Law firms do not hold special immunity from the threat of cybercriminals. In fact, law firms should be extra vigilant, considering the breadth of sensitive client information they often possess regarding corporate acquisitions, product specifics, intellectual property, financial data, etc. Many law firms also rely on third parties to handle much of this information, thus raising their exposure to security threats.
Although some firms may feel safe because they work on matters that are of little interest to hackers, this sense of security is misguided. As with other types of businesses, employees actually present the biggest threat to information security, whether by inadvertently opening a phishing email, downloading a virus or leaving an unencrypted laptop in a cab. These considerations make it crucial for law firms to implement, explain and enforce clear information-security policies.
When adopting a policy, law firms must consider every potential threat — from employees to foreign hackers looking for information on major business deals or IP matters. Items of particular concern include the following:
Devices used for remote access, including personal devices that employees use to access firm information: Firms should install mobile data-management software on company devices, which will allow the firm to issue a "kill command" that erases all information on a lost device. This software also allows certain functions to be disabled when employees log on remotely; for example, disabling the print function reduces the risk posed by discarded printouts. Firms can also secure remote access to data by requiring strong passwords that are changed every 90 days.
Third-party vendors with access to client information: Last year's infamous data breach at Target stores serves as a key reminder to perform due diligence with third-party vendors: A Target vendor — not the company itself — caused the breach.
Physical security of confidential documents on attorney desks or printers: Firms should monitor every access point to the office and restrict entry with some form of identification process.
Law firms can prevent their attorneys and other employees from creating a security threat or inadvertent breach of confidentiality through the installation of software that will help manage access to and control requests for information. A more critical step is risk-awareness training that teaches employees how to best handle valuable client information.