6 Cybersecurity Tools Every NYC Law Firm Should Have
The modern age has made business easier to conduct for lawyers in a lot of ways. The use of new software and hardware tools can help firms save time, improve safety, increase quality, and keep more accurate track of their accounts payable and receivable. However, IT tools have created new challenges as well—challenges that require new cybersecurity tools.
Aside from having to balance the IT resources they use, ensure everything is properly integrated, and manage their costs, law firms have to deal with the threat of cybercrime. Technology has created new ways for thieves, fraudsters, and saboteurs of all stripes and motivations to target your law firm—so it’s important for you to have a well-prepared cybersecurity infrastructure in place to protect your firm from cybercriminals.
Let’s go over some of the top cybersecurity risks modern lawyers face, how they can impact a legal practice, and a list of some of the most basic security tools for businesses that can help curtail common cyber threats to your firm.
Top Cybersecurity Risks Modern Law Firms Face
There are innumerable cyber threats that can target a law firm. If you were to count every variation of every threat, they would easily number in the millions. However, most IT security threats can be broken down into a few broad categories such as:
- Phishing Attacks. This is when a cybercriminal sends fake messages to people within an organization to trick them into doing something that will benefit the crook. For example, they could send fake invoices to trick a company into paying them, put malware in emails for the victim to download, or steal user account credentials by posing as IT support and asking for access to fix some random issue.
- Malware Installations. Malware is a common tool in many other cyberattack schemes. The function of malware can change dramatically from one example to the next depending on how the malware was made and what the attacker’s goals are. For example, one type of malware might forcibly encrypt all of the data on the target’s hard drive as part of a ransomware attack. Another piece of malware might stealthily copy data and send it to a remote server elsewhere for a cybercriminal to retrieve later.
- DDoS Attacks. Distributed Denial of Service (DDoS) attacks seek to overload a targeted system so that it cannot be used for its intended purpose by its intended users. Attack methods can vary, but the classic example is the use of massive botnets (networks of malware-compromised devices controlled by the attacker) to constantly ping an internet-connected IT resource. The constant pings keep the resource from being able to process other requests—rendering it unusable until the attack ends.
- Man in the Middle (MITM) Attacks. This is an attack type where the cybercriminal attempts to intercept their target’s signals as they try to communicate with other resources on the internet. The specific methodology varies, but one example is when an attacker creates a fake Wi-Fi access point using a laptop—which then connects to the real router. When the victim connects to the fake access point, the laptop captures all of the information as it passes it through to the real network router. This allows the attacker to capture all kinds of sensitive data and files.
- Vulnerability Exploits and Zero Day Attacks. Some attackers may try to take advantage of security flaws that exist in certain programs and systems. In many cases, these cybersecurity vulnerabilities are well-known to the software manufacturer and have security patches available to fix them. Other vulnerabilities have yet to be detected by the manufacturer and its users—so there is no remedy available. When an attacker leverages a security vulnerability that others don’t know about, it’s often referred to as a “Zero Day” attack.
These are just a few of the different threats that law firms in New York and beyond have to contend with—and attackers may employ multiple schemes at once in an effort to breach your firm’s data security.
For example, a DDoS attack might be used as a distraction to keep you occupied while the attacker installs malware or downloads sensitive financial or legal documents.
How Cybersecurity Breaches Affect Your Legal Practice
So, what’s the risk for your firm? How can a cybersecurity breach impact your practice? The truth is that no two breaches are completely identical and the impacts can vary depending on the nature of the breach, the size of your law firm, and what steps you’ve taken beforehand to minimize the impact of an IT security breach.
Some common business impacts of a major cybersecurity breach include:
- A Loss of Reputation. A good reputation is crucial for any legal practice. If clients do not trust an attorney, they will simply hire a different one. So, one of the biggest impacts of a security breach is that it can erode a firm’s public reputation—especially if the firm failed to properly execute on an incident response plan (IRP) that would protect its clients. This can drive away future business and hurt the law firm’s prospects. AON Attorneys Advantage shared an example of a law firm that actually closed its doors following a breach: “Mossack Fonseca announced that it was shutting down due to the ‘reputational deterioration’ that was caused by the numerous scandals and public disdain resulting from the April 2016 data breach.”
- Potential Lawsuits. Clients who have had their confidential data compromised due to a cybersecurity breach may try to sue the law firm to recover any damages they suffered from the breach—such as identity theft or a loss of reputation caused by leaked documents. While not always successful, this can be a drain on a firm’s resources and time. Plus, protracted legal battles with former clients can further damage the firm’s reputation.
- Penalties Under New York Law. All businesses operating in New York are subject to the NYS Information Security Breach and Notification Act—this includes legal offices operating in the state. The SHIELD Act, which modifies the Information Security Breach and Notification Act, further specifies penalties for failure to comply with data breach notification and security measure requirements. “For failure to provide timely notification, the court may impose a civil penalty of up to $20 per instance of failed notification not to exceed $250,000. For failure to maintain reasonable safeguards, the court may impose a civil penalty of up to $5,000 per violation.” While the fines are far from being excessively burdensome for some law offices, simply being found to have failed to meet these obligations can be extremely harmful to the firm’s reputation.
- Direct Remediation Costs. Following a security breach, a law firm may have to undergo extensive restructuring of its IT and security infrastructure, pay for clients to receive identity theft protection, and invest a lot of labor into retraining its staff (both lawyers and non-lawyers) to be cognizant of security issues and requirements. This may cost the firm a lot of money while limiting its productivity until the changes and retraining are complete.
The old saying “an ounce of prevention is worth a pound of cure” might require some modification here. The ounce of prevention isn’t worth a pound of cure—it’s worth a few metric tons of cure!
If you could keep a data breach from happening in the first place—or at least minimize the scope and impact of the breach while promptly taking steps to respond to the incident—you could help your law firm avoid a significant amount of scandal and retain the trust of your clients.
At the end of the day, trust is the most valuable resource a law firm has. It takes years to build, but only seconds to lose completely.
6 Cybersecurity Tools Every NYC Lawyer Should Have
So, what constitutes “reasonable safeguards” for data security under the SHIELD Act and similar legislation? The word “reasonable” is somewhat vague: it could mean almost anything, so long as it has a measurable impact on the safety and security of the law firm’s IT resources.
Here are a few basic security tools for businesses that can help with data theft prevention and minimizing the impact of a security incident:
1. Data Encryption
Encrypting data-at-rest (data stored on your firm’s computers) and data-in-flight (data that is being transmitted to others) is one of the most basic things any business can do to guard against a data breach.
By encrypting data, you can render it unreadable to a hacker who manages to steal it—preventing them from being able to use it for their schemes. However, a hacker may eventually be able to break the encryption. So, this is often better thought of as a way to buy time in the event of data theft.
While the attacker is occupied with trying to break the encryption, your firm has more time to verify what data was compromised, who that data pertained to, and notify the affected parties so they can take measures to protect themselves before the attacker can put the stolen data to use.
2. Antivirus/Antimalware Software
Every device used within a law firm should have some form of antivirus/antimalware software installed. Devices that cannot support such software (such as certain IoT devices) should be removed from the law office until they can be provided with similar levels of protection.
Malware is virtually everywhere on the internet and can be used to enact a variety of schemes. Having the ability to detect and remove malware before it can cause damage or compromise sensitive data is a must for modern law firms. Antivirus/antimalware solutions help with this.
Of course, antimalware isn’t perfect. Cybercriminals are constantly creating new malware threats (or modifying existing ones) to get around antimalware solutions. However, even a basic malware detection tool can go a long way towards protecting your firm from cybercrime.
3. Virtual Private Network (VPN) Services
Virtual private networks, or VPNs, are services that allow users to hide their IP address from others online by routing traffic through the VPN provider’s servers first. Many VPNs offer additional services, such as data encryption, to help further protect the privacy of internet users.
Why would a law firm need a VPN? Using a VPN for business helps to protect the firm’s employees from having their web traffic and data intercepted by malicious actors online. The encryption services offered by some VPNs further help to protect sensitive data-in-flight from being misused by cybercriminals.
Although useful, it should be noted that a VPN isn’t a perfect defense against man-in-the-middle attacks. For example, if the MITM attack leverages a fake router physically located near your office that your employees connect to, the attacker could still collect some data before the user connects to the VPN service.
Additionally, a VPN alone won’t necessarily prevent users from making basic mistakes like visiting the wrong website and downloading malware or falling for a phishing scam.
4. Incident Response Plans (IRPs)
Rather than a specific cybersecurity tool, an incident response plan is an internal business document that outlines the roles and responsibilities of everyone in the law firm in case of a data breach. This document should detail who is responsible for notifying key stakeholders, clients, and the authorities of a data breach, the timeline for responding to a breach, and a general strategy for remediating the breach.
Without a set plan in place, a firm’s incident response often becomes an ad hoc process—which can lead to numerous mistakes. Imagine trying to argue a major case in court where your professional reputation is on the line, but you haven’t even gotten a brief of what the case is about!
Setting an IRP ahead of time and clearly delineating roles and responsibilities helps to prevent confusion and keep the firm to a set incident recovery timeline that minimizes disruption to your firm.
5. Data Backup and Disaster Recovery Solutions
Having consistent access to legal documents and other data is critical for any legal practice. Modern legal document management systems and e-documents have made it easier than ever to carry a library’s worth of documents and track down relevant legal precedents and decisions favorable to your cases.
Remote data backup and disaster recovery solutions can be a vital tool for ensuring consistent access to important documents in case of a major IT failure or another disastrous event.
For example, say a cybercriminal manages to sneak a ransomware program onto your law firm’s systems. The ransomware encrypts all of your firm’s data—rendering your e-documents unusable. With a remote data backup, instead of having to give in to the criminal’s demands for payment to get the encryption key, you can simply reformat the local drives, remove the malware, and re-download your important files from the remote backup.
A business continuity solution would take this a step further—providing a remote environment with all the data you need that you could use to access your most important files immediately instead of having to wait for the local hardware to be reformatted so you can download the backups.
6. Multi-Factor Authentication (MFA)
Multi-factor authentication—sometimes rendered as multifactor authentication or MFA—refers to a specific process for handling user logins that requires the user to provide several different identification factors when logging into resources.
Normally, single-step authentication simply requires the user to provide a username and password. MFA adds more authentication tools to verify the user’s identity. There are three general types of authentication factors:
- Knowledge-Based Factors. These are factors that leverage something that the user knows to verify their identity—such as a password or the answer to a secret question.
- Biometrics-Based Factors. These are factors that leverage biometric data—such as thumbprints, retinal patterns, etc.—to verify the user’s identity. These checks are typically reserved for on-site access verification.
- Possession-Based Factors. These verifications rely on the user having a token that proves their identity—such as an RFID tag, a USB security drive, or some other physical object.
The three factors are also described as “something you know, something you are, and something you have” in some cybersecurity discussions. By combining different types of factors, organizations such as law firms can make it significantly more difficult for a malicious actor to steal someone’s user credentials and commit fraud.
For example, say a paralegal in the firm gets an email asking them to share their username and password so the IT team can fix some account settings causing an error. However, the email was from a phony posing as a member of the IT team—it was really a phishing email, and the scammer now has the paralegal’s username and password.
If the law firm were using a single-factor authentication setup, then the scammer could easily access any system the paralegal had access to. However, if the firm used multifactor authentication that required a token or a specific device to access the firm’s systems, the scammer would not be able to access protected systems so easily.
Start Protecting Your Law Firm Now
The above tools are just a few of the more common ones that law firms can use to protect themselves from bad actors online. There are countless others, such as firewalls, monitoring solutions, email & web monitoring, and more. If you need help securing your firm’s IT from illicit access, reach out to Converged Technology Group to get started!