A 5 Item List to Check Twice- Getting Your Firm’s Security Plan Off the Naughty List

It’s beginning to feel a lot like Christmas- but your law firm’s security plan may be on the naughty list. If you’re like most lawyers, you probably have some security in place, but you’re not entirely sure what it does, how it works, or why you really need it. Despite the fact that security systems are frequently ignored in law firms, the reliability, or un-reliability, of your information security system can cause you to loose time, data and money.

According to the 2014 Legal Technology Survey Report from the ABA, nearly half of the firms surveyed were infected with malware, viruses, or spyware. Yet less than 20% of those firms employed encryption software. This isn’t a new trend among lawyers. According to the ABA Tech Report 2013, most lawyers surveyed didn’t know if their firm had experienced any type of data breach. Taken as a whole, we see that lawyers in firms, large and small, take for granted that their information is secure, and they are not, as a group, proactive about security. In this context, it’s easy to see why law firms are considered the soft underbelly of data security.

As you move into 2015, I urge you to consider where your risks lay, and what you can do to prevent a breach.  Many of you know that you need to update your security policies as a matter of good business practice, but also as a matter of necessity. If you handle real property matters, you should review the ALTA Best Practices Document. http://www.alta.org/bestpractices/ The ALTA page should be at the top of your list for resources for improving your security policies. While many of the best practices listed require major changes to your office’s procedures, here are 5 steps you can implement this week to improve your security.

1. Antivirus Protection. You likely have antivirus protection, but it’s important to reiterate how important this first line of defense is to your firm. Take just a few moments to review what your antivirus does, and what, if any, important features it is missing. Your antivirus program should include protection from viruses (also worms, trojan horses, rootkits, phishing attacks and any other malware by creative names the techies invent in 2015), and spyware. Your protection should run routine and on-demand scans, and it should identify suspicions behavior.  If you don’t have scans set to run at regular intervals, take a moment to run an on-demand scan now and set up your protection to scan your computer regularly. In addition to scanning for virus and spyware, you should also receive real-time protection from any malicious code hidden in email attachments, or lurking on websites. To reiterate- you should have protection from viruses and spyware, and have real-time protection.
2. System Updates. The programs that run on your computer will sometimes require updating. You’ll see pop ups that prompt you to either download an update, or require you to restart to finish installing a backup. It’s entirely probable that you will be in the middle of something very important when you get that message. I encourage you to keep all of your programs up-to-date. If you can’t run the update immediately, put a note on your calendar to run it either at the end of the day, or first thing in the morning. Updates improve a variety of metrics including performance, responsiveness, compatibility, and of course security.
3. Password Protection. You know that passwords matter. They make getting into your computer, phone or network more difficult, and provide a lot of security with very little work on your part. You should have a password for every computer you use in your professional life.  This includes your tablet, phone, and laptop. On your mobile devices you should have a 4-digit passcode, at least. It’s strongly recommended that you have an actual password. Passwords matter for your applications, too.  Because so much of what you do is stored on a third party server, (email, banking, document storage) strong passwords are an essential part of your security plan. Try not to replicate passwords. Use words or phrases in conjunction with symbols. If, however, you’re like most people and don’t have the capacity to remember 30 different complex passwords, consider a service like LastPass. LastPass and other password services will generate strong passwords for you, auto-populate password fields, and they will do those things while requiring you to remember only one master password.
4. Backups. There are myriad ways to back up your data. If you’re storing documents on a third party server, there’s a good chance that your vendor has server redundancy- meaning there are multiple backups across the country. The data you store locally, however, is likely less secure. It’s important to back up your data for that worst-case scenario of a natural disaster or hacking. You can make a copy of your machine onto a terabyte hard disk that sits on your desk, or you can store that same information offsite with companies like Carbonite or SpiderOak. Both of these companies will help you recover your lost data quickly and easily.  The advantages to storing locally on your back up hard drive are that it is cheaper, and you retain full control of the data. The advantages to backing up remotely are that your data is stored in a very secure way, and that if a natural disaster hits, your information will be out of harm’s way.
5. Limited Access. Limiting network access does not have to be complicated. We already know how many security pitfalls there are, and we would hate for one of your employees to inadvertently trip over one. You can change user permissions to help mitigate the risk that someone downloads malicious code onto your network, or you can require administrative passwords for downloads. Additionally, making a formal change to policy can be very helpful. Announce that no employee should download anything without first getting permission from an identified, knowledgeable decision maker. Doing so will be cause for disciplinary action. Implementing that 2 line policy can go tremendously far in identifying threats to your firm’s security before they can inflict damage. 

Improving your security doesn’t have to be a complicated, opaque process. You can control who has permission to access your firm’s computers, and you have the power to stop most cyber attacks. Take the 5 steps above to get 2015 off to the right start, and if you have any questions about how to protect yourself, contact Lawyers Mutual or the NCBA.

If you’d like to join a mentoring program, please contact Joyce at 919-657-1566 or jbrafford@ncbar.org. Or you can begin the application process at ncbar.org/mentoring.