Data Security for Lawyers: What is Multi-Factor Authentication?
Data security is a major concern for any business—especially law firms operating out of New York. Clients rely on their attorneys to protect their data privacy while providing active and engaged representation on legal issues.
However, law offices are a common target for data thieves and other malicious actors.
According to the 2022 Verizon Data Breach Investigations Report (DBIR), there were 3,566 security incidents affecting professional services businesses in 2021, 681 of which were confirmed breaches with data disclosure. The report found that 90% of those breaches were financially motivated, and that 89% fell into three attack patterns: system intrusion, basic web application attacks, and social engineering (a category that includes phishing and pretexting).
The New York Times even reported on a 2021 incident in which a hacker breached the New York City Law Department’s systems and brought its operations to a grinding halt.
The question is, what can law firms do to keep cybercrooks from accessing sensitive data? If a large municipal legal department is susceptible to network infiltration, what can a single lawyer or small firm do to stop malicious actors from illicitly accessing data? Actually, there are a lot of things that you and your law firm can do to significantly reduce the risk of unauthorized data access.
One vital tool for protecting your firm’s data is multi-factor authentication.
What Is Multi-Factor Authentication?
Multi-factor authentication (also rendered as multifactor authentication or MFA) is a secure access control method that leverages multiple forms of identity verification before allowing someone to access a given IT system or resource.
Many access control setups for common IT systems only require one authentication factor before allowing access to a given resource: the traditional password. (The username merely identifies the account; it is not secret, so it does not count as a factor.) Multi-factor authentication, by contrast, requires at least two different kinds of identity verification factors before allowing access.
About Authentication Factors:
So, what are the different authentication factors that an MFA access control setup can use? There are three different kinds of factors in common usage:
- Knowledge-Based Factors. Also referred to as “something you know,” knowledge-based authentication factors include things like passwords, PINs, and security question answers. Security questions are the weakest of these, since the answers can often be found or guessed.
- Token-Based Factors. AKA “something you have,” token-based authentication factors require possession of a specific object, such as a keycard or smart card, a hardware security key, or a smartphone running an authenticator app. One-time codes sent by SMS also fall in this category, but they are the weakest option because phone numbers can be hijacked through “SIM swap” fraud.
- Biometrics-Based Factors. Sometimes referred to as “something you are,” biometric factors use things like fingerprints, facial scans, or other properties inherent to a particular person to enable access.
When an access control system requires at least two different types of authentication factors, that’s when it becomes multi-factor authentication. Two factors of the same type, such as a password plus a security question, do not count. If exactly two factors are used, it is often called two-factor authentication (2FA).
Why Multifactor Authentication Is Important for Law Firms
Remember the top three attack patterns that cybercriminals used against professional services companies? One of them was social engineering, of which phishing is the most common form. A common element of phishing attacks is that the person behind the attack tries to steal a target’s user access credentials (i.e., their login information).
For example, a cybercriminal might pose as a member of your IT staff or an IT vendor that your firm is working with. In the email they send (often using a spoofed email domain so it looks legitimate), the hacker will say something like: “We’ve detected unusual activity on your account. Send us your username and password so we can verify the activity now. Failure to comply will result in a written warning and possible termination of employment.”
In this kind of phishing email, the goal is to make the recipient panic and give up the information the “phisher” wants (login details, in this case). If your access controls rely purely on knowledge-based authentication factors like a name and password, it’s possible for the hacker to hijack a legitimate user account with just this info.
By requiring a second factor before allowing access, the hacker won’t be able to usurp the unwitting target’s access privileges with just their name and password. One caveat: a more sophisticated phishing site can relay a one-time code to the real login page in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys (which only work on the genuine website) offer the strongest protection. Even app-based codes, however, shut out the bulk attacks that simply harvest passwords, and that can be the difference between a near miss and a devastating data breach.
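To make the definition above and the phished-password scenario concrete, here is an added example (not code from the original article or from Converged Technology Group) of a login check that combines a knowledge factor (a salted password hash) with a possession factor (a time-based one-time code per RFC 6238, the scheme used by common authenticator apps). The user record, the PBKDF2 parameters, and the sample secret are constructed for the example; the secret is the RFC 6238 test-vector seed, not a real one. The point to notice is the `login` function: a correct password with no code gets “second factor required,” which is exactly where a phisher holding only the password gets stuck.

```python
"""Password + TOTP login check (RFC 6238 on top of HOTP, RFC 4226).
Added illustration; the user record and secret below are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Knowledge factor: password stored only as a salted PBKDF2 hash ----------
def hash_password(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def password_ok(record: dict, password: str) -> bool:
    candidate = hash_password(password, record["salt"])
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, record["pw_hash"])

# --- Possession factor: TOTP code derived from a shared secret and the clock --
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def totp_ok(record: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30-second step plus `window` steps either side,
    which tolerates small clock drift between phone and server."""
    step = unix_time // 30
    for drift in range(-window, window + 1):
        expected = hotp(record["totp_secret"], step + drift)
        if hmac.compare_digest(expected, code):
            return True
    return False

# --- Combined check: BOTH factors must pass ----------------------------------
def login(record: dict, password: str, code: Optional[str],
          unix_time: Optional[int] = None) -> str:
    unix_time = int(time.time()) if unix_time is None else unix_time
    if not password_ok(record, password):
        return "denied"
    if code is None:
        return "second factor required"   # a phished password alone stops here
    if not totp_ok(record, code, unix_time):
        return "denied"
    return "ok"

# Constructed sample user. The TOTP secret is the RFC 6238 test-vector seed.
SALT = os.urandom(16)
USER = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = int(time.time())
    print(login(USER, "correct horse battery staple", None))   # second factor required
    current_code = totp(USER["totp_secret"], now)               # what the phone app shows
    print(login(USER, "correct horse battery staple", current_code, now))  # ok
```

A real deployment would also rate-limit code attempts (a six-digit code is only a million possibilities) and refuse to accept the same code twice within its window, so that a code captured in transit cannot be replayed.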
Are There Any Cons to Multi-Factor Authentication?
The pros of MFA—namely, potentially avoiding a data breach—more than outweigh any potential cons of making your internal users carry an authentication token or verify their identity with biometric factors.
The major potential downside is that it can create some friction during login. For example, a legitimate user might misplace their authentication token, which could lock them out of important systems when they need them. Firms should plan for this by issuing backup codes and having a documented recovery process. Staff should also be told never to approve a login prompt they did not initiate, since attackers who have a stolen password sometimes send repeated push notifications hoping the user will tap “Approve” just to make them stop.
Or, logging into the system might take a few seconds longer than normal—making the login experience slightly more irritating for users. This could cause some users to try to create ad hoc workarounds or outright refuse to use the systems that require MFA.
Some secure access control solutions reduce this friction by treating a previously registered device as the second factor. Once a user has completed a full MFA login on a device, that device is remembered for a set period, and later logins from it need only the password. The device registration is still a possession factor, but it should expire, be revocable (for example, when a laptop is lost or a password is reset), and never be granted to a device that has not first passed full MFA.
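The following is an added example (not code from the original article or from any product the page mentions) of how such a “remembered device” check can be built on the server side. The device registry, the 30-day trust lifetime, and the sample user are constructed for the example. The browser keeps a random token (typically in a secure, HttpOnly cookie); the server stores only a hash of it, so a leaked database does not hand out working device tokens. A correct password from an unknown or expired device is stepped up to a full second-factor check rather than let through.

```python
"""Remembered-device ("trusted device") step-up logic. Added illustration;
the registry, lifetime and sample user below are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

TRUST_SECONDS = 30 * 24 * 3600   # assumption: re-verify the second factor monthly

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class DeviceRegistry:
    """Server side: keeps only a SHA-256 digest of each device token, per user."""

    def __init__(self) -> None:
        self._devices: Dict[str, Dict[str, dict]] = {}

    def remember(self, user: str, now: int, label: str) -> str:
        """Call this only after a login that passed full MFA. Returns the raw
        token for the browser to keep; the server never stores it in the clear."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._devices.setdefault(user, {})[digest] = {
            "label": label, "expires": now + TRUST_SECONDS}
        return token

    def is_trusted(self, user: str, token: Optional[str], now: int) -> bool:
        if not token:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, meta in self._devices.get(user, {}).items():
            # constant-time digest comparison; expired registrations are ignored
            if hmac.compare_digest(stored, digest) and now < meta["expires"]:
                return True
        return False

    def revoke_all(self, user: str) -> None:
        """Forget every remembered device, e.g. after a lost laptop or password reset."""
        self._devices.pop(user, None)

def login(registry: DeviceRegistry, record: dict, password: str,
          device_token: Optional[str], now: int) -> str:
    """Password is always required; a trusted device supplies the second factor."""
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return "denied"
    if registry.is_trusted(record["name"], device_token, now):
        return "ok"                          # password + registered device = two factors
    return "second factor required"          # unknown or expired device: step up

# Constructed sample user
_SALT = os.urandom(16)
ALICE = {"name": "alice", "salt": _SALT, "pw_hash": hash_password("pw-for-demo", _SALT)}

if __name__ == "__main__":
    reg = DeviceRegistry()
    t0 = 1_700_000_000
    tok = reg.remember("alice", t0, "office laptop")   # issued after a full MFA login
    print(login(reg, ALICE, "pw-for-demo", tok, t0 + 60))        # ok
    print(login(reg, ALICE, "pw-for-demo", None, t0 + 60))       # second factor required
    print(login(reg, ALICE, "pw-for-demo", tok, t0 + TRUST_SECONDS + 1))  # second factor required
```

The trade-off to keep in mind is that anyone who steals both the password and the device token (for example, by stealing the laptop itself with the cookie on it) is inside until the token expires or is revoked, which is why the lifetime is bounded and `revoke_all` exists.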
Other Secure Access Controls and Security Measures to Consider
MFA isn’t the only tool that a law firm can (or should) use to ensure secure access to its data and prevent malicious actors from illicitly accessing data. Other secure access controls and cybersecurity tools that law firms should consider include:
- Email Security Tools. Email security tools can help law firms identify phishing emails and malware-laden files in email attachments. This makes it easier to prevent the accidental downloading of malware and helps keep employees safe from phishing attempts.
- Network Firewalls. Firewalls are a basic cybersecurity tool that help filter out illegitimate traffic at the network perimeter so hackers can’t simply access your database directly. Every business network should have a perimeter firewall.
- Cybersecurity Training. Even the best cybersecurity setup can’t prevent data breaches if the users of a system don’t practice basic IT security hygiene. Cybersecurity training is crucial for ensuring that everyone in the firm knows security best practices and follows them.
- Intrusion Detection and Response Solutions. Managed intrusion detection and response services can help a firm rapidly identify a data breach in progress and take the appropriate measures to remediate it—potentially limiting the impact of a data breach by ejecting intruders before they can steal too much data.
These are just a few of the different cybersecurity tools that can help law firms keep their systems secure from illicit access. For more suggestions, it might help to consult with your IT service provider.
Get Started with Converged Technology Group!
Are you ready to protect your firm from cybercriminal activity while improving your user experience for everyone in your practice? Reach out to Converged Technology Group today to get started!