Social engineering, phishing, and hacking pose a real danger to your practice. Family Lawyer Magazine‘s Editorial Director, Diana Shepherd, recently spoke with cybersecurity lawyer Bill Sosis about the steps family lawyers should take to protect their data – and firm.
Diana Shepherd: Let’s start with the great disruption known as COVID 19. Since March 2020, lawyers had to find ways to work from home without paper files and all the technology (potentially including access to an IT professional) associated with their brick and mortar offices. Are there specific cybersecurity threats for a lawyer working from home rather than the office?
Bill Sosis: Absolutely. When people are at home, they’re more comfortable, and there could be more distractions – such as their children also being at home. They are also away from the systems and technologies that were protecting them in a brick-and-mortar building. They are more likely to become victims of cybercrimes such as phishing which preys on their curiosity by luring them into clicking links that introduce viruses, ransomware, and other malware into their computers. The bottom line is that the best security measures still depend to a large extent on the human factor, and what someone decides to do in the spur of the moment. This is where training comes in with respect to the kind of threats that exist when somebody clicks on a bad link, or they give access to someone they shouldn’t, or they are sloppy about their passwords. So, yes, a home environment situation is definitely more dangerous than being in the office.
Is perimeter security by itself sufficient to protect client data?
No, and it probably hasn’t been for decades now since the growth of digital information. The digital data have grown so vast that practically everything is electronic. As this becomes increasingly vast, there need to be more measures for protecting client data. It’s definitely no longer adequate to just have perimeter security because that only protects the physical assets – including hard copy documents and computers. Today, everything that used to go into a physical file in on the internet.
Are data breaches inevitable in a family law practice?
They’re inevitable everywhere, and there’s nothing that can be done to 100% guarantee protection against a breach. Huge companies with state-of-the-art IT departments get hacked, the government gets hacked, but family law practices are especially prone. Nowadays it’s easy for a vindictive ex-spouse to hire a professional hacker to target a family law practice.
A 2016 survey by the American Bar Association found nearly half of the respondents had no data breach response plan in place. Are law firms doing better or worse in 2022?
According to the latest ABA study, firms are doing up to 300% worse now than last year. Working from home has introduced an opportunity for hackers to use attacks that rely on social engineering deficiencies –such as phishing. By social engineering, I mean cyber-attacks that exploit opportunities that have to do with people’s tendencies, weaknesses, and trust. It will continue to get worse until law firms have the proper, ongoing training in place to help their staff understand what social engineering is and how it can trick them.
Unfortunately, few firms have response plans in place. But a response plan alone is insufficient – firms also need to have plans for how to recover from a cyberattack.
The legal profession has been moving toward technology by becoming “paperless” through the use of various types of devices and software. What risks does this trend pose – particularly in a family law practice where financial data are at the forefront while resolving issues related to support and property division?
The growth of digitized data is astronomical. Because of the pandemic, more and more companies have switched to using the cloud, especially with people still working from home. (By the way, there’s no such thing as “the cloud” – this is just a word that means someone else’s set of computers.) While going paperless has some advantages it also introduces legal and security risks. For example, firms that store their data using “cloud” services need to understand their agreements. These agreements often compromise your data with language that exposes your data to third-party companies that are not listed in your agreement.
If a lawyer uses mobile devices for business purposes, what steps can they take to protect their data should those devices become lost or stolen?
The device should have protective measures pre-installed. It should have two-factor authentication to protect you from hackers. It should include a paid Virtual Private Network (VPN), which encrypts your data from end to end. Even if a hacker intercepts your data, they won’t be able to do anything since all they’ll get is a bunch of indecipherable gibberish. The devices should have firewall protection, which monitors the traffic and can, in some cases, alert the person about what’s happening.
It may be desirable to separate business from personal devices. I know that’s not always possible, but whenever possible. it should be done. In a home environment, somebody with a simple KVM switch [an abbreviation for Keyboard, Video, and Mouse, a KVM switch is a hardware device that allows someone to control multiple computers from a single keyboard] can actually switch between work and personal computers. You could be connected to a business network, and then, if you want to surf or do some online shopping over lunch, you can switch to your personal computer without having to change your setup.
Telling lawyers what they must do without telling them how to do tends to make them feel stressed and unsure. Bottom line: how can family lawyers protect themselves and their clients from cyber threats in 2022 and going forward?
I think the over-arching lesson here with COVID and even many years before that has been that the human factor is a critical element in cybersecurity. According to the American Bar Association, about 50% of cyber-attacks are due to phishing: a social engineering technique that encourages people to click on harmful or nuisance links.
We need to think about information governance because that’s where you implement policies and procedures that prevent people from doing the wrong things. Law firms must implement policies and procedures to prevent their team from doing the wrong things – but you have to know what the wrong thing is to avoid it. You should also have firewall protection to monitor traffic and potentially alert you to threats. Resiliency is also crucial. You may have systems to scan, detect, and prevent cyber-attacks – but when a breach happens, the firm must have the ability to bounce back quickly. If you can’t recover quickly, you could lose business or even go out of business.
Without a plan, you could lose more than data – you could lose your whole company.
Absolutely, and that has happened to many law firms – especially the small ones, which are most vulnerable because they don’t have the IT staff or the wherewithal to act.
Bill Sosis has over 25 years’ experience in information technology as a consultant, business analyst, and project manager. He has led the implementation and upgrades of numerous computer systems in North America, Europe, and Asia. www.sosislaw.com
Does Your Family Law Firm Have a Cybersecurity Strategy?
Most small family law firms don’t have in-house IT staff to oversee cybersecurity, so how can lawyers protect themselves & their clients from cyber-attacks?
Cybersecurity: What’s a Family Lawyer to Do?
Keeping access to the recent cybersecurity threats will be one ounce of prevention in protecting your information as well as that of your staff and clients.
5 Tips to Protect Your Information from Data Scraping
Just like a data breach in which a hacker breaks into secure computer systems, data scraping can expose your important data, leaving you open to password breaches and phishing attacks.