Case Study: Working from Home Puts Your Law Firm’s Information at Risk
This ACT post was originally published in Virginia Lawyer magazine, a publication of the Virginia State Bar, and is reprinted with permission of the Virginia State Bar. You can view the original article here.
By Alex Nette and Stephen Thompson
The recent novel coronavirus (COVID-19) pandemic has led to a global health emergency with unprecedented action being taken to combat it. This included many law firms moving to remote work for the first time. While getting accustomed to working at home may have been your biggest challenge, the security of your firm’s sensitive information may have been overlooked.
Cybersecurity is one of the most pressing and prevalent business risks in the digital age; however, it often gets overlooked. The consequences of disregarding cybersecurity can include inability to conduct business, monetary loss, and reputational damage. Many firms that are moving to remote work are relying on technological solutions that work rather than solutions that work securely. Here are three major cybersecurity risks that law firms may face.
Risk One: Leaving Electronic Devices Unprotected
When we talk about electronic devices, we generally include computers (laptops and desktops), tablets, and smartphones. These devices may be owned by you or your firm and, as a result, may require different actions on your part to protect them. Regardless of ownership, you should always lock your devices when you walk away. And while you are not likely to be using public Wi-Fi during the COVID-19 pandemic, validate that your Wi-Fi at home is secured using WPA2 and a strong password.
If you are using a personal device for work, make sure no one else in your household has access to your firm’s information or digital resources, like firm files, email, cloud storage, or video conferencing tools. Not only is this critical from a cybersecurity perspective, but it also helps avoid confidentiality concerns with clients. Furthermore, confirm the device has the latest updates applied to it, and for computers, install and continuously update a malware/virus scanner. Finally, only access your firm’s information in a way that does not require it to be downloaded onto your personal device (e.g., access it in the cloud or through a remote desktop). If you must download files, upload them to a firm file storage option when you are done and then delete them from your device (including emptying your trash can).
Risk Two: Allowing Information Leaks
Your firm likely accesses its information through a number of digital resources, including email, remote connection options, and applications that support the firm. All of these need to be configured correctly to keep the information they process secure.
Email is not encrypted end-to-end by default. This means that anything you send via email, including attachments, can be intercepted and read by someone else along the way. If you are sending sensitive information, send it as an attachment and encrypt it with a password – sharing the password with the recipient through another method, like a text. Also, turn on two-factor authentication for your email. You have likely encountered this when you log on to your bank website and are prompted to enter a temporary numerical code provided via text message. While this may feel redundant, it is a critical step in stopping hackers from getting into your firm’s email.
There are myriad remote connection options that your firm may employ: a virtual private network (VPN) allows you to access all of your firm’s digital resources; a remote desktop application allows you to access your desk computer; or cloud-based applications, like Office 365, allow you to perform specific tasks. Each option should be provided by a trustworthy company and not just the cheapest option. The solution should also encrypt all information while it is moving to and from your devices using current encryption standards (e.g., AES-256).
Your firm also likely relies on numerous supporting applications that help your firm operate. These can be located on a server in your office, or in the cloud, and include core business functions, like accounting software, timekeeping software, or file storage systems. These resources must be configured correctly to prevent unauthorized access, which includes using encryption. Additionally, if the resources are not appropriately maintained with updates, or are outdated and have reached “end-of-life,” they may have vulnerabilities that make them susceptible to cyberattacks.
Risk Three: Being Susceptible to Social Engineering
With most of the world’s workforce now working remotely, there has been a large uptick in social engineering cyberattacks due to the distributed nature of employees. These attacks aim to trick individuals, with the most common form being email phishing. The email subjects have often focused on the current pandemic but may also impersonate an executive and ask the recipient to redirect money transfers, gather W-2 information, or purchase gift cards.
If you are ever in doubt about the legitimacy of an email, pick up the phone and call the sender directly. Do not call any phone numbers listed in the email or reply to the email. And if you are the recipient of a suspected phishing email, know where to report it within your firm so that the rest of your colleagues can be alerted.
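The red flags described above (an executive’s name on a message sent from an outside domain, a Reply-To that diverts replies elsewhere, and requests involving money transfers, W-2 forms, or gift cards) can be screened for automatically before a message ever reaches a busy inbox. The following is an added example written for this reprint, not code from the article’s authors or either firm; the firm domain, executive names, and sample messages are constructed for the demonstration.

```python
"""Added example: a small phishing-indicator screen for incoming email.

The firm domain, executive names and the two sample messages below are
assumptions constructed for this demonstration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

FIRM_DOMAIN = "example-firm.com"                     # assumed firm domain
EXECUTIVES = {"jane doe", "john roe"}                # assumed names an attacker might impersonate
REQUEST_KEYWORDS = ("wire transfer", "redirect payment", "w-2", "gift card")


def _plain_text(msg: Message) -> str:
    """Collect the text/plain body of a simple or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable reasons this message deserves a phone call."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    indicators = []

    # 1. Executive impersonation: a known name, but not the firm's own domain.
    if display_name.strip().lower() in EXECUTIVES and from_domain != FIRM_DOMAIN:
        indicators.append(
            f"display name '{display_name}' is an executive but sender domain is '{from_domain}'"
        )

    # 2. Reply redirection: replies would go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append(f"Reply-To '{reply_to}' differs from From '{from_addr}'")

    # 3. The classic asks: payments, payroll data, gift cards.
    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    hits = [keyword for keyword in REQUEST_KEYWORDS if keyword in text]
    if hits:
        indicators.append("requests involving: " + ", ".join(hits))

    return indicators


def should_verify_by_phone(raw_message: str) -> bool:
    """True when any indicator fires: call the sender at a known number, not one in the email."""
    return bool(phishing_indicators(raw_message))


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@mail-example.net>
Reply-To: jane.doe.personal@example.net
To: staff@example-firm.com
Subject: Urgent - COVID-19 vendor payment

I am in a meeting and cannot talk. Please process a wire transfer to the new
account below today and send me the W-2 forms for all staff.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example-firm.com>
To: staff@example-firm.com
Subject: Office closure update

The office remains closed this week. Please continue working remotely.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(f"{label}: verify by phone = {should_verify_by_phone(sample)}")
        for reason in phishing_indicators(sample):
            print("  -", reason)
```

The checks are deliberately simple string and header comparisons so that a firm’s IT contact can extend the executive list and keyword list without changing the logic; the output is a reason list a recipient can act on by calling the sender at a number already on file.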
How Can Your Firm Be More Secure?
If this is the first time your firm is working remotely, or remotely at this scale, validate that firm devices and digital resources are configured securely. This includes checking them regularly to confirm they continue to align with the expected configurations and verifying they can handle an increased remote workload.
Second, the firm should clearly define what devices and digital resources are allowed to be used to access firm information and how to do so appropriately. This list should be regularly updated and maintained.
Finally, your firm should provide employees with steps to follow at the first sign of a cyberattack, with the goal of limiting the impact. A cyberattack could include phishing, malware, or other issues. Your firm’s response plan should also be tested regularly with exercises to validate its comprehensiveness.
Cybersecurity cannot be relegated to the bookshelf – especially during the current pandemic. While you may be focused on making technology work for you during this time, do not neglect making technology work for you securely; the consequences can be severe.
Alex Nette is president and CEO of Hive Systems and is a strategic advisor to government and private sector clients in the establishment and continuous improvement of preeminent cybersecurity programs. He has provided executive level and subject matter expertise on cybersecurity for nearly a decade and applies his work from various cybersecurity disciplines in a holistic approach that prioritizes organizations’ operations.
Stephen Thompson is an associate attorney at the law firm of BotkinRose PLC in Harrisonburg. His practice covers a wide range of transactional topics including real estate, taxation, business formation, and estate planning.