Column: It’s Never Too Late -- Five Cybersecurity Practices Your Firm Must Implement

Thursday, Feb. 28, 2019 By Heidi Alexander, Esq., Deputy Director, LCL
A "Tips on Law Practice and Lawyer Life" column

All the data suggests that law firms are not immune to cyber breaches and, in fact, are targeted because of the potentially vast amounts of sensitive data in their care. Major law firms, such as DLA Piper, Cravath and Weil, have all suffered breaches that put their practices in the spotlight. Take this trendy law firm scam involving gift cards: The hacker either spoofs or gains access to a law firm partner’s email address. The “partner” then emails a staff member with directions to buy hundreds of dollars’ worth of gift cards. The “partner” then instructs the staff member to transmit the serial numbers on the gift cards via email. The hacker can then sell these serial numbers for virtual currency or cash. Because this is a cash transaction, it is not recorded and is difficult to track, report and stop.

Hacking attempts are increasing; nearly one in every 100 emails is reported as a hacking attempt, and 90 percent of those attempts involve social engineering (i.e., impersonation with the goal of stealing data or installing malware later). Results from the 2017 American Bar Association Legal Tech Report indicate that 22 percent of responding law firms had suffered a breach. Now, more than ever, it is imperative that attorneys and law firms remain vigilant. Here are five reasonable security practices that your firm should implement ASAP:

#1 Think Before You Click 

Email has become an easy tool for hackers to gain access to sensitive information or to engage in a sophisticated scamming scheme. “Spoofing” is one email trick that hackers use. Take the example below, which I received at my work email. There are a number of telltale signs that this email was not sent by someone I trust. Be wary of every email you receive: 

  • Always review email message headers and check email addresses by hovering your mouse over the address. Do the same with links before clicking them. Note that your mobile email interface might make it harder to assess the email source, so proceed with extra caution on a phone or tablet.
  • Be wary of any email that expresses urgency. 
  • Never provide any confidential or personal information when requested to do so via email, particularly if you were not expecting to do so.
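The three checks above (sender address behind the display name, urgency language, and where a link really points) can be automated. This is an added illustration, not code from the column; the sample message and its domains are constructed, modelled on the gift-card scam described earlier.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure to act now is one of the column's warning signs.
URGENCY = ("urgent", "immediately", "asap", "right away", "today")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def red_flags(raw: str) -> list[str]:
    """Return the telltale signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    flags = []
    # Sign 1: the display name shows one address, the real sender is another.
    name, sender = parseaddr(str(msg.get("From", "")))
    shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if shown and shown.group(1).lower() != domain_of(sender):
        flags.append(f"display name claims {shown.group(1)} but sender is {domain_of(sender)}")
    # Sign 2: urgency in the subject or body.
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # Sign 3: link text names one site, the href (what hovering reveals) goes elsewhere.
    for href, label in LINK_RE.findall(body):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if URL_LIKE.fullmatch(label):
            visible = urlparse(label if "://" in label else "//" + label).hostname
            actual = urlparse(href).hostname
            if visible and actual and visible != actual:
                flags.append(f"link reads {visible} but points to {actual}")
    return flags

# Constructed sample message; every domain here is a placeholder.
SAMPLE = """\
From: "Jane Partner <jane.partner@example-law.com>" <jp9981@webmail.example.net>
To: assistant@example-law.com
Subject: URGENT - need this done today
Content-Type: text/html

<p>In a meeting. Please buy the gift cards asap and email me the codes.
Sign in here: <a href="http://example-law.com.login.example.net/portal">https://example-law.com/portal</a></p>
"""
```

Running `red_flags(SAMPLE)` reports all three signs for the constructed message; a clean result is not proof of a safe email, only the absence of these particular tells.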

#2 Passwords Passwords Passwords

It continues to amaze me that every year the most commonly used passwords remain unchanged and include “123456,” “password,” “qwerty” and “admin.” If you are using one of those passwords, please stop now! Passwords must be strong and unique. You can test the strength of yours at When you use the same username and password for multiple services, if one service is compromised, then all of your services may be compromised. To check whether a service you’ve used has been compromised, go to Have I Been Pwned? If so, change your passwords associated with that username and email. The best way to create unique passwords for each service you use — and to remember those passwords — is with a password manager such as 1Password or LastPass.

#3 Use Two-Factor Authentication Whenever Possible

When you store data in the cloud, you lose some control over that data. Thus, you want to take extra steps to protect it. Using two-factor authentication provides that extra protection. A basic example of two-factor authentication is the use of your ATM card to withdraw money from an ATM. First, you must swipe your card, and then you must enter your PIN. Two-factor authentication requires something you know (e.g., your PIN or password) in addition to something you have in your physical possession (e.g., your ATM card or cell phone), thus creating a stronger security barrier. Popular cloud services, such as Google, Dropbox and Evernote, all provide two-factor authentication for users. Google has its own authentication app, Google Authenticator, but you can also use other apps such as Authy, which aggregates two-factor codes for multiple applications.

#4 Encrypt Your Hard Drive

Encryption is one of the best methods of protecting your electronic data. It takes the contents of a document and scrambles them so that they are unreadable without the key. According to the Massachusetts Data Privacy Laws (see M.G.L. c.93H and 93I, and the implementing regulations, 201 CMR 17.00), certain personal information that travels wirelessly must be encrypted. That might include transmission of emails and documents, documents stored in the cloud, laptop hard drives and USB storage devices. In particular, if you are carrying around a laptop and you misplace it or it is stolen, its contents are easily retrievable by a third party unless you have encrypted the hard drive. Both macOS and Windows have built-in tools (FileVault and BitLocker, respectively) to enable full-disk encryption.

#5 Back Up Your Data, Not Once But at Least Twice

To protect against the loss of data due to a disaster, computer failure or ransomware, you should have a redundant backup system. Ideally, electronic data should be backed up regularly through a combination of physical hard drives and cloud providers. Seagate, Western Digital and Drobo are some of the top external hard drive brands. A few cloud backup providers include IDrive, Acronis True Image, SpiderOak One, SOS Online Backup, Norton Online Backup, Mozy, Carbonite, CrashPlan and Backblaze. Don’t confuse cloud storage services like Dropbox and Google Drive with a dedicated cloud backup service. Using a cloud storage service as your backup is akin to having a real estate attorney draft a special needs trust. The purpose of Dropbox and Google Drive is to sync files across systems, not to act as a backup system. If you delete a file on one device, it will be deleted on all other devices (including in the cloud). And you shouldn’t count on it remaining in your trash folder (e.g., Dropbox permanently deletes files in the trash after 30 days). Once you’ve secured your backups, remember that they won’t do you any good unless you test them by conducting periodic restores of non-essential data. In the event of an unexpected data loss, you should know precisely how to access and restore your data in just a few simple steps.

BONUS: Start to Build a Culture of Security

In law firms, as in other industries, the greatest security threat is people. Firms must work to “build a culture of security” to decrease cybersecurity risks in the following ways:

  • Teach people how their actions apply to and impact everyone else in the firm.
  • Conduct regular awareness training and make it fun (e.g., use gamification when conducting phishing tests: identify the phishing email and win a prize).
  • Use real-life examples in training, empower employees to come forward without shame, and learn from mistakes made.
  • Reward good behavior and adherence to security protocols.
  • Do not exempt leaders from participating in training; rather, encourage leaders to model good behavior.

The mission of Lawyers Concerned for Lawyers Inc. (LCL) is to promote well-being and resilience in the legal community, improve lives, nurture competence, and elevate the standing of the legal profession. To fulfill this mission, LCL provides free and confidential mental health resources, addiction recovery support, and practice management services.