Oct. 2, 2019 – October is National Cybersecurity Awareness Month, so it’s a good time for law firms to revisit their cybersecurity practices to determine if they have the necessary defenses in place. But legal technology experts say law firms are behind.

Attorneys Dennis Kennedy and Tom Mighell recently discussed law firm cybersecurity on their podcast, the Kennedy-Mighell Report. Despite constant news about data breaches and law firms as targets, many solo and small firms still don’t do enough.

Mighell said he has spoken to many lawyers who don’t upgrade their systems and keep running programs that are unsupported, such as the Microsoft Windows 7 operating system. But unsupported programs are unlocked doors for lurking data thieves.

“Part of the problem is there continues to be brand new ways that bad people can get to us, and keeping up with it all is overwhelming,” said Mighell, chair of the American Bar Association’s Law Practice Management Section.

Christopher Shattuck, who manages the State Bar of Wisconsin’s Law Practice Assistance Program (Practice 411^™), says cybersecurity is a practice management issue that Wisconsin lawyers must address since ethics rules (SCR 20:1.1, Comment 8) require lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

“Many calls that come through the Practice 411 program are related to cybersecurity and what firms should be doing,” Shattuck said. “The solutions will vary by practice, but we can help lawyers and law firms develop plans that are most appropriate for them.”

Keep the Doors Locked

Implementing security protocols doesn’t have to be overwhelming. Consider simple steps like upgrading outdated programs or devices, using strong passwords, and embracing two-factor authentication, which would have prevented the following breach:

A small firm is using Office 365, a cloud-based subscription service that provides a suite of applications for individuals and businesses, such as Word, Excel and Outlook. There are built-in security systems that can help law firms stay secure, but what happens?

Hackers are able to access a user’s Office 365 account because the user’s password is very weak. Then the hackers send emails, impersonating the user (the payroll manager), and gets two payroll checks diverted to a different bank. That money is gone.

“There were two opportunities to stop that hacker dead in its tracks,” Mighell said. “The first would be to set a strong password that would be much more difficult to break.”

According to one cybersecurity expert, an eight-character password can take minutes to crack, whereas a 20-character passwords can take months. Secure password managers can help law firms and lawyers maintain longer, unique passwords.

“Even if the password could have been broken, two-factor authentication would have stopped it. If it’s done right, it’s 99 percent effective,” Mighell said.

With two-factor identification, a user who logs into an online program could choose to receive a text with a numeric code that is required for login. Applications like Authy provides a two-factor identification solution to protect online accounts.

Don’t Use Outdated Software

One of the biggest cybersecurity problems is running outdated systems. When operating systems and programs reach “end-of-life,” they are no longer supported by developers. That includes an end to security updates and patches.

A 2016 lawsuit against a Chicago-based law firm illustrates the potential harm that can occur if law firms use outdated programs. A client sued the firm for running outdated programs that allowed attorneys to remotely access the firm’s network via the internet, including time entry software, a virtual network system, and the firm’s email system.

For instance, attorneys could access a time-tracking program with a user name and password. But the client-plaintiff alleged the law firm “improperly configured the service and left it running out of date software” that was more than a decade old.

The client-plaintiff also alleged the firm’s virtual private network (VPN), which allowed attorneys to access the firm’s files and documents off-site, was not implemented properly and left the whole network open to “Man in the Middle” attacks.

Such attacks allow hackers to eavesdrop on communications and steal confidential information, especially when the faulty VPN, supporting insecure renegotiation, is accessed on public connections at conference centers, cafes, or other public networks.

The client’s lawsuit, which ultimately entered arbitration under the firm’s engagement letter, alleged breach of contract and fiduciary duty, and negligent legal malpractice.

Law firms don’t have to go it alone. Solo and smaller firms that don’t have in-house technical expertise can outsource IT services to Managed Service Providers (MSPs). Given the ethical duty to protect client data, this may be a necessary expense.

According to an article by the Florida Justice Technology Center, using MSPs “is an incredibly effective method of preventing cybersecurity breaches as the IT systems are managed by a third-party who are experts in securing systems. The MSP is contractually obliged to patch the operating systems, patch the applications, and update the firmware and microcode on the associated hardware,” the article states.

Simple Solutions

Cybersecurity experts Sharon Nelson and John Simek of Sensei Enterprises recently addressed common cybersecurity questions in the June 2019 Wisconsin Lawyer^™. The article highlights simple things law firms can do to shore up their law firm security.

Do a Security Assessment. “The assessment is usually done using software tools and involves a thorough review of your network. The result is generally a report identifying critical, medium-level, and low-level vulnerabilities. A security assessment tends to come with a proposal for (at least) remediating the critical vulnerabilities along with the estimated cost. We believe it is wise to do these assessments, using a certified third-party cybersecurity company, annually.”

Train Employees. “There is no getting around the absolute need for annual employee cybersecurity training. It is generally somewhat inexpensive and covers the basics of current threats and how to avoid such things as clicking on suspicious links and attachments, going to sketchy websites, giving information over the phone (duped by social engineering), and many other easy-to-make mistakes. A solid hour of good training each year is a small price to pay for educating your employees and creating a culture of cybersecurity.”

Use Password Managers. “Beyond a doubt, the most important security tip is do notreuse passwords! The bad guys are now using computer bots to force attacks using passwords revealed from past data breaches. If you continue to reuse passwords, there is a high probability that the password will be used against other systems. This is another great reason to use password managers; doing so makes it easier to have unique passwords for every system.”

Move Law Firm Data to the Cloud. “Virtually all cybersecurity experts now agree that the cloud will protect your data better than you will. Is the cloud absolutely secure? Of course not. But do law firms, especially solo practices and small firms, tend to be woefully insecure? Yes, they do.”

Try to Keep Up with Technology. Resources such as Attorney at Work, Bob Ambrogi’s LawSites blog, and of course, Wisconsin Lawyer, help attorneys stay on top of new developments in the areas of technology and cybersecurity. “Don’t forget continuing legal education – and ask your colleagues for recommendations regarding speakers who both inform and entertain,” Nelson and Simek wrote.” The 2019 Wisconsin Solo and Small Firm Conference has an entire tracks of CLE programming dedicated to technology and practice management, including cybersecurity.

Don’t Click on Suspicious Links in Emails. A common cybersecurity threat involves “phishing,” where third parties will impersonate someone in your network with genuine-looking emails that contain links to unleash malware or other viruses. Examine emails carefully before clicking on links or call the purported sender to confirm.