

What are they thinking???? Your “Contacts” contain all kinds of sensitive data — and the integrity of most apps is highly questionable. Many sell data.

Several bars have already said it is unethical to allow apps to access your “Contacts.” And they are right!

This list could go on and on, but following the advice above should upgrade your cybersecurity significantly!


Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA. [email protected]

John W. Simek is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia firm. [email protected]

Michael C. Maschke is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional. [email protected]

Source: https://abovethelaw.com/2024/05/legal-tech-lists-7-ways-law-firms-invite-a-breach/