What Your Law Firm Should be Doing About Data Security

By Luke Smits - Founder & Operations Manager

If you run a law firm, you need to take cybersecurity very seriously.

Your clients expect confidentiality in everything you do, and the consequences of a cybersecurity breach, for them and for you, would be extremely serious.

If you work with a good managed IT service provider, then you’re already in a good place: you have a team that can advise you regularly on how to maintain security and keep the risk of a cyberattack to a minimum.

But what can you do to help protect your client data?

Here are my top 5 things your law firm can do to protect client data.

#1 – Train your staff! 

Even the most intelligent of people can still be tricked by a fraudulent email if they don’t know exactly what to look for.

Training your staff greatly reduces the risk of human error playing a part in a data breach.

Common scams include fake Microsoft alerts telling the user that their password has expired and to “click here to reset”, or something similar. If you see one of these, check where it has really come from. The display name may say Microsoft, but when you look at the actual sender address behind it you often find an address that is clearly NOT linked to Microsoft. Instead, it’s from info@jimsfreerangechickens.com or 234efc7@gmail.com, indicating pretty clearly that it’s a scam. Be aware that a plausible-looking address can also be forged, and that lookalike domains (microsoft.com followed by something else, or a hyphenated variation) are common, so the safest habit is to never use the link in the email at all: open a new browser window and log in to the service directly.
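The sender check described above, written out as an added example (this is not code from the original article or from any mail product). It pulls the real address out of a From: header, ignores the display name, and flags anything that claims to be Microsoft but does not come from an allowlisted domain. The allowlist and the four sample headers are constructed for the example; the domain test deliberately requires an exact match or a true subdomain, so lookalikes such as microsoft.com.secure-login.net are caught.

```python
from email.utils import parseaddr

# Domains genuine Microsoft account mail is expected to come from.
# Assumption for this example: a short allowlist your IT partner maintains.
TRUSTED_DOMAINS = {"microsoft.com"}

# Constructed sample From: headers (not real mail): one genuine-looking,
# three in the style of the scams described above.
SAMPLE_HEADERS = [
    '"Microsoft Account Team" <no-reply@accountprotection.microsoft.com>',
    '"Microsoft Security" <info@jimsfreerangechickens.com>',
    'Microsoft <234efc7@gmail.com>',
    '"Microsoft 365" <alerts@microsoft.com.secure-login.net>',
]


def sender_domain(from_header: str) -> str:
    """Domain of the real sender address, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def is_trusted_domain(domain: str) -> bool:
    """Exact match or a true subdomain of an allowlisted domain.

    The suffix test includes the leading dot, so 'microsoft.com.secure-login.net'
    and 'microsoft-support.com' both fail.
    """
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_suspicious(from_header: str) -> bool:
    """True when the display name claims Microsoft but the address does not back it up."""
    display_name, _address = parseaddr(from_header)
    claims_microsoft = "microsoft" in display_name.lower()
    return claims_microsoft and not is_trusted_domain(sender_domain(from_header))


def flag_samples() -> list:
    """Real sender addresses of the constructed samples that look like scams."""
    return [parseaddr(h)[1] for h in SAMPLE_HEADERS if is_suspicious(h)]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print("SUSPICIOUS" if is_suspicious(header) else "ok        ", header)
```

This is the check a person does by eye; it does not replace server-side SPF, DKIM and DMARC checks, because the From: header itself can be forged to show a genuine microsoft.com address.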

But it’s not just emails. There’s also the old (and still effective!) trick of “Telstra” calling your reception staff to say they have detected a virus coming from your internet connection and need remote access to the computer to fix it. Or a message claiming that a supplier you pay bills to has changed their account number or BSB, so that your next payment goes to the criminal instead.

Cybercriminals have an endless supply of scams that use people as part of the process. All it takes is one person having a bad day and missing the signs, and your business is in trouble.

If you’re looking for quality training to help keep your staff up to date on their responsibility around data security, we recommend the Cyber Security Awareness Training delivered by Cyber Helper. You can find out more about their training options here*.

#2 – Implement Multifactor Authentication.

Making sure your key systems are secured with multifactor authentication (MFA, also called two-factor authentication or 2FA) is a simple way to add a second layer of protection on top of the password.

In practice this means that when you log in to your legal practice software, such as LEAP or Smoke Ball, it sends a verification code to your mobile phone, and you need to enter that code to gain access.

Without multifactor authentication, a stolen or guessed password is all an attacker needs, and you are in big trouble.

The same goes for email, which is probably the number one avenue of attack across all industries. Someone gets the password to your email account (through a phishing email, a password you reused on another site that was breached, or by guessing until they get it right), and bingo!

How many confidential matters and other “sensitive” material do they instantly have access to?

Not to mention that they can pretend to be you and ask clients or colleagues to send money, or dig through years of email for passwords, bank details and credit card numbers that have been sent back and forth.

#3 – Use Up-to-date Security Tools and Spam Filtering. 

The old combination of good quality anti-virus software, patch management and good spam filtering should never be forgotten.

Spam filtering stops many malicious emails from reaching staff in the first place, and anti-virus and up-to-date software give your systems an extra layer of protection if someone does click on a malicious link.

But keeping it up-to-date is critical. New threats appear all the time, and patch management ensures that your software stays current so that newly discovered vulnerabilities can’t be exploited against you.

#4 – Backup. And Check Your Backup is Working.

It’s stating the obvious, but having a secure backup of your data in place means that if your data is encrypted by ransomware, deleted or otherwise compromised, you’ll be able to get back up and running quickly. A backup can’t undo the theft of data that has already been copied out, but it does take away the criminal’s leverage of leaving you unable to work. Keep at least one copy offline or otherwise unreachable from your network, so that ransomware cannot encrypt the backup along with everything else.

You should also never assume that because you have a backup in place it’s working, or that it covers all your data.

Review your backup with your IT partner, request regular reports, and make sure all your data is covered. The only real proof that a backup works is a test restore, so have one done periodically and check the restored files against the originals.

It also doesn’t hurt to run risk scenarios. Pose the question: what happens if we get hacked? Talk it through, and have a written risk management plan in place so you can take quick action to contain and resolve a data breach if it ever does happen.
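As an added example of “check your backup is working” (not the article’s code and not any backup product’s), the following Python script shows the two checks a backup report should be able to demonstrate: that the archive is intact (its checksum still matches the one recorded when it was written) and that it actually restores to what is live (a test restore into a temporary directory, compared file by file). The matter folder, file names and contents are constructed for the demo; the `demo()` function walks through a fresh backup, a file added after the backup ran, and a corrupted archive.

```python
import filecmp
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a large archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir: str, archive_path: str) -> str:
    """Write a gzip'd tar of source_dir and return the checksum to record alongside it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    return sha256_file(archive_path)


def _dirs_match(dcmp: filecmp.dircmp) -> bool:
    """Recursively require the same files with the same contents on both sides."""
    if dcmp.left_only or dcmp.right_only or dcmp.diff_files or dcmp.funny_files:
        return False
    return all(_dirs_match(sub) for sub in dcmp.subdirs.values())


def verify_backup(source_dir: str, archive_path: str, expected_sha256: str) -> bool:
    """A backup is only 'working' if the archive is intact AND it restores to what is live."""
    if sha256_file(archive_path) != expected_sha256:
        return False                    # corrupted or tampered with since it was written
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")   # safe extraction, newer Pythons
            except TypeError:
                tar.extractall(restore_dir)                  # older Pythons lack filter=
        restored = os.path.join(restore_dir, "data")
        return _dirs_match(filecmp.dircmp(source_dir, restored))


def demo() -> tuple:
    """Constructed scenario. Returns (fresh backup verifies, still covers everything
    after a new file is added, still intact after the archive is corrupted)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "matters")
        os.makedirs(os.path.join(source, "smith-v-jones"))
        with open(os.path.join(source, "smith-v-jones", "brief.txt"), "w") as fh:
            fh.write("constructed sample client file\n")
        archive = os.path.join(work, "matters.tar.gz")
        digest = make_backup(source, archive)

        fresh_ok = verify_backup(source, archive, digest)

        # A matter opened after the backup ran: the backup no longer covers all the data.
        with open(os.path.join(source, "new-matter.txt"), "w") as fh:
            fh.write("not in the backup\n")
        covers_everything = verify_backup(source, archive, digest)

        # Silent corruption of the archive (failing disk, partial copy): the checksum catches it.
        with open(archive, "ab") as fh:
            fh.write(b"\x00")
        intact = verify_backup(source, archive, digest)

    return fresh_ok, covers_everything, intact


if __name__ == "__main__":
    print(demo())
```

The second scenario is the one firms most often miss: the backup job reports success every night, but a new share, mailbox or practice-management database added since the job was configured is simply not in it. Comparing a restore against the live data is what exposes that gap.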

#5 – Know Your Data Breach Responsibilities.

It’s much better to know what you need to do in the event a breach should occur, than to be left scrambling to find out after the fact.

Under the Notifiable Data Breaches (NDB) scheme introduced by the Australian government, organisations covered by the scheme that suffer an eligible data breach must notify the individuals affected and the regulator.

If you’re an organisation or agency covered under the Privacy Act 1988, then you “must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved”. 

A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:

  • a device with a customer’s personal information is lost or stolen
  • a database with personal information is hacked
  • personal information is mistakenly given to the wrong person

By having the first four elements of this article in place, you can at least say you were taking reasonable precautions and not burying your head in the sand when it comes to data security.

The reputational damage may not be pretty, but with the right systems in place the damage will likely be limited and the recovery far less painful.

You protect your clients’ interests under law.
Make sure you’re also protecting their data.

Training your staff, implementing multifactor authentication, using up-to-date security tools, backing up and knowing your data breach responsibilities are just the starting point for protecting your clients’ data within your law firm.

Speak to your trusted IT partner. They will know your business and your people and be the best resource in giving you specialised advice and answering any questions or concerns you have about data security.

And if you’re looking for an IT Partner who specialises in law firms, then get in touch with us. We’d love to help you put people at the centre of your IT solution so you can become a more efficient and secure business.


* Full disclosure: We’re an affiliate partner of Cyber Helper and when you use the link above to register for their training, they will pay us a commission for the referral. You can rest assured though, that we only EVER recommend partners we have 100% confidence in.


