
Cyber security for small firms

Law firms of all sizes must manage the risk of getting attacked.

Protect your data

The COVID-19 pandemic has opened up a Pandora’s box of cybersecurity issues for many law firms that have gone virtual, says Paul J. Unger with the legal consulting company Affinity Consulting Group in Columbus, Ohio. 

“Almost overnight, people had to go home and work. People grabbed laptops out of desk drawers at home and they cobbled together and jerry-rigged systems to be able to work. They copied documents to hard drives and to Dropbox, and they decentralized their data,” he says. “You can’t secure documents that are scattered.”

According to Statistics Canada, cyber-attacks have increased since the beginning of the pandemic, with 42% of respondents in a September survey reporting at least one online security issue — including phishing attacks, malware and cyber fraud.

Here are the steps law firms should take to protect against cybercrime.

Obtain cybersecurity insurance

The first step is for law firms to contact their insurer.

“That is going to kick off a process that will lead you down the road you need to go down because you may not be able to get the insurance until you take some necessary steps,” he says.

Usually, the insurer will assess the firm to determine what it already does to prevent cyber attacks.

“They may ask: ‘Do you use two-factor authentication? Do you secure your passwords in an encrypted vault?’ And they may not issue the policy until you start doing these things,” says Unger. 

Assemble a cyber task force

“Even if there are only three people in the organization, I would assemble a cyber task force. Those individuals in the firm would figure out where the vulnerabilities are,” he says.

This can be a tough exercise for many firms, especially small ones. “You are going to get stuff like, ‘I save documents on this computer and that computer and Dropbox and over here we use Google Drive.’ You need to identify all the programs and all the different vulnerabilities because you need to figure out where your data is in order to secure it,” Unger says.

Hire a cybersecurity expert

This comes after the task force has compiled a list of potential vulnerabilities, Unger explains, and it’s important to choose someone “with more knowledge than just setting up a network. You want somebody with cyber security experience and certifications.” 

The cybersecurity expert can help you put together a written information security program: a firm policy governing where documents are stored, how passwords are managed, how computers are encrypted and other cybersecurity measures.

Only keep necessary information

Jordan Furlong, a legal industry analyst and consultant based in Ottawa, says law firms should analyze the nature of the information they store. In many security incidents, the harm comes from attackers finding information that should no longer have been there.

“If you don’t intend to use it, don’t collect it. If you no longer need it, don’t keep it,” he recommends. “Don’t just do a spring cleaning, but a summer, fall and winter cleaning on your data to make sure there is little there that is potentially valuable or potentially harmful to your clients.” 

Educate your staff

A common cyber-attack involves hijacking a person’s email account and sending a message to the entire address book that looks authentic because it comes from a trusted source, says Unger.

“Then they click on a link and it installs a malicious script that then begins to monitor that computer user’s activity and maybe even encrypts their files and holds them to ransom,” he explains. “That’s a big deal because documents can be compromised. And as lawyers, our ethical duty is that we must take reasonable steps to protect confidentiality and the documents themselves.”

Furlong adds that “good security hygiene” is necessary for all law firm employees. 

“All you need is one person who doesn’t read their email carefully and stop to notice misspellings and a strange email address and clicks on it. They get distracted and click on a link that they shouldn’t have and then disaster,” he adds. “Make sure everyone in your firm is deeply versed in knowing what to look for in phishing expeditions, knowing what a tracked email looks like. And try to break people of the habit that if you see the link, you click on it.”
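The warning signs Unger and Furlong describe (a sender address that is almost, but not quite, the firm's own; a display name that shows one address while the real sender is another; a link whose visible text points one place and whose target is another) can be checked mechanically, and walking through the checks is a useful way to teach staff what to look at. The script below is an added example, not code from the article or from either consultant. The firm domain examplefirm.ca, the sample message and the thresholds are assumed for illustration; it is a training aid for reading a suspicious message, not a replacement for a mail gateway.

```python
"""Heuristic phishing-indicator check for one raw email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed firm domain for the example; replace with the firm's real domain(s).
TRUSTED_DOMAINS = {"examplefirm.ca"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examplefirm.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Sender domain is a near miss of a trusted domain (typosquat).
    for trusted in TRUSTED_DOMAINS:
        if sender_domain != trusted and edit_distance(sender_domain, trusted) <= 2:
            findings.append(f"sender domain {sender_domain} resembles {trusted}")

    # 2. Display name shows an address whose domain differs from the real sender.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != sender_domain:
        findings.append(f"display name claims {shown.group(1)} but sender is {sender_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {sender_domain}")

    # 4. Links whose visible text names one host but whose target is another,
    #    or whose target is a bare IP address.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
                findings.append(f"link to raw IP address {target}")
            shown_host = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
            if shown_host and shown_host.group(1).lower() != target:
                findings.append(f"link text shows {shown_host.group(1)} but goes to {target}")
    return findings


# Constructed sample message for the demonstration; not a real capture.
SAMPLE = """From: "paul@examplefirm.ca" <paul@examplefirm.co>
Reply-To: <docs@mail-example.net>
To: staff@examplefirm.ca
Subject: Updated retainer agreement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please review the retainer at
<a href="http://203.0.113.10/login">https://examplefirm.ca/documents</a></p>
"""

if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE):
        print("WARNING:", warning)
```

Run against the constructed sample, the script reports five warnings: the lookalike sender domain, the mismatch between the display name and the real address, the foreign Reply-To, the raw IP target and the link whose text names the firm's domain. A genuine message from a colleague at the firm, with a plain display name and links that go where they say they do, produces none. None of these checks is conclusive on its own, which is exactly why Furlong's advice is to break the reflex of clicking before looking.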

Ensure cybersecurity at home

Unger says law firms also need to ensure lawyers and staff working from home are secure.

“Your IT professional needs to be visiting employees of the firm at home to make sure that they have adequate encryption on their routers and that they are set up with security at home,” he says.

One option he recommends is moving to an encrypted cloud to store documents.

“A secure cloud-based document management system or practice management system allows people to work from home or pretty much anywhere they need, whereas servers at the office can’t secure that information,” he says. “I would encourage firms to look into those options because otherwise, they either won’t be secure or they will have to spend a lot of money to achieve that security.”

Continue to review and update your program

Cybersecurity is an ongoing process. 

“The task force doesn’t just exist for three months and then go away,” Unger says. “You have to build continuity because technology changes so much that the task force has to constantly evaluate and revise their policy as well as the technology that they use. There could be a new risk that arises tomorrow that could change everything.”

Unger suggests law firms hold regular cybersecurity education sessions on topics such as phishing, password management and common cyber attacks. “It’s important for people to know that this is never going away.”