By Karl Bickmore, CEO Snap Tech IT
Snap Tech IT has been selected by law firms as a managed service provider (MSP) since 2000. Since then, technology has gone through many changes. Sadly, we have noticed that many law firms are not readily embracing the risk profile needed for doing business in an internet-connected world. By not adopting new defenses that are available to prevent new types of attacks, they are putting their client data at risk. But how do you best implement law firm data protection?
If you own a law firm, I encourage you to carefully consider the importance of protecting your client data. As a lawyer, you probably grasp the liability a client data breach could incur. Additionally, fixing a breach can mean many hours of downtime. Most importantly, the damage to your firm’s reputation would likely be catastrophic.
As Stephen Covey once said, “Business is done at the speed of trust.” A breach, no matter how well handled, will be viewed as a breach of trust. Your firm’s reputation is the reason your clients are with you, and why new clients come to you. If this data is breached, your reputation and your business will suffer.
How can a law firm properly protect its data? Here are some of the best defenses available to you:
Select the Right Outsourced IT Provider
The first thing to look for in law firm data protection is an IT provider that invests in its own security. Did you know that many MSPs do not perform independent, internal security audits? These firms cannot provide data security unless their business itself is secure.
The Department of Homeland Security and the US-Cert Organization began issuing warnings this year about how cybercriminals have realized that they just need to compromise a company’s IT service provider or MSP to access client data and backups.
While IT service providers or MSPs may carry credentials such as CompTia Security Trustmark, these are often weak or outdated. Rarely will you find an MSP that is PCI, ISO, or SOC-accredited. All these credentials require an in-person audit of internal security controls. While few can actually claim to have secure practices, all MSPs run software that controls your law firm’s servers, workstations, and access to data, as well as manage your backups.
Protecting your client data begins with performing due diligence on your outsourced IT provider to make sure it is independently audited. This means, requesting reports to see if any weaknesses were found in an independent audit of its security.
Begin Your Own Internal Audit Process
Many consultants can help your law firm through an internal audit, and some IT service providers offer it as a standard practice. The internal audit process should include regular vulnerability scans (both internal and external), as well as a review of active usernames, password expiration, file system permissions, active email accounts, computer patch levels, etc. These activities should be offered proactively and often by your IT service provider. If not, then request them. Develop a regular schedule for these reports and ensure that your provider is being upfront and honest about them. If they are all always perfect, then that is a red flag warning.
End-User Security Awareness Training
Offering end-user training is almost unheard of at law firms because for years, attorneys didn’t see the value. With all the cybersecurity risks out there, this is no longer a responsible attitude. All end users need to understand how to differentiate between real email and a phishing attack, how to avoid giving access to hackers, and how to protect your client data.
The good news is that there are now simple and effective training solutions available that are automated and help raise awareness. Participation only takes 15 minutes a month and requires periodically reading a few emails. If you haven’t got an automated end-user awareness training program going for your firm, it’s time to engage.
Install a Business-Class Firewall and License the Security Features
It’s important to understand that not all firewalls are the same. There is a big difference between the protection offered on residential-class firewall and a true business-class firewall. The firewall is your number-one perimeter defense.
Of all the risk assessments we have performed on law firms that have firewalls installed, we find that 90% of them do not have the significant security features turned on or configured correctly. Sometimes the content filtering is set up, sometimes it’s not. Rarely is the intrusion detection service enabled, and even more rarely are access restrictions and geo-IP restrictions configured.
Ask your IT provider to explain about these configurations in non-technical terms. When you’re looking for an IT provider, ask them to show you how they configure your firewall. It should be easy to explain so a lay person can understand. This is why contracting an experienced IT provider makes a big difference.
Use A Reliable Brand of Endpoint Protection That is Centrally Managed
Many internal IT staff or outsourced IT providers adopt solutions that are cheap or easy to manage. This will not do in law firm data protection. Those outsource providers that are purely profit-motivated choose cheap solutions and pocket the difference. Even worse, some just recommend the built-in Windows Defender, which has no central management at all.
Pay attention to which endpoint protection is in place in your firm. You can review the most effective ones available here. Ask your provider pointed questions if yours is not among the independently rated most effective.
At Snap Tech IT, we endorse Sophos endpoint protection. Our motivation for this is not because it’s the least expensive, or because it improved our profits. We recommend it in the best interest of our clients, because it is independently rated the most effective of all available endpoint protection products. Our list of disreputable endpoint protection software includes Webroot, AVG, Vipre, and Avast. Stay away from all of these, especially Webroot.
Treat these items as the beginning steps you need to take towards improved IT systems. By holding your IT staff or outsource provider accountable for these processes, you are making meaningful improvements to minimizing your law firm’s cybersecurity risk. This will help you protect your client data and ultimately, your reputation.