Cybersecurity Tips for Law Firms

In March of 2017, the ABA Journal ran an article about the importance of managing cybersecurity risks. This was just a couple of months before the PetrWrap/NotPetya ransomware attacked mega-firm DLA Piper, locking down all networks and phone lines and leaving the firm to conduct business by cell phone and text message.

It’s still unclear as of this writing what the long-term damage caused by the ransomware attack on DLA Piper will be. But it certainly makes clear that law firms need to take cybersecurity seriously. Here are some tips for managing your firm’s—and your—cyber-risk.

Know that there’s no silver bullet. You’ll need multiple layers of protection in order to prevent viruses and malware from affecting your systems.

Make backups. Back up all of your data regularly. Those backups should be encrypted with a user-defined encryption key. If you’re an individual or a small firm, the most practical backup solution is an external hard disk drive—just don’t forget to unplug the drive after the backups have been completed.

Develop a password policy. Use a password length of at least eight characters, and consider choosing a passphrase rather than a password. Don’t use dictionary words because those are easy to hack. Make sure to lock your screen when you leave your desk and ensure that a password is required to get into your machine. Require users to change their passwords regularly—once every 90 days is a good start—and insist that they not use passwords they use for other online functions. A password manager like LastPass can help ensure security of passwords.

Run your security updates. Keep your hardware and software as current as possible. Once software becomes unsupported, like older versions of the Microsoft Office suite, for example, it is not ethical to use that software. Apply updates and patches as soon as they are available.

Use encryption. Lost and stolen laptops are one of the most common causes of data breaches. Most newer laptops have built-in encryption, but it’s important to enable that function. Employees working remotely should only log into company networks via a VPN, MiFi, smartphone hot spot, or some other type of encrypted connection. The same goes for cell phones: Use your phone’s password or PIN protection to prevent bad actors from accessing your data, and turn off Bluetooth when you’re not using it.

Train everybody in security procedures. One of the most overlooked ways to minimize cyber-risk is ensuring that everyone who uses your firm’s systems understands not only the importance of using cybersecurity protocols but also how to use them.

What have you or your firm done to mitigate the risk of a cyber-attack? Please share your ideas in the comments.
