Have you given your estate planning law firm’s office manager, paralegals or associates complete and total access to all of your firm’s digital assets? You might have, without knowing it. In a world where law firms are increasingly being targeted by hackers because of the wealth of financial information that lives in their systems, giving access to everyone in the firm could make you vulnerable to cybersecurity issues.
Not every hack comes from the outside. If your office uses PCs with USB ports, anyone—an employee, visitor or delivery person—could load your entire system onto a thumb drive (also known as a memory stick) and walk it right out the door. There are firms that deliberately do not have USB ports on their computers to prevent this from taking place. It is a very easy hack.
Do all employees have/need equal access? Your system should have different levels of access, depending on the needs of employees. The paralegal needs client documents, but does he need the same documents that a partner needs? This depends on your practice and the asset levels of your clients. Your receptionist may not need access to your accounting system, but if she is responsible for time billing, there may be some interface between the systems.
We’re not of interest to anyone. Inserting your cyber-head in the sand is no way to practice law. Law firms, CPA firms and financial advisors are all targets, whether they are solo practices or global firms. You’ve got client data, Social Security numbers, EINs and asset lists. What more could a hacker ask for than a law firm with little or no data security?
We can’t afford cybersecurity. Short answer: you can’t afford not to. Longer answer: if you have an IT company that handles your office systems, including computers, servers, laptops and backup systems, they should be able to test your security and provide solutions. You may not need the same level of protection as a firm that must meet Sarbanes-Oxley requirements, but you might want cyber protection. If your IT vendor does not provide this service, you may want to find one that does. Also: ask your IT department about security issues for wireless devices in the office. We have heard of wireless devices brought in by people who love gadgets but weren’t aware of how vulnerable they made the entire firm’s data center.
Do your employees need cybersecurity training? Even the most sophisticated users can be “phished.” Emails that appear to come from the managing partner and use a terse tone make attorneys feel compelled to answer immediately, and they click on a link as directed. In a nanosecond, hackers are able to make landfall into your system. The system can be secure, but the keyboard users are not always infallible.
Firm policies with regard to cybersecurity and computer use. Unless you are also a labor and employment lawyer, please don’t do this yourself. We know it’s another investment, but if you have a policy in place, you will be able to enforce it with far less hassle (read: employee litigation) than if you do not.
What should those policies include? We’re not employment attorneys either. Common sense dictates a firm policy regarding practices of protecting passwords that secure documents, the use of computers during work hours for personal matters, use of personal phones during business hours and expectations of privacy using office email. Ask your labor and employment lawyer about language concerning theft of any client files in digital or paper format, through email, copying, shared files, etc. They will be able to tailor a policy suitable for your practice.