Your firm is a target for hackers.
That’s right. They want valuable data. You’ve got it. A lot of it. And it’s nicely organized and, usually, poorly protected.
And just in case you weren’t paying attention, if they do get it, you’re probably going to have to answer to more than just your client (as if that wasn’t bad enough). Civil damages and ethics charges are two of the fabulous prizes you could earn thanks to your poor security.
Yet, there are rays of hope! No system is perfect, no security is absolute. But here are 8 Simple Cyber Security Rules You Need to Know:
1) Cyber security is complicated, so first, educate yourself
There are a lot of places you can go to get the basic information to keep yourself updated on security. Regardless which one (or more) you choose, you have to choose one. Securing your information in a tech-savvy world isn’t taught in law school, and the only thing you gain by being unaware is an increased likelihood of committing legal malpractice (and, of course, getting hacked).
You can’t be in a position to lead if you haven’t educated yourself. It won’t be the blind leading the blind. If you claim to lead without knowing what you’re talking about, everyone will be able to see it clearly.
2) Create an inclusive culture of cyber security
Contrary to popular belief, the greatest threat to your firm’s data security is your employees. Sure, if your client base manages to get the attention of China’s weapons developers, or you represent Sony pictures, you might have to focus on foreign hackers. But the most likely culprit is an employee, intentional or not.
One of the most frequently utilized tools in a hacker’s repertoire is “social engineering.” Essentially, hackers take advantage of people without ever having to “hack” into a system like you’d imagine.
Why spend hours trying to crack passwords when they can call someone in your firm and convince them that your kid really needs your password to get onto the home WiFi. It works. Way too well.
3) Every rule you bend is another weak spot in your cyber security
I’ve seen this particular issue most frequently in situations involving BYOD issues. A senior attorney doesn’t want to update to a newer phone or never updates the software because they read somewhere that it makes their games work poorly. So, in violation of the established BYOD rules, they keep their less secure device, or use an outdated software.
Senior members of your firm are already going to be targets due to their level of access and the fact that they probably represent the higher-profile clients. For that reason, IT frequently bends the rules for them. Don’t. It’s a recipe for disaster.
4) Encourage open communication and encourage reporting of suspicious behavior
If you properly train your employees about the significance of cyber security, they’ll be able to spot suspicious activity. But, just like you have to convince a jury that you’re right, then convince them to act accordingly, your employees need to be empowered to report what they see.
Guess what? There will be false alarms, mistakes, and some potentially embarrassingly bad calls by your employees. If there isn’t, then they either don’t care about the risk, or they’re afraid of being called out. Nobody should be afraid of accidentally crying wolf. Moreover, if it keeps happening, you may have deeper problems – with your training or with your employee.
5) Where practical, encourage the use of multi-factor authentication
Most companies still only require multi-factor authentication for certain functions. The IT department, or the guy who handles the diamonds. However, that’s changing, and you should be ahead of the curve.
More traditional forms of security are, overall, offering less and less protection. So you need something more secure than you did 10 years ago. Fortunately, most of the tools and software we use today allow implementation for little or no cost.
6) Require strong passwords, because they really are better
So much security and protection in this world seems illusory. So many things are designed to make you feel safer without actually providing real security. Just think about how effective airline security has been when tested. In case you don’t remember: not effective.
You’ve probably assumed that stronger passwords are one of them. You’re wrong. And I will NEVER stop harping on people to use stronger passwords.
Now, also remember that you need to have cyber security systems that get used. Don’t require a 15-digit password to be changed every week, or people will find shortcuts. There are plenty of password managers that can help, take advantage! (But make sure they’re properly secured as well – hackers may be starting to target poorly protected password managers!)
7) Encryption is mandatory. Period.
Do you encrypt your data? If the answer is no, then I’m really curious how you even found your way to this blog. If you’re reading this, you probably have some encryption in place. Increase it.
You might have encryption in your storage, but is it encrypted when you send it to the cloud? Why would you encrypt it on your computer but not in the cloud? How about in transit? If you’re not encrypting your data in transit, using your laptop at a Starbucks could be the key moment for that ethics charge for losing confidential information.
Interestingly, while Google has been talking about the importance of encryption, they have quietly backed off their promise to implement full encryption on new Android devices. Make sure yours is active! Cyber security is incomplete at best, completely damned ineffective at worst, without encryption.
8) Backup your data, in more than one place!
All the work on protecting your firm from cyber threats can only limit your vulnerability. There’s always a risk. So make sure that if the rug gets pulled out from underneath you, you’ve got a system set up to get you back on your feet quickly.
There are numerous ways to save your data, from local servers to cloud backup. Just remember, your data has to be safe from hackers, but also from more boring things. If your only backup is plugged into the same outlet as your server, will a power surge or a lighting strike kill them both? If your primary storage and your backup storage would be impacted if any one building burned down or flooded, you don’t have sufficient backups.
In the end…
As I said at the beginning, there is no perfect system. Interestingly, it’s sometimes the chase for that perfect system that creates the most serious vulnerabilities. Password requirements too strict? Employees will feel overly burdened and work around it. Information kept only to a select, elite group? Your people won’t feel included, won’t feel important, and won’t understand how important they really are.
Follow these tips, and you’ll at least be prepared for whatever comes.
Cover Photo courtesy of pat138241 at FreeDigitalPhotos.net