It’s bordering on an outright epidemic: In the past few weeks alone, five law firms in the US have reportedly been hit by ransomware. And for each of these firms, the breach happened in the worst way possible: the attackers (literally) held the firm’s data for ransom, and in some cases deliberately published the firm’s privileged client information online when the ransom wasn’t paid. This is the stuff that lawyer nightmares are made of.
And these are just the cases that make headlines. Almost every month, here at Uptime Legal, we’re privately contacted by a law firm that’s recently been hit by a ransomware attack (hoping we can provide a more secure platform moving forward). Often all of their data, from documents to their practice management database, was encrypted and held hostage. A disturbingly high number of these firms lacked prudent preventive IT care, and/or a reliable, tested backup to restore from.
Our job is to help these firms, and not judge… but I can’t help but notice a trend that unites the firms that contact us post-disaster. They often took a lackadaisical approach to proper IT management (including, but often not limited to, cybersecurity). They may have been laissez-faire about implementing real cybersecurity policies. They may have been a little too tight with the budget when it comes to proactive IT management. Many firms we spoke to only had an IT professional out to manage their network “as needed, when things break.”
We often have conversations with law firms where we’ll preach the gospel of properly managing your IT, whether that’s on-premises or in the cloud, and the importance of proactive IT care regardless of a firm’s size. Sometimes, when we politely suggest that the firm seems to be under-managing their IT, the response we get is: “Well, we’ve gotten this far without a problem.” (I like to call this the “Aw, shucks” defense.)
And don’t think that ransomware is only a BigLaw problem. While it’s mostly larger law firms that make headlines when a breach occurs, the majority of the firms that call us after being struck with ransomware are firms with 10 or fewer attorneys.
Even software companies, some of which have launched their own cloud hosting offerings, have been taken down by ransomware attacks, as we recently saw with the attack against TrialWorks, whose clients were without access to their data for days.
Simply put, every law firm needs to make cybersecurity, especially the threat of ransomware, a top priority in 2020.
Here’s what to do to avoid being the next law firm ransomware headline
Consider the following an imperative checklist, the things your law firm must have in place to avoid ransomware attacks and other cybersecurity threats. Anything less, candidly, and in my humble opinion, borders on negligence.
1. Antivirus + Anti-Ransomware
Sure, you have virus-protection software (who doesn’t?). But general-purpose, “vanilla” antivirus software usually doesn’t adequately protect against ransomware. Ransomware is repacked and changed constantly, specifically so that it no longer matches the file signatures regular antivirus relies on. It’s important that you, or your chosen private cloud provider, have specific anti-ransomware protection in place: systems that detect ransomware by its behavior (a process rapidly renaming or overwriting large numbers of documents, deleting Volume Shadow Copies, or touching planted decoy files) and kill it before it gets to your data.
What’s more, your virus protection strategy should have multiple layers. A large share of ransomware still arrives by email, as a malicious attachment or link, with exposed remote-access services (such as Remote Desktop) the other common way in. Your firm should have virus protection and checking systems:
- At the Exchange/Email level,
- Again at the Perimeter/Firewall level, and
- Again at the Desktop (computer) level
This means that every bit of data that is about to enter your law firm’s network is checked three times, by three independent systems, before being released to your users. “Independent” matters: use different engines (ideally from different vendors) at each layer, so that a sample one vendor misses today isn’t missed three times.
2. Enterprise-Grade Firewalls
Firewalls (the devices that connect your office to the Internet, and that provide some measure of protection from the scary things on the Internet) come in a vast spectrum of capabilities. They range from the $600 firewall you buy at Best Buy or OfficeMax (no offense meant to OfficeMax, it’s a wonderful store); to $10,000 firewalls with intrusion prevention, content filtering, sandboxing of downloaded files, and reputation-based blocking of known-bad sources. While your small law firm may not require the latter, it probably would benefit from something in the middle of that range.
Moreover, it’s important that your firewall not fall into set-it-and-forget-it. Your firewall, like antivirus software, must be routinely monitored, have its firmware patched, and have its rules reviewed (in particular, nothing like Remote Desktop should be exposed directly to the Internet) to protect against the latest threats.
3. 24 x 7 Security Monitoring
Cybersecurity systems are only as good as the processes and people that are monitoring them. Firewalls and virus protection are almost useless if a professional isn’t regularly checking in on and testing those systems. Your cybersecurity systems should be regularly reviewed: things like bursts of failed login attempts (especially against remote-access services such as VPN, Remote Desktop, or webmail) should be spotted and the source blocked immediately. Known security vulnerabilities should be patched with haste. Known attack patterns should be blocked and, where applicable, remediated.
4. Two-Factor Authentication
Two-Factor Authentication (2FA), the most common form of Multi-Factor Authentication (MFA), is low-hanging fruit when it comes to keeping your data secure. The most common way a breach begins is a compromised password: phished, reused from another site that was breached, or simply guessed.
Two-Factor Authentication, if you’re not familiar, is a second factor that must be authenticated before any user can log into a particular system. What this looks like in practice, for most systems, is:
- The user logs into a system (software, virtual desktop, or cloud platform) with their username and password
- The user is then prompted, on their smartphone, to confirm the login (i.e., to validate that it is in fact them trying to log in)
- The user accepts this prompt (the so-called second factor), and the user is logged in.
With this simple but effective system, a bad actor who has only your password cannot log in as you or impersonate you. Two caveats a practitioner will add: it has to be turned on for every way into the firm (email, VPN, remote desktop, and the practice management platform), because attackers go looking for the one system that was skipped; and users need to be told to deny, and report, any login prompt they didn’t initiate, since attackers holding a stolen password will sometimes trigger prompt after prompt hoping someone taps “Approve” to make it stop.
Two-Factor authentication is available for many cloud-based applications as well as reputable private cloud platforms.
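To make the two-factor flow concrete, here is an added example (written for this article; not code from Uptime Legal or from any particular platform) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app displays. The code generation is the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), and the secret is the RFC’s published reference secret so the codes match the RFC’s test vectors. The user record, the salt, and the password are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890", base32-encoded).
# Used here only so the codes produced match the RFC's published test vectors.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret_b32, int(at_time) // step, digits)


def derive_password(password, salt):
    # Slow, salted KDF for the stored verifier; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed demo user record; the fixed salt exists only to keep the example reproducible.
_SALT = b"demo-salt-do-not-reuse"
USERS = {
    "jsmith": {
        "pw_hash": derive_password("correct horse battery staple", _SALT),
        "salt": _SALT,
        "totp_secret": DEMO_SECRET,
        "last_counter": -1,   # highest time step already accepted; blocks code replay
    }
}


def login(username, password, code, now=None, step=30):
    """Return True only if BOTH the password and a fresh TOTP code are correct."""
    rec = USERS.get(username)
    if rec is None:
        return False
    now = time.time() if now is None else now
    counter = int(now) // step

    pw_ok = hmac.compare_digest(derive_password(password, rec["salt"]), rec["pw_hash"])

    # Accept the current step and one either side to tolerate clock drift on the phone,
    # but never a step that has already been used (a captured code cannot be replayed).
    matched = None
    for c in (counter - 1, counter, counter + 1):
        expected = hotp(rec["totp_secret"], c).encode()
        if c > rec["last_counter"] and hmac.compare_digest(expected, code.encode()):
            matched = c
            break

    # Both factors are evaluated before deciding, so a rejection does not
    # tell the caller which of the two was wrong.
    if not pw_ok or matched is None:
        return False
    rec["last_counter"] = matched
    return True


if __name__ == "__main__":
    # A stolen password on its own is rejected; password plus the phone's current code is accepted.
    print(login("jsmith", "correct horse battery staple", "000000", now=59))                 # False
    print(login("jsmith", "correct horse battery staple", totp(DEMO_SECRET, 59), now=59))  # True
```

The important property is in `login`: the password check and the code check are independent, and the attacker in the article’s scenario, who has the password but not the phone, fails the second one. The `last_counter` bookkeeping is what stops a code that was phished or shoulder-surfed from being reused within its 30-second life.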
5. Data Encryption
It’s also important to keep your data, ranging from your files and folders to your practice management software and its database, encrypted, so that it stays unreadable to anyone who isn’t authorized to see it. For this, we recommend that your data be encrypted both in transit and at rest.
This applies to using cloud-based software (such as cloud-based billing or case management software) as well as hosted IT platforms and private cloud solutions. Data encryption in transit means that all data travelling between your computer and the cloud service you’re working from is encrypted (in practice, over TLS, the same protocol behind the padlock in your browser), so that if intercepted it’s unreadable and unusable to anyone other than you and your firm. One caveat: this only holds if your software actually verifies the service’s certificate; a client that accepts any certificate is encrypting its traffic straight to whoever is in the middle.
Data encryption at rest means that your data, while stored on a server hard drive (where it ultimately lives), is also encrypted, and (similarly) unusable to anyone outside of your firm and the people that you grant access. Be clear about what it protects against: a stolen drive, a decommissioned server, or a backup tape that goes missing. It does not stop ransomware running as a logged-in user, because the operating system decrypts files transparently for whoever is logged in; that’s the job of the anti-ransomware, firewall, and monitoring layers above.
Both forms of data encryption are vital when it comes to keeping your firm data and your privileged client information secure.
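As an added example of the in-transit caveat above (example code for this article, not from any product mentioned here), the block below shows the weak client setting beside the corrected one, using Python’s standard `ssl` module, and a small audit function that reports the settings a reviewer would flag. The function names and the wording of the findings are this example’s own.

```python
import ssl


def insecure_client_context():
    """The weak setting: the connection is encrypted, but any certificate is trusted,
    so an on-path attacker can present their own certificate and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """The corrected setting: verify the server's certificate chain and hostname against
    the system trust store, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["OK"])
```

The same three questions (is the certificate verified, is the hostname checked, is an old protocol version still allowed) are what to ask of any legal application or integration that talks to a cloud service on your behalf; the vendor’s answer should be “yes, yes, no.”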
While any law firm can certainly put these practices into place with their own on-premises infrastructure, many small and midsize law firms find that moving to a secure, private cloud is the proverbial easy button to ensure their data is secure.
There are no shortcuts in technology or life, but a ready-made, turn-key private cloud might be the next best thing. With the right private cloud provider, you’ll have the server infrastructure you need and hosting for your legal applications with all of the aforementioned security requirements built-in, out-of-the-box.
With the right law firm cloud provider (extra-emphasis added on ‘right’), your firm doesn’t have to reinvent the wheel when it comes to data encryption, two-factor authentication, and ransomware prevention. It’s part of the service, and a major part of the value of moving to such a platform.
- Learn more about Uptime Practice, our secure, private-cloud made just for law firms
- Or: Read our whitepaper, 25 Things To Ask Your Legal Private Cloud Provider