September 1, 2021

Late Summer Cybersecurity Checkup: 6 Things Every Law Firm Should be Doing This Year

The flurry of ransomware attacks this year should be a reminder that none of us are safe and we should be doing more. While this list could be endless, here are six items to discuss at your next leadership meeting that will lead to better data security within your organization.

1. Write/Update your Written Information Security Program (WISP). 

In many states, such as Ohio (which was the first state to adopt such a law)[1], having a WISP that “reasonably conforms” to one of the national data security frameworks like NIST, ISO, IEC or FedRAMP provides organizations some protections from negligence actions in the event there is a data breach.

Just as important as providing businesses protection, having such a program and protocols in place will make everyone’s data much safer. Your WISP should address the following security areas: 

  • Designating employees responsible for the security program (a task force or committee). 
  • Identifying and assessing security risks. 
  • Developing policies for the storage, access, and transportation of personal information. 
  • Imposing disciplinary measures for violations of the WISP.
  • Limiting access by or to terminated employees. 
  • Overseeing the security practices of third-party vendors as well as contractors. 
  • Restricting physical and digital access to records. 
  • Monitoring and then reviewing the scope and effectiveness of the WISP. 
  • Documenting data security incidents and responses. 

2. Centralize Documents in a Secure Document Management System.

Most organizations struggled with document management before the pandemic, but when the pandemic hit, documents and data became even more scattered as individuals made copies of project or case files to work from home. This situation can be avoided, or remedied, by implementing a secure cloud-based legal document management solution. For law firms and legal departments, solutions like NetDocuments, Worldox Cloud, iManage Cloud, or EPONA are industry standards. Remember, it is impossible to secure and govern documents and data if multiple copies are scattered across different places and different solutions.

3. Mandatory Quarterly Training for Everyone.

Schedule mandatory education at least every quarter for everyone in your organization. Cybersecurity practice and education are not a one-time event. Your organization should be regularly revising your WISP and educating your people. Most successful cybercrimes occur because of human error. Talk to your I.T. folks about implementing a ransomware education and testing solution.

4. Multi-Factor Authentication Solution.

Implementing two-factor or multi-factor authentication (also known as 2FA or MFA) is just as important today as changing passwords or using unique passwords, and arguably more so. 2FA is important because even if a cybercriminal has your username and password, without the second factor (usually an app such as Google Authenticator, Microsoft Authenticator, or Duo, a text message notification requiring your intervention, or your fingerprint on your smartphone) the cybercriminal will not be able to log in to an important service or account.
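To make concrete what the "second factor" from an authenticator app actually is, here is an added example (not code from the original article) of the time-based one-time password algorithm those apps implement (RFC 6238, built on RFC 4226 HOTP), together with a login check that refuses a correct password presented on its own. The account store, the user `alice`, her password, and the shared secret (the RFC 6238 test-vector key) are constructed for this demonstration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

TIME_STEP = 30   # seconds per TOTP window, the value authenticator apps use
DIGITS = 6       # code length shown on the phone


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // TIME_STEP)


def verify_totp(secret, code, at_time=None, window=1):
    """Accept the current code and `window` steps either side to tolerate clock drift.
    The loop always runs to completion and uses a constant-time comparison."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // TIME_STEP
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), str(code)):
            ok = True
    return ok


def enrollment_key(secret):
    """Base32 form of the secret: what the authenticator app receives at enrollment (usually via QR code)."""
    return base64.b32encode(secret).decode()


def hash_password(password, salt):
    """Salted PBKDF2 hash; the server stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store for the demo. The TOTP secret is the RFC 6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"
_SALT = os.urandom(16)
ACCOUNTS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": DEMO_SECRET,
    }
}


def login(username, password, code=None, at_time=None):
    """'granted' only when both the password and a valid TOTP code are presented.
    Both factors are evaluated before answering so the reply does not reveal which one failed."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "denied"
    pw_ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"])
    code_ok = code is not None and verify_totp(acct["totp_secret"], code, at_time)
    return "granted" if (pw_ok and code_ok) else "denied"


if __name__ == "__main__":
    now = time.time()
    current = totp(DEMO_SECRET, now)
    print("authenticator app shows    :", current)
    print("stolen password, no code   :", login("alice", "correct horse battery staple", None, now))
    print("stolen password, wrong code:", login("alice", "correct horse battery staple", "000000", now))
    print("password + current code    :", login("alice", "correct horse battery staple", current, now))
```

The point the article makes is visible in the last three lines: the attacker who holds the password still fails, because the six-digit code depends on a secret that never leaves the phone and the server, and it changes every 30 seconds.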

5. Full-Disk Encryption on ALL Computers and Devices

I recommend full-disk encryption on stationary desktop computers, in addition to laptops and mobile devices. Mobile devices like laptops and smartphones are more vulnerable than desktop computers, but desktop computers can be stolen as well. There are many choices for this type of solution, and it will likely cost you nothing or very little. For example, BitLocker is an encryption program included for free with certain versions of Windows 7, 8, 8.1, and 10. For Mac users, FileVault is included for free with OS X.

6. Use an Encrypted Password Manager

Everyone should be using an encrypted password manager. Password managers do the following:

  • Secure all your passwords, credit card details, and personal notes in an encrypted cloud-based vault that you can access from all your devices.
  • Generate unique and very strong passwords.
  • If desired and appropriate, allow sharing of certain passwords with colleagues or your spouse.

Look at programs like Dashlane, LastPass, 1Password, and RoboForm.
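What "unique and very strong" means in practice is shown by this added example (not code from the original article or from any of the products named above): it generates passwords from the operating system's cryptographic random source the way a password manager does, states their strength in bits, and audits a vault for passwords reused across sites. The character policy, the word list and the example vault are constructed for the demonstration.

```python
import math
import secrets
import string

# Character classes the generator draws from (constructed policy for this example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
NUMBERS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + NUMBERS + SYMBOLS   # 87 characters


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Strength of a uniformly random password: length * log2(alphabet size).
    Twenty characters from this alphabet is about 129 bits; a human-chosen
    'Summer2021!' is far weaker because it is not uniformly random at all."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET, require_all_classes=True):
    """Uniformly random password using `secrets` (the OS CSPRNG), never `random`.
    Optionally rejects candidates that lack a character class, to satisfy site policies."""
    if require_all_classes and length < 4:
        raise ValueError("need at least 4 characters to include every class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes:
            return pw
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in NUMBERS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def generate_passphrase(words, count=5, sep="-"):
    """Diceware-style passphrase: `count` words chosen uniformly from `words`.
    Easier to type for the one password you must remember (the vault's master password)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def reused_passwords(vault):
    """Audit a {site: password} mapping and report any password shared by more than one site.
    Reuse is what lets a breach of one site unlock accounts elsewhere."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed vault: a staffer reused one memorable password on two sites.
EXAMPLE_VAULT = {
    "webmail.example.com": "Summer2021!",
    "docs.example.com": "Summer2021!",
    "bank.example.com": "x7$Qm2!pLw9#Rz4&Vb1^",
}


def fix_vault(vault):
    """Replace every entry with a fresh, independent random password (what 'change all reused
    passwords' looks like after the audit)."""
    return {site: generate_password() for site in vault}


if __name__ == "__main__":
    print("reused:", reused_passwords(EXAMPLE_VAULT))
    fixed = fix_vault(EXAMPLE_VAULT)
    print("after fix, reused:", reused_passwords(fixed))
    print("one generated password:", fixed["docs.example.com"],
          f"(~{entropy_bits(20):.0f} bits)")
    print("master passphrase:", generate_passphrase(
        ["maple", "orbit", "quartz", "harbor", "velvet", "ledger", "cobalt", "meadow"]))
```

The audit function is the part worth keeping: most password managers offer the same report under a name like "security check" or "watchtower", and it is the quickest way to find the one shared password that an attacker who breaches a minor site would try against the firm's email.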

[1] See Ohio’s Data Security Protection Act, Ohio Revised Code §1354. 

If you’d like to learn more about improving your firm’s cybersecurity through cloud-based legal document management, feel free to request a consultation or call us at 877-676-5492.