2024 isn’t over yet, and we’re already on track to have the biggest year in history for law firm data breaches. According to recent reporting by the American Lawyer, 21 firms reported breaches from January through the end of May 2024—compared to 28 law firm breach reports for 2023. A breach at one law firm alone resulted in 6,000 people having their names, addresses, and Social Security numbers stolen.
Don’t want this to happen to your firm? Fortunately, there are some simple strategies for leveling up your firm’s cybersecurity. The right managed IT service provider can help align your firm with current cybersecurity best practices for law firms, including the Biden administration’s Shields Up directive and other regulatory frameworks like HIPAA, GDPR, and more.
At Integris, we’ve built our business on helping law firms harden their IT infrastructure. Here are our top ten cybersecurity best practices for law firms in 2024.
Cybersecurity Best Practices for Law Firms: Your Best Defense Against Data Loss
Some of the most critical decisions in firm leadership will revolve around your cybersecurity. It’s the platform on which you’ll build a successful firm. Is it complicated? Yes. Luckily, cybersecurity tools are powerful and designed to work together to create a Responsible IT Architecture for your firm.
Your managed IT service provider can collaborate with your IT staff to create the right cybersecurity protocols that can run seamlessly in the background of your operations. We recommend starting here.
#1—Develop Strong Cybersecurity Plans, Policies, and Procedures
It may seem counterintuitive to write down how your software works together on your system, but it’s a critical part of your compliance operations. Your cybersecurity plan should be integral to your overall IT plan and budget. Everything should be noted, including your patching protocols, monitoring reports, disaster recovery plan, service structures, and more.
This helps your firm in several ways. First, it provides clear instructions so that anyone working on your system understands where to go and what to do in the event of an emergency. Second, it provides proof of your secure cybersecurity operations, which you will need in the event of a regulatory review or request from clients. An MSP outfitted with a virtual Chief Information Security Officer can make light work of this large documentation job.
#2—Set Cybersecurity Expectations for Your Staff and Put Them in Writing
A written policy can help you train your staff to work safely on your systems. We recommend every firm have a “Bring-Your-Own-Device policy,” which outlines how to safely use your own phone or tablet while working on firm business.
We also strongly recommend an “AI Acceptable Use Policy,” whether or not your firm currently uses AI programs as part of your official business. As soon as Q3 2024, companies like Apple and Google will be integrating AI tools with AI surge capabilities in their phones and tablets. Employees may also feel a powerful urge to use free tools on the Internet, like ChatGPT, to help lighten their workload. A strong AI Acceptable Use Policy will help set rules to keep your client data from leaking onto these platforms unintentionally.
For advice on how to create a written AI policy for your firm, check out our free template.
#3—Invest in Multi-Factor Authentication
In layman’s terms, multi-factor authentication is like a bouncer standing at the doorway of your firm’s system. It demands not just a password but a secondary way of identifying yourself before access is allowed. Usually, the secondary password is entered through a special app on an employee’s phone, like Duo.
This kind of cybersecurity tool is absolutely critical, no matter your firm’s size. Yet, in a recent Bar Association member survey, an average of 33% of firms (only 33%!) said they use multi-factor authentication. It’s enough to make a cybersecurity expert hang his head and cry. Why? Because this one tool can eliminate the biggest portion of attacks coming at your company. Without it, you’re leaving your digital front door unlocked.
We also recommend you go a step further and add a Zero-Trust system, which will continuously authenticate users while they are working on your information platforms. Together, they form a reliable protection network. In our opinion, it’s a critical “cost of doing business” investment.
#4—Invest in Continuous Cybersecurity Training
If you have a small firm, structured cybersecurity training programs may seem out of reach. Fortunately, most cybersecurity awareness training programs have moved online and are available on a per-user basis that scales to the size of your business. Most programs are entertaining, based on late-breaking hack attacks, and take just a few minutes each month to complete.
Even better, they provide graded tests that allow you to track your staff’s completion and comprehension rates. This documentation comes in handy when you need to provide proof to a regulator, cyber risk insurer, or prospective client. With your monthly reports in hand, you’ll be able to prove your staff is up to date on all the latest breach prevention education.
#5—Tailor your Backup and Disaster Recovery Plan to Your Firm’s Needs
Most computer users have some kind of backup in place. But we urge you to think strategically about how much you back up, where you back up, and how fast you can retrieve your data in the event of a natural disaster, outage, or hack.
Specifically, you need to ask yourself two questions:
- How long can my firm be down and out before the business losses become unbearable? The answer is your Recovery Time Objective (RTO).
- How much data can my firm afford to lose in the event of an outage? A half day’s worth? A half hour’s worth? The answer is your Recovery Point Objective (RPO).
A cybersecurity expert can then use this information to help craft and price out a disaster recovery plan that manages the right amount of backup storage and backup speed for your business.
We also strongly recommend doubling your backup. This means having an off-site cloud backup if most of your data is backed up on your own local servers. If you already have cloud backup, you may want to consider a secondary cloud backup solution for your most critical information.
#6—Invest in Cybersecurity Governance
In addition to your average IT spending, we strongly recommend hiring a qualified virtual chief information security officer (vCISO) or similar professional to handle your firm’s cybersecurity governance. They can work as a consultant on a retainer with your existing IT staff to ensure that monitoring, patching, and documentation are on point.
With regular reviews, they can flag cybersecurity problems at the first sign of trouble and recommend remediations immediately. They can also handle those cybersecurity administration headaches, such as applying for cyber risk insurance or filling out questionnaires from prospective clients. They can also help you vet any tools or software on your systems—a critical part of any third-party verification program.
#7—Purchase Cyber Risk Insurance for Your Firm
Every firm, no matter its size, should have cyber risk insurance. These plans help mitigate any losses you incur due to outages, disasters, or breaches. If you saw the damage created by the CrowdStrike outage, the need for this kind of protection should be clear. Even if your own cybersecurity setup is running perfectly, you never know when a third-party provider, vendor, or client can trigger a significant outage for your firm.
Cyber risk insurance policies can be scaled perfectly to your business. This budget-friendly tactic can also help protect your digital estate and bottom line.
#8—Ready Your Firm for Client and Regulatory Reviews
Nothing can have you running for the headache pills quicker than a client questionnaire asking for your cybersecurity documentation. It’s becoming a very common request, especially for larger firms with big clients.
In fact, in a recent report from the American Bar Association, 27% of respondents said clients had asked them for the firm’s security requirements document/guidelines. For firms over 100 lawyers, 50% were asked, with rates at 59% for 50-99 lawyers, 41% for 10-49 lawyers, and 15% for firms of 2-9 lawyers.
#9—Train Your Clients
Clients often demand that you communicate on the go. This can lead to risky behaviors like transferring sensitive documents over public platforms like Google Docs or text. If you haven’t done it already, create a safe and password-protected document vault for working with your clients. Train your clients to be careful about working with you over public Wi-Fi or any other spot that can be accessed by criminals doing man-in-the-middle attacks. Make sure they understand what your official e-mail and text communications look like and vice versa. Your clients will appreciate you looking out for the security of their data.
#10—Invest in a Full Suite of Cybersecurity Protections that Work Well Together
As your firm grows, you’ll probably be layering on one tool after another to keep up with the growing security demand. That’s great, but when did you last evaluate how well your cybersecurity tools work together?
At Integris, we recommend clients follow a Responsible IT Architecture framework. This includes a full array of highly specialized and interlocking cybersecurity tools. This means they work together to create a full dome of protection around your data. Monitoring, reporting, and documentation are all compatible with each other as well. This creates a harmonious and well-run cybersecurity operation that reduces headaches.
Interested in Cybersecurity Best Practices Tailored to Your Law Firm?
Integris can help. Let us do a full cybersecurity assessment and get your law firm up to speed with the industry’s best security and compliance standards. Contact us today for a free consultation.