MyCase, makers of legal practice management software, asked me if I would guest speak on a webinar about themes and information that affect law firm security. Of course, I was too happy to participate.
Aly Schilperoort, Marketing Specialist at MyCase, was the host and she presented really important questions. I have boiled them down and listed them here for you with my response, edited for readability.
What are the most prominent cyber security threats facing law firms at the moment?
Aly didn’t waste any time getting right to the good stuff. I tried explaining to her here that, in my view, the biggest threat facing law firms today is people. Computers can be protected by antivirus, firewalls, and other software protections, and if left untouched, they are more or less inert, but when you put a human in front of a computer, the security of the system is only as good as the operator.
Antivirus and firewalls are only so effective at keeping a system and data secure. If the operator acts counter to security for long enough, the software cannot prevent avoidable security breaches. So I explain to Aly that the people operating business/firm computers are the most prominent security threat facing law firms.
I go on to say that email is the second biggest threat. Email still today is the de facto business tool because of its ubiquity and relatively low cost. For these reasons, email is the main vector for hackers to target businesses and their data.

What are the most common mistakes that you see law firms making regarding data security?
This question could not be answered without being self-serving, but that doesn’t make it any less true. I explained to Aly here that the most common mistake I see law firms making is underinvesting in their IT. I gave Aly a story of a recent interaction I had with a partner of a firm with a dozen computers and a server. This attorney explained they recently were victims of a ransomware attack. The unfortunate thing about this story is this individual did not invest in the security solutions he needed, like security awareness training, multi-factor authentication, or an active engagement with an IT vendor. What’s more unfortunate was that he still did not seem moved to hire a trusted IT resource and have the security concerns resolved.
How can law firms recognize and prevent phishing attacks?
Aly asked me how law firms can recognize and prevent phishing attacks and I offered this: The best way law firms can identify phishing attacks is through security awareness training and software tools designed to scan and flag suspicious content. Security awareness training is the most important tool since phishing attacks are designed to target people. So to harden the security, you must train the people. More important, ALL the people must be trained, and the training must be recurring and measured. The training participation and performance must then be monitored and managed, ensuring that all persons are being trained and meeting knowledge standards. The software tools to use amount to email and web filtering software, not unlike antivirus software, that scans links and content for suspicious activity and content.
What are the most common mistakes that you see law firms making regarding data security?
Unfortunately, my response to this question was not as polished as I would have liked. Let me take this time to say that the most common mistakes I see law firms making regarding data security are not using encryption to secure data in motion, and not using disk drive encryption to secure data at rest. The most common type of data in motion is email. Firms still regularly send sensitive information about their firm and their clients via unencrypted email. Besides email encryption being increasingly easy to use, there are other ways to transmit data securely, like a client portal or cloud storage service like OneDrive, SharePoint, and Dropbox. Sending data unencrypted today is just unacceptable. Other mistakes law firms make regarding their data security are not managing access to the data appropriately, like leaving old user accounts active, or not turning on multi-factor authentication. Still other mistakes include not using hard drive encryption where data is stored.
My thoughts on the MyCase webinar
So that’s basically the gist of the webinar. Aly went on to take questions from the audience, and it was really engaging. I was thrilled to see almost 200 guests on the registration. If you want to see the questions and answers section or just to catch the recording, please follow the link in this article.
If you have any questions about MyCase or any practice management software or your IT concerns like cybersecurity, please go to www.evernetco.com and schedule a Discovery Call with me.
Eric is a Business IT cybersecurity advisor, consultant, manager, integrator, and protector who founded EVERNET in 2007. Eric co-hosts a podcast called “Finance and Technology Insights by Brian & Eric” on YouTube. Eric is a regular contributor to the EVERNET blog, writing about the latest technology news and providing his expertise in cyber security prevention and management.