Most observers believe that the legal profession is rapidly moving toward so-called “hybrid workplaces,” a term office managers use to describe a mixed-work environment that spans brick-and-mortar law offices, home offices, and myriad places in between.
Cybersecurity experts have another word for the hybrid workplace: Nightmare. The hybrid workplace, they say, is fertile ground for would-be hackers and other malicious actors.
According to a recent Wall Street Journal article, workers who transition from one network to another during the work week create unprecedented security challenges. Workers who use their laptops on a public network risk bringing malware back to the office network the next day.
Conversely, files loaded onto a laptop at the office are vulnerable to unauthorized access or loss whenever workers connect to a public network or home network. IT personnel also believe that remote workers may lapse into bad cybersecurity habits when they’re in a more relaxed environment.
Looking to the legal profession specifically, there is a widespread expectation that working outside the office — a practice broadly disfavored prior to the COVID-19 pandemic — will and should continue as an increasingly vaccinated population begins transitioning back to a semblance of normal work routines this year and next. Many attorneys enjoyed working from home during COVID-19 and ultimately demonstrated that client matters could be competently handled remotely, greatly reducing the stigma associated with virtual lawyering.
In fact, a 2021 survey published by the American Bar Association’s Coordinating Group on Practice Forward found that 66% of lawyers surveyed said it is likely they will continue working mostly or entirely remotely in 2021 and 2022. Less than 23% expressed a preference for a traditional five-day work week, according to the group’s Practicing Law in the Pandemic and Moving Forward report. Beyond that, 36% of respondents said they wanted the flexibility to set their own schedules.
Law office leaders are responding to the growing demand for remote work opportunities by creating next-generation offices with open designs, shared workstations, and “hoteling,” which allows lawyers to reserve office space in advance. These nontraditional law office designs have a smaller physical footprint that lowers real estate expenses. Beyond that, investments in videoconferencing technology create an improved virtual “presence” for lawyers and clients not physically in the office.
Rising Computer Crime Magnifies Risks
Unfortunately, lawyers’ determination to use technology to serve clients remotely put the profession in the crosshairs of another trend. Computer crime is on the rise, and lawyers make good targets for cyber-exploits. According to the FBI’s 2020 Internet Crime Report, ransomware victims paid out more than $29 million in ransom to hackers in 2020. Because this figure covers only reported incidents and does not include amounts attributable to lost business, lost intellectual property and proprietary information, or the costs of remediating compromised computer networks, the true monetary damage from ransomware attacks is far, far higher. Purplesec reports that the total cost of ransomware in 2020 reached $20 billion worldwide.
The incidence of phishing, spoofing, and identity theft offenses in 2020 all rose steeply over prior years, according to the FBI.
In April, the Illinois Attorney General’s Office was hit with a crippling ransomware and data theft attack that exposed vast amounts of personal information on Illinois citizens. News accounts indicated that the attack came eight weeks after state auditors warned of vulnerabilities in the AG’s computer systems. The cost of the attack is $2.5 million and rising.
Staying Safe Outside the Office
What can be done to protect client confidential information in the new hybrid work environment? According to cybersecurity experts, lawyers already have the tools to prevent the most common intrusions. Recommendations include:
- Use a virtual private network (VPN). Whether connecting from home or at some other remote location, VPNs are the first line of defense against the interception of data during transmission. VPNs excel at masking the user’s IP address and encrypting communications so they will be unreadable by prying eyes. VPNs should be used with multi-factor authentication (see below) and should not allow “split-tunnel” access to local networks.
- Avoid public Wi-Fi networks. Yes, VPNs will protect data transmissions across public Wi-Fi networks, but the protection ends there. Instead of connecting to a public Wi-Fi network, lawyers should use their smartphone’s Wi-Fi hotspot capability — a far safer alternative. For occasions when a public Wi-Fi network must be used, law firms should adopt policies that spell out which types of activities are deemed safe and which types of information can be transmitted over insecure networks then implement controls that enforce those policies.
- Security Awareness Training. The best cybersecurity protections are only as good as their weakest link – users. Lawyers should be required to complete mandatory security training at regular intervals so that they understand emerging threats and how to effectively guard against them. Lawyers should be trained to recognize common phishing exploits and should know how to report suspicious communications to IT staff. They should know how to identify and properly handle suspicious links in email or on websites — no matter how tantalizing. Training should be updated regularly to reflect the ever-changing threat landscape and the efficacy of training should be tested periodically with internally simulated phishing campaigns.
- Use multi-factor authentication. Hard-to-guess passwords are not enough – access to systems must be protected by multiple factors of authentication, not just a password. Requiring a code from a remote token or a text message to the lawyer’s cell phone makes it much harder for malicious actors to access a system, even if it has a relatively weak password.
- Use the most current versions of antivirus software. Security threats change all the time. Out-of-date software will not prevent attacks by recently discovered viruses, malware, and spyware. Also, the ability to disable antivirus software should be restricted to administrators and should only be allowed briefly for diagnostic purposes.
- Choose technology vendors wisely. Law firms should have a deep understanding of how client confidential information is transmitted across and stored on their networks. Vendors supplying services that handle client data should be reputable and held to a high standard of reliability and security.
- Encrypt, encrypt, encrypt. Just as VPN technology can secure data in transit, strong encryption of data at rest makes it practically impossible for hackers to access your data. Encrypted email messages, laptops using whole disk encryption (WDE), and encrypted data stored on computer file systems are rendered effectively inaccessible to malicious actors.
- Don’t forget physical security. In the new world of remote work at home and office work in a shared space, physical security measures go hand-in-hand with cybersecurity protections. Office visitor policies must be reconsidered to account for increased opportunities to view clients and client confidential information. At home, remote lawyers should adopt measures to create a private work environment where client communications can’t be heard or seen on a computer screen.
- Ask for expert assistance. The stakes are high when it comes to cybersecurity. Lawyers who lack confidence in their ability to worth through these questions should reach out for assistance.
As a result of the legal profession’s experience coping with the COVID-19 pandemic, the cybersecurity issues raised by hybrid workspaces are familiar to most lawyers. With a proper focus on implementing these basic protections, the coming transition to hybrid workspaces for lawyers will ultimately be considerably easier and more secure than the transition to remote work was during the advent of the pandemic.