Lessons Learned From The 2018 Clio Conference In New Orleans

What Do The Best Legal IT Security Experts Advise That You Do To Protect Your Confidential Data? 8 Critical Things

I recently attended the Clio Cloud Conference in New Orleans, and I came away with a wealth of information for law practices that want to use the Cloud securely. Clio’s Director of Information Security, who formerly worked at Apple (among other companies), mentioned some critical steps that legal firms must take to protect their businesses and their clients.

First, let’s look at the legal environment in regards to cybersecurity. Here are five facts that you need to know:

Most breaches aren’t discovered right away. The LinkedIn breach was found a full two years after it happened. The same happened with Yahoo’s breaches.
Only .8% of Clio users are using 2FA! (What is 2FA?
We’ll tell you below.*)
30% of firms from 2-99 lawyers were breached last
year.
The majority of hacking uses stolen credentials, usually through phishing – not from someone breaking into a computer or server through brute force or a virus. (What can you do to prevent being victimized by phishing? We’ll tell you below.**)
Most hackers are amateurs and limited in resources. They go for the easiest
targets.

What are the eight critical steps that Clio’s Director of Information Security recommends you take to protect your law practice?

Define your risk. Are you using cloud applications that might expose your confidential data? What would the result of a data breach be for you? Is everyone in your firm using secure passwords? (What are secure passwords? We’ll tell you below.***)
Always use 2FA whenever available.
(See below*)
Use a password manager (Parkway Tech provides this to our clients, but LastPass is a good option, as well.)
Be aware of timely phishing attempts (e.g., IRS around tax season and W-2 scams around the first of the year).
Invest in education. (Ask about our Security Awareness Training for your
employees.****)
Be skeptical.
Let others in your firm know about phishing emails. (Security Awareness Training takes care of this.)
For workstations: Get security updates, use strong computer passwords, enable full disk encryption, and make a cloud backup. (Parkway Tech can help with all of these requirements.)

*What Is 2FA?

Two-Factor Authentication (2FA) protects your identity by requiring a second layer of security. It makes it more difficult for cybercriminals to log in to your accounts.

Your credentials must be submitted in two or more different forms. For example, you need your login ID and passcode for authentication to be classified as 2FA.

This prevents criminals from taking over your identity on the platforms you use. Even social media platforms like Facebook have an option where a code is texted to your mobile phone, or generated in your Facebook account that you use before signing in.

Clio advises that you use 2FA wherever it’s provided. Make sure your employees do the same.

** What Is Phishing?

Phishing is the practice of stealing user ID/email addresses and password combinations by masquerading as a reputable or known entity or person in an email, instant message, or another communication channel. Attackers then use the victim’s credentials to carry out attacks on a secondary target.

They enter the credentials into as many websites as possible using automated scripts, often called credential stuffing, or enter the stolen credentials directly into corporate resources gaining unfettered access to your network and data.

How do you protect your law practice from phishing? The best way is through Security Awareness Training**** for your employees.

*** What Are Secure Passwords?

Creating a strong password is an essential step in protecting yourself online. Using long and complex passwords is one of the easiest ways to defend yourself from cybercrime. No law firm is immune to cyber risk, but there are steps you can take to minimize your chances of an incident.

Here are eight things that the Department of Homeland Security suggests you and your employees do when creating passwords:

1. Create passwords with eight characters or more and a combination of letters, numbers, and symbols.

2. Use a passphrase such as a news headline or even the title of the last book you read. Then add in some punctuation and capitalization.

3. Don’t make passwords easy to guess. Don’t include personal information in your passwords such as your name or pets’ names. This information is often accessible to find on social media, making it easier for cybercriminals to hack your accounts.

4. Avoid using common words in your password. Instead, substitute letters with numbers and punctuation marks or symbols. For example, @ can replace the letter “A” and an exclamation point (!) can replace the letters “I” or “L.”

5. Get creative. Use phonetic replacements, such as “PH” instead of “F.” Or make deliberate, but obvious misspellings, such as “enjin” instead of “engine.”

6. Never share your password. Don’t tell anyone your passwords, and watch for attackers trying to trick you into revealing your passwords through email or calls.

7. Use different passwords for different accounts and devices so that if attackers do guess one password, they won’t have access to all of your accounts.

8. Use stronger authentication. Always opt to enable stronger authentication when available, especially for accounts with sensitive information including your email or bank accounts. A stronger authentication helps verify a user has authorized access to an online account. For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the password and username. Visit www.lockdownyourlogin.com for more information on stronger authentication.

****What Is Security Awareness Training?

Security Awareness Training for your employees educates them to be aware of phishing and other IT threats. Services often provide user training videos, send fake phishing attempts to test their knowledge, send automated memo emails on the latest threats, and allow admins to run various reports to monitor your employees’ scoring, and progress.

Cybercrime is a real and present danger to law firms of every size. You can’t afford to risk your confidential data. Contact our IT Security team in Winston Salem NC for help protecting your practice.

In the meantime, check out these and other articles in our Law Blog to stay up-to-date on the latest news and information in IT:

Does My Law Firm In North Carolina Need A Business Continuity Strategy?

Some extreme events can disrupt the regular operations of a legal firm. Natural and man-made disasters such as hurricanes, floods, power failures, earthquakes, arson, robbery, death of a critical law partner, pipe leaks, roof collapse, public unrest, and other unexpected problems can destroy offices, records, or access roads, jeopardize relationships with major clients, or make travel to the law office impossible for employees. Having a Business Continuity Plan for North Carolina Law Firms can prevent significant loss of revenues and clients due to prolonged disruption of law office operations.

Experts Predict Cybercrime Will Climb To An Astonishing $7 Trillion Problem For Business Owners

While you’re busy running and growing your business, working hard to make money, cybercriminals are finding new and more sophisticated ways to steal it. They want to breach your IT system to steal your confidential data so they can hold your data for ransom, or get passwords and IDs to take cash directly from your bank accounts.

Although many long for the simplicity of yesterday, advancements in technology are quickly taking over every industry. This includes the legal field. Technology provides an ability to streamline resources and improve efficiency. Of course, people are required to manage it.