5 Steps You Can Take Today, To Secure Your Clients Data

There are many articles discussing different ways to secure your clients data. But with the hundreds of law firms I work with, I’m shocked that so many of them don’t even follow the basic rules. Or worst, they’re following processes that were good over a decade ago which is light years in the technology world.

My goal from this article is to make sure you’re not on the bottom of the hacker food pyramid. This is not a comprehensive guide that will protect you from all of today’s threats. This is just a few quick measures you can take today to have at least the bare minimums set in place.

For a more personalized evaluation and longer term solution, contact me.

Let’s begin shall we?

1. Change Your Passwords (and increase the number of passwords you use)

I know you were hoping for my first bit of advice to be something a bit more complex or even sexier than a quick password change. But truth be told this is where hackers still do the most damage.

According to Verizon, about 80% of intrusions happen due to weak passwords.

The problem is when a hacker gets one of your passwords, there’s usually a domino effect that follows.

On average people use up to 6 different passwords to manage up to 24 accounts. One password being exposed means hackers can access multiple accounts.

Most people don’t realize how efficient hackers have become at quickly breaking passwords. A lot of what we used to consider a complex password 10 years ago can be hacked in minutes or even seconds today.

“Technology has progressed, hackers have progressed, our passwords have not”

WP Engine did a great study on what 10 million passwords revealed about the people who chose them.

Here’s a pretty cool visual of the 20 most common keyboard patterns;

Common Passwords

If you’re interested in the anatomy of how hackers can quickly hack through a password, feel free to check out this article: The Anatomy of a Hack


2. Activate Two Factor Authentication Where Possible

Many popular software applications like Gmail offer two factor (or as they call it two step) authentication.

As Google describes it, this works by requiring something you know and something you have to sign in.

The something you know is typically your password and the something you have is either your smartphone or a physical security key.

Dual-Factor-Authentication-Law-Firm

This way if a hacker gains access to one layer of security, they’ll still have to go through a second layer before they can access your account.

You’ll have to set this up for each of your popular accounts and realize that not every bit of software you use will have two factor authentication capabilities.

Here’s an updated list of everywhere you can setup two factor authentication: https://twofactorauth.org/

At Abacus, we provide our clients using our Abacus Private Cloud platform with two factor authentication that secures the entire remote environment, and the applications, documents and software installed within it.


3. Make Sure Everyone knows how Phishing Emails and Ransomware Work

There’s been an alarming increase in the number of law firms being affected by ransomware. CryptoLocker is the one I’ve seen firms being hit by the most.

If you don’t know what ransomware is or how it works, you’ve either been pretty lucky to not have to deal with it or you legitimately have a good system in place.

how-ransomware-works

With CryptoLocker, the victim usually receives an email from someone that you’ve seemingly been doing business with. The email includes a password protected zip file with instructions on how to open the pdf within it.

After exposing it, CryptoLocker will encrypt your important files and databases asking you to pay $100 – $300 in Bitcoin as ransom (hence the phrase ransomware).

Sometime’s the ransom can be quite a bit higher. Like what happened not too long ago with Hollywood Presbyterian Medical Center which had to pay about $17k for the recovery of their data.

Unless you have a complete backup of your data, the only real way to get your files back is by paying the ransomware through.

Even then, because all of your files have gone through an encryption process, when you do pay the ransomware there’s a chance that some of your files can become corrupt and unusable.

For our Abacus Private Cloud customers we keep the backups of the data separate from your day to day work environment. We’ve been able to have law firms back up and running within 10 – 45 minutes of getting hit by the CryptoLocker virus.

A solid IT solution goes a long way to ensuring that your business stays operational when you get hit by ransomware or other potential cyber threats.


4. Verify that a Backup Actually Exists

It’s shocking to see how many law firms don’t even have a backup in place or have backed up their data within their existing environment.

Creating a backup of your data and keeping it on the same computer it’s on is about the most useless thing you can do.

Also, if you’re still using backup tapes (believe me some people still do) you might as well shut your office down for committing malpractice.

In a perfect world you’ll have a backup of your data located on a storage facility outside of your office and even outside of the region you’re in for geographical redundancies.

What you can do today as a band-aid (but not a permanent solution) is to subscribe to a product like iDrive that allows you to backup your data into their storage facilities.

It’s like Dropbox but much more focused on data security than Dropbox is.

I had mentioned this on a different article, but if you ever read through the terms and conditions of Dropbox, it’ll give you quite the scare.

Why is iDrive a temporary fix? Because in the event of a catastrophe, you’d still need to re-install all of your software and systems before you even have a chance to load the data.

A hosted Private Cloud environment (like Abacus Private Cloud), would handle and backup your entire infrastructure.

By doing this you also have the option of putting Business Continuity systems in place so that if something tragic does happen, your business doesn’t miss a beat.


5. Update your Software, especially your Operating System (Windows)

The Operating System is the backbone of your computer/network. No matter how annoying those pesky Windows updates are, they’re critical to the security of your data.

Windows-Update-Notification

Each time Windows issues an update, it’s usually to fix a bug, or close out an opening that’s been discovered.

If you’re still on Windows XP (for some strange reason), it’s important that you immediately get off that platform. Windows XP is no longer supported and you’re basically free bait waiting in a water of sharks to be devoured.

Using old software to handle your clients data against today’s threats is like wearing a knight’s armor and running to the front lines hoping you don’t get shot at with a rifle.

This goes for all of your outdated and unsupported software as well. Especially anything you’re using to handle client data. Each program left out of date can be a potential opportunity for someone to break into and access all of your data.

Bonus 6th Step: It’s important to have anti-virus software running on your computer. A lot of anti-virus software though might not be equipped to identify Malware or Trojans located on your system.

One program I like to use that can identify and help remove a lot of malware is MalwareBytes. You can get free licenses for the home edition of the software.

As we continue to offset more tasks and responsibilities to technology, the number of complexities and threats will always grow along with it.

In my opinion we’re at a day and age where attorneys and other business owners would have to spend an inordinate amount of time educating themselves on IT related issues in order to properly protect their interests.

Finding a reputable and reliable vendor who can take all of the IT responsibilities off your plate can make a big difference in allowing you to focus on what you do best and in growing your business.

If you have any questions about some of the solutions I’ve provided law firms, you can contact me via email or my contact form on this website.