Cybersecurity for Law Firms: Securing Data Starts with You

Robin Bull | How To, News

In August 2020, Kaspersky announced that it discovered the name of a digital mercenary group that spent the previous ten years targeting European law firms: Deceptikons APT. Regardless of your location, it highlights the importance of cybersecurity for law firms. According to ZDNet, the group’s most recent attacks in 2019 used PowerShell scripts to infect hosts. Kaspersky described them as “clever” as opposed to being “technically advanced.”

This particular group primarily relied on law firm staff falling for phishing and clicking on malicious files, which deployed a PowerShell-based trojan that allowed the group to gain access to the law firm. The group generally focused on stealing business and financial information.

While the cybersecurity threats faced by law firms continue to evolve, it’s important to recognize that securing data starts with you and your team. By embracing what most of us have come to know as basic cybersecurity best practices (and making sure they are used across the board by everyone who works with your law firm), you can lessen the likelihood of a law firm data breach.

So, let’s talk about the everyday basics of cybersecurity for law firms!

Understand That Phishing Is Alive and Well as a Cybersecurity Threat for Law Firms

Because of how quickly technology changes, there are people who think either that their email filter catches every phishing attempt or that scammers and data thieves have moved on to more sophisticated plans. Scammers are counting on that belief. Email phishing is alive and well. In fact, it may now also include quite convincing (yet fake) invoices in addition to the standard phishing attempts. There’s also smishing, the text (SMS) version of phishing. It could be a request to reset your password, make a payment, or any number of things.

It’s important to recognize, and to train everyone who works with your law firm to recognize, that phishing and smishing are alive and well. Suspicious links should not be clicked. Unexpected files should not be downloaded, let alone executed. That’s exactly how the PowerShell trojan was deployed by Deceptikons APT; it wasn’t technically advanced. It didn’t need to be.

Use a VPN, Especially If You Work Remotely

If you work remotely or if you find that you need to access client information, case information, or law firm email from your cell phone and you’re not on a secured internet connection (such as in your home or office), make sure that you have a VPN installed on your laptop and your phone.

VPNs are easy to install and use, as well as affordable. On a laptop or phone, a VPN from a reputable provider installs with just a few clicks. It’s important to note that if your bank tracks your IP address when you log in, you may need to turn your VPN off, since a VPN hides your IP address in an effort to help you protect your location and your data. To learn more about VPNs, check out this easy-to-understand article published on Attorney at Work.

Ensure All Employees Rely on Provided Legal Technology

While it can be convenient to save documents to the hard drive of a local computer, it isn’t secure. All employees, regardless of where they are located, should use all provided legal technology. This includes relying on the adopted online storage methods, secure chat, intake methodology, and any other law firm methods.

One of the best ways to ensure that all employees use the technology is to make sure that they have all of the training necessary. This may include webinars, on-demand videos, scheduled online meetings, and an open-door policy for questions. It is also helpful for employees to understand why using these adopted methodologies is important.

Establish a Cybersecurity Policy for Your Law Firm

The policies your law firm may need depend on how your law firm operates. If you’re working remotely either temporarily or permanently with your team, you’ll need to consider how to enforce the cybersecurity policy from a distance. However, this also highlights the importance of law firm employees using the established legal technology.

Other policies may include:

  • BYOD (Bring Your Own Device) policy. This determines whether law firm employees can use their own devices when fulfilling their duties.
  • Usernames and passwords. While usernames are generally set once, it is important that passwords are changed on a regular basis. Passwords should also be secure in nature. Programs like LastPass and 1Password can make it easier to create and store secure passwords.
  • Work from home policies. Of course, working from home has become the new normal with COVID-19. It’s also brought the use of both legal technology and law firm cybersecurity into the limelight. It’s important to establish security policies for working from home.

Keep Virus and Malware Protection Updated

Don’t forget to update the virus and malware protection on your personal laptop as well as law firm computers. This is one of the easiest and most cost-effective ways to protect law firm data. There are many virus and malware protection options available.

Get Expert Guidance

As a lawyer, you don’t have to be a cybersecurity expert. You do need to understand cybersecurity basics. Be vigilant. To best protect your law firm against malware, ransomware, and data breaches, get expert guidance.
