
Law Firm Information Security Policy: 5 Tips to Keep Firms Safe
As a law firm, you operate in the realm of sensitive personal information, trade secrets, and intellectual property. Your clients trust your discretion, sharing intimate, personal details with you under the umbrella of attorney-client privilege. But there is a weak point in this pipeline: chances are, you keep private documents in folders on your laptop or in the nooks and crannies of your cloud architecture.
What would happen if a hacker gained access to your data ecosystem?
Unfortunately, this is an increasingly common issue for law firms. According to the ABA, 29% of lawyers reported security breaches at their firms in 2020—that’s roughly one in three! This is a sharp increase from a mere 14% back in 2016.
The average cost of a data breach (across all industries and company sizes) is over $8 million. For law firms, breaches are scary. Many firms don’t survive. As the cybersecurity landscape grows alongside threat actor ingenuity, firms can no longer hope a breach doesn’t happen. They must focus on their security posture.
Here are five cybersecurity tips to prepare your firm for 2021, starting with well-defined law firm information security policy.
5 Ways to Improve Your Law Firm’s Security Posture
1. Create A Law Firm Information Security Policy
Information security policies (i.e., infosec policies) are guidelines that help your firm react to, prevent, and understand security threats. That sounds basic, but, alarmingly, according to the ABA 2020 Cybersecurity Tech Report:
- only 34% of law firms maintain an incident response plan,
- only 36% invest in cybersecurity insurance, and
- less than half adopt basic cybersecurity software and tools.
To be fair, creating an infosec policy is notoriously time-consuming, and it involves plenty of strategic layers that may be confusing and technically complex for law firms without a fully staffed in-house security team.
Infosec policies should contain details like:
- Data classification
- Data hardening procedures
- Encryption policies
- A comprehensive list of programs, systems, facilities, and technologies
- Staff training
- Access control
- Non-compliance penalties
- Physical IT structure
- Authorization policies
- Remote work policies
- Data movements and security standards
- Security responsibilities
- References and supporting documents
- Compliance needs
- Intrusion detection
- Incident response plans
- Technical guidelines
In other words, your infosec policy is the glue that holds your entire security infrastructure together. It guides every security-forward action, and it is how you prevent breaches and leaks at every node in your firm. This is a must-have document. If you don’t have one, you need one.
2. Understand the Risks of BYOD
At least 50 percent of law firms went remote during the height of COVID-19, and experts predict that telecommuting and remote work will become de facto staples of the legal sector. But remote work brings its own challenges. Employees are no longer tethered to their desks or anchored within office walls, which also means they’re outside your internal network security and your managed devices. Many law firms have made the unfortunate mistake of allowing employees to use their own devices. That is a security issue.
Bring Your Own Device (BYOD) plans may save you initial capital, but they also significantly widen your cybersecurity threat margin, opening your firm up to a number of risk vectors.
Employees who blend personal and work devices are at significant risk for malware and viruses. Device theft becomes harder to control (i.e., they’re carrying their devices outside of a specific location), and operating outside of your network policies exposes employees to risk—especially since personal devices may already have malware installed before they ever log in to your network.
The solution is to provide hardware to employees instead of allowing them to use their personal devices. It will spare you a great deal of cybersecurity sweat.
3. A.B.M. (Always Be Monitoring)
Your law firm shuts down every day. Hackers don’t. The majority of ransomware attacks take place after hours or over the weekend. Threat actors often attempt to breach your security infrastructure when you’re off guard.
You need around-the-clock (24/7) security monitoring to keep your assets safe while you sleep. Unfortunately, most small to mid-sized law firms lack a robust 24/7 security team. Instead of throwing in the towel, consider hiring an outsourced security agency to monitor your systems. Malware, viruses, and ransomware don’t sleep. Your security infrastructure shouldn’t either.
4. Keep Your Eye on Other Firms
What are your peers doing? It’s easy to read statistics and find terrifying news stories, but these only reveal half-truths. Look beyond the headlines and see how your peers react to security issues. Large firms are the first place you should look. What are they doing? What types of security teams do they have? How much time and energy do they invest in cybersecurity? Copy what they are doing, and pay attention to how they react when they get hit with a breach. While many lawyers are still new to this space, some of the larger firms are implementing impressive security-forward solutions like monitoring, encryption, and company-owned hardware distribution.
The capital-soaked Goliaths in your area likely have significant cybersecurity infrastructures. As a smaller firm, you may be uneasy about the liquidity commitment of a security policy, but outsourcing IT brings large-firm resources to small firms in one cost-effective package.
5. Keep Security Front-of-Mind
This is the most important tip. Cybersecurity isn’t a back-of-mind issue that you can push off until a breach hits your front door. Prevention is the best cure. Cybersecurity should be a top-level issue for your firm, and it should consume a decent chunk of your tech budget. The sad truth is: many law firms are complacent about cybersecurity. They assume it won’t happen to them. But it will. Threat actors are increasing their pace, skills, and attack methodologies each year, and firms that lack a solid security backbone will inevitably get hit with a breach. If you’re lucky, the violation will only cost you some money and time. But leaked client details often haunt firms for years.
Don’t think it can happen to you? Let’s look at a few of the security breaches that occurred in January 2021:
- A massive cybersecurity breach hit Jones Day due to a third-party vendor vulnerability.
- Goodwin Procter experienced a similar breach.
- The Charles J. Hilton & Associates P.C. breach lost sensitive client information.
- DLA Piper was hit by a breach and a GDPR fine.
These are all massive, multi-billion-dollar firms. The number of small firms that are hit is harder to calculate. But you don’t want to land on that list. Work on prevention today to save years of hard work from being lost in a single day.
Vertex is Your Information Security Policy Partner
Small and mid-market firms should invest in full-scale IT to guard against disaster. Thousands of small firms watch as other law firms make headlines. We can put measures in place to prevent that from happening to you. At Vertex, we provide end-to-end cybersecurity and IT services tailored to smaller law firms. Our boutique business model keeps us agile, focused, and client-driven. We stay ahead of modern law’s unique challenges.
Since 2008, Vertex has been the trusted IT partner for Toronto law firms, providing industry-best specialized information technology support for lawyers. Vertex protects law firms with secure, reliable cloud solutions at one fixed price so you can focus on growing your law practice while our team of dedicated IT professionals right here in Toronto protects the items outlined in your information security policy.
Ask us about Vertex Cloud Desktop for Law Firms (legal software in the cloud), Managed IT solutions for law firms (a suite of services, from strategic planning to unlimited support directly from our Toronto office), and our custom solutions that support your firm’s practice management software, workflow, and culture.
Are you ready to stop worrying about data breaches? Let us handle your security needs so you can focus on what matters—growing your firm. Contact us to learn more.