Cyber Security for the small legal firm – How safe is their information?

“A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount.” The New York Times

So far, this demand for heightened security is only affecting the kind of big firms that serve big corporations. But if you’re a small or medium-sized law firm, you need to start paying attention to this problem now.

Why? Well, let’s start with the basics. Cyber criminals target the lowest hanging fruit, and the easiest target is always going to be a small or medium enterprise. In most cases the SME does not have the resources, the finances or the technical know-how to secure its business to an acceptable level. This makes it a prime target. The management of an SME often fails to take steps to fix the issue, because they have the attitude that their company is “too small to be a target,” or that “it won’t happen to us.”

With today’s cybercrime attacks, this reasoning is fallacious. The automated systems that are available to teenagers make a mockery of both these claims. A 12-year-old with access to a computer, the Internet and a little bit of alone time can become a highly respectable cybercriminal. With criminals this petty, there’s no prize too minor to be “worth it,” and even the satisfaction of hacking a website can be enough for them.

Most law firms are modestly-sized businesses, and cyber security isn’t their first concern. But to a cyber-criminal, any legal practice is a highly desirable target. A legal practice has three things that are worth stealing or gaining access to.

  • A large amount of money under trust.
  • A large amount of anecdotal information about their clients.
  • A large amount of their own intellectual property.

All three of these reasons make legal practices a better target than, say, a carpenter or plumber.

An ordinary company might have client information including names, addresses, social security numbers and payment information. It’s bad enough to lose that, but clients of law firms hand over much more—like documents on an upcoming merger or other corporate deal that’s supposed to remain confidential.

Many practices that are still common at law firms, like keeping information on portable flash drives or non-secure mobile devices, can endanger the information’s security. Unlike retail businesses, law firms aren’t required to disclose when they’ve been hacked, and many may not know it has happened until months or years later.

All of this makes clients understandably nervous. The New York Times reports that some banks have resorted to requiring law firms to provide proof of top-level security practices, or even fill out a 60-page security questionnaire. With the amount of money at stake, the firms have a compelling motive to comply. But if this is currently affecting big firms that deal with multinational banks, it will quickly spread. Soon all smart clients will start demanding that their legal firm takes steps to protect their data. Law firms should take those steps now, rather than risk playing catch-up later.


Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisations using the principles of Technology, Management, Adaptability and Compliance.