The answer should be: very worried. Even if you are involved in a small company or small law firm, you can be a target. Everyone needs to take appropriate precautions.
Even though we seem to be hearing nonstop horror stories about servers being held for ransom or personal information stolen from websites, there are things that you can do to minimize the chances that you or your company will be the next victim.
You need to establish a set of security rules that will apply to everyone in the firm, and they should be rigorously enforced. The biggest exposure does not come from hardware or software, but from your humans. Everyone on the staff should be trained in how to compute safely. They should never open an email, even if it is from someone they know, if it seems suspicious in any way. Never click on a link in an email unless you are sure that it is taking you someplace safe. At worst, you will delete an email that was legitimate, but if it is important the sender will try to contact you again. Users should not be able to add new programs to the network.
In order to access your network (whether you are in the cloud or have a server in the office), you should utilize two-factor authentication. In addition to a complex and frequently changed password, the user should be required to input an additional set of numbers that are texted to a smart phone or a different email address. These systems are not foolproof, but they reduce the chances that someone who obtains a password will be able to get into the network. The system should automatically lock out accounts after a certain number (3? 5?) of unsuccessful attempts to log in. If it is really an authorized user who keeps screwing up his or her password, they will call the system operator to straighten it out eventually.
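As an added illustration of the lockout rule described above (this is example code, not something from the article or any particular product), the following Python sketch counts failed log-in attempts per account within a time window, locks the account once the threshold is reached, and refuses further attempts until the lockout expires even when the correct password and code are presented. The account name, thresholds and the sequence of attempts are constructed for the example; a wrong second-factor code is treated as a failed attempt just like a wrong password.

```python
"""Failed-login lockout policy (added example, not from the original article)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # the article's "3? 5?" threshold (assumed default)
    window_seconds: int = 900    # failures older than this no longer count
    lockout_seconds: int = 1800  # how long the account stays locked (assumed)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                            # 0 means not locked


class LoginGuard:
    """Tracks failed attempts per account and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = defaultdict(AccountState)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.accounts[user].locked_until

    def _record_failure(self, user: str, now: float) -> bool:
        """Record a failure; return True if this one triggers a lockout."""
        st = self.accounts[user]
        # Only failures inside the sliding window count toward the threshold.
        st.failures = [t for t in st.failures
                       if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def attempt(self, user: str, password_ok: bool, code_ok: bool,
                now: float) -> str:
        """Evaluate one log-in attempt.

        Returns 'locked' (refused, lockout in force), 'ok' (both factors
        correct), 'failed' (wrong password or code) or 'now_locked'
        (this failure pushed the account over the threshold).
        """
        if self.is_locked(user, now):
            # Refuse even a correct password/code while locked; the user
            # contacts the operator, as the article describes.
            return "locked"
        if password_ok and code_ok:
            self.accounts[user] = AccountState()  # success clears the counter
            return "ok"
        return "now_locked" if self._record_failure(user, now) else "failed"


def simulate() -> List[str]:
    """Run a constructed sequence of attempts for a hypothetical account."""
    guard = LoginGuard(LockoutPolicy(max_failures=3, window_seconds=600,
                                     lockout_seconds=900))
    # (seconds since start, password correct?, second-factor code correct?)
    events = [
        (0, False, False),    # wrong password
        (10, False, False),   # wrong password again
        (20, True, False),    # right password, wrong code: third failure, locks
        (30, True, True),     # fully correct, but the lockout is still in force
        (1000, True, True),   # lockout expired, correct credentials succeed
    ]
    return [guard.attempt("alice", pw, code, t) for t, pw, code in events]


if __name__ == "__main__":
    print(simulate())  # ['failed', 'failed', 'now_locked', 'locked', 'ok']
```

The sliding window is what keeps an authorized user who mistypes once a week from ever being locked out, while a burst of guesses still trips the threshold; the lockout applying regardless of whether the later guess is correct is what makes the rule worth anything against someone who already holds the password.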
You should make sure that each workstation has modern anti-virus/anti-malware software installed and that it is updated regularly. The defensive programs should be installed on any device that is attached to your network, including mobile devices. If you use Windows, you should be on the latest version. Every time an operating system update is released, it should be installed, as much of the updating is to plug security holes.
You should have a back-up system for all of your data, both at the server and workstation level. If you use a cloud service such as those provided by Microsoft, Amazon, or other big providers, they have a built-in back-up protocol. If you use a different vendor, check to see what their back-up protocol is. Often, it will be a replication to a different server farm. Back-up drives attached to each workstation, if configured properly, will protect against loss of data due to mechanical problems at the workstation. But they may not protect against a ransomware attack, since the back-up drive may be similarly infected. Therefore, it is somewhat more secure to use an online back-up system, since most malware attack software won’t “see” the online connection as an attached drive, and won’t be able to encrypt it.
Any device that stores business or client information should be encrypted. For office workstations this means a program like BitLocker. For mobile devices, the default encryption and password may suffice, but you should supplement this with a remote ability to locate and/or wipe the device. Many of the instances of unauthorized access have been due to loss of a mobile phone or theft of a laptop. Make sure that if this happens, the finder will be unable to do anything with the data on the device.
If your business or law firm network is going to be accessed by others, make sure that there are strong firewall protections between the various segments of the network. The greatest vulnerability may come from access to a contractor’s system that has full access to your system. Before allowing anyone remote access to your system, make sure that they have adequate security.
Lawyers should be aware that there are ethical rules that obligate you to make certain that you have taken “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Model Rule of Professional Conduct 1.6(c). The rules also note that competent representation requires that an attorney, “to maintain the requisite knowledge and skill, . . . keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .” Comment 8, Rule 1.1.
In spite of all of your protections, some bad guy may still be able to penetrate your system and steal or encrypt your data. Your protection package should include cybersecurity insurance that will cover the expected costs of investigation, remediation, notification, fines, credit monitoring, litigation defense, and damages flowing from business interruption. Yes, these premiums will add costs to your overhead, but, like every other type of insurance, you are buying peace of mind with the hope that you will never need to use it.
One final note for federal contractors: there are a few formal hoops that you must jump through, as defined by the National Institute of Standards and Technology (NIST). Read more on that subject here.
About the Author
Theodore Banks, Partner at Scharf, Banks, Marmor LLC, concentrates his practice on antitrust, compliance, food law, and other corporate matters. Mr. Banks has extensive experience with corporate litigation, including responsibility for contested mergers, environmental contamination, advertising, insurance coverage, products liability, employment law, consumer protection, and packaging and recycling. He has a national reputation for work in corporate compliance and antitrust, and was an early proponent of corporate opt-out suits as plaintiff in antitrust litigation, such as Vitamin, Carbon Dioxide, Corrugated Container, Folding Carton, and Citric Acid Antitrust Litigation, recovering more than $100 million. Through his experience in all aspects of the food industry, Mr. Banks has deep familiarity with the regulatory frameworks and state and federal laws governing food manufacture, distribution, sales, and safety.