You’re a lawyer, so why would you need to know cybersecurity terms? Cybersecurity is your IT provider’s problem, right?
Well, yeah, mostly.
But even the best provider can’t defend against wanton neglect, especially since so many threats inadvertently manifest themselves through mistakes made within an organization.
So, while you may not need a doctorate in computer science to track security at your firm, there are a few terms every attorney should have in their lexicon.
Knowing these terms will help you communicate better with your IT provider and others in your firm. Improved communication can lead to more productivity, better security, and even greater profits.
Let’s get started.
Phishing (and more phishing)
Just like actual fishing, there are tons of variants for this cybersecurity threat.
The bad news is that they can come in the form of email, voice mail (vishing), and SMS messages (smishing).
They can target anyone within a firm, but their favorite targets are leaders (whaling) and system administrators (spearfishing).
Those attempts can be frequent and pervasive, and it only takes one, like in the case of Levitan Capital. Though this example wasn’t about a law firm, it could have easily been used against one.
The good news is several filters can be used to stop these attacks before they start. Good employee training can handle the rest.
Now, let’s talk about disguising your data.
Encryption
This is the tech world’s answer to the Navajo Code Talkers of World War II fame. It takes your data, like an email message, and turns it into a code so it cannot be read without the appropriate key.
It isn’t foolproof.
Keys can be swiped by man-in-the-middle attacks and other nefarious means. But practicing good key discipline can alleviate this problem.
Encryption gets a bad rap in the legal community as cumbersome, but we explain here how that problem is disappearing as technology improves.
It can be pricey, but considering how much security it adds to your data, it is worth a look.
The next one is practically free, but it does take a little patience.
Multi-Factor Authentication
MFA is almost second nature now. Just about everyone has experienced signing in to a website only to be assigned another code they have to enter to gain access.
While many people find it annoying, it’s still one of the best (and least expensive) ways to add extra security in an age when people tend to use the same passwords for multiple sites.
So, if your firm uses password protection for any of its data, consider making MFA part of the sign-in process. It’s a little extra work, but the returns on investment are huge.
Speaking of computer sign-ins, let’s move on to endpoints.
Endpoint Security
Endpoints are any device that is the entry and exit point of data for the user, such as desktops, laptops, and other mobile devices.
Now that the technical name is defined, it’s probably setting off lots of familiar security ideas, some of which may be wrong. So don’t fall for some of the most common misconceptions.
What misconceptions? We thought you’d never ask.
First, endpoint security is not all about antivirus software. Yes, it plays a big role, but it isn’t enough.
If your software is good, but firewalls, patch management, and the overall security strategy are weak, you’re in trouble.
It’s like the team that goes out and puts everything into getting a star player, neglecting the support players who make the difference in their success.
The next misconception is that it is only about laptops, desktops, and smartphones. Not true.
Any device hooked to your network that transmits data is a potential portal for a hacker. Tablets, printers, scanners, and even cameras can be compromised. So, you can’t be too careful with endpoint protection.
Finally, there’s the idea that endpoint security is the sole responsibility of the IT department. It is their job to provide training and oversee a security strategy.
Ultimately, the end user is responsible for recognizing phishing attempts, practicing good security procedures, and avoiding daily problems.
The next term also requires some help from end users.
Patch Management
Software isn’t perfect, at least not for long. It gets dated and develops vulnerabilities that can hurt efficiency and compromise networks.
Those vulnerabilities are like holes in a sail, so they must be patched. Honestly, most end users will never have to deal with the details of patch management.
However, it is still a good term to know because every end user has to do a little something to ensure good patch management.
So, get with your IT provider to ensure every end user in the firm is doing their part.
Remember, little holes in a sail can turn into a huge tear, and those little holes start and end with the end user.
Speaking of end users and little holes, let’s look at the next topic.
Cybersecurity Awareness Training
Cybercriminals send an estimated 3.4 billion emails a day. Yes, that’s billion with a ‘B’.
They know that untrained humans are vulnerable to their efforts no matter how good your other network security is.
The good news is most of the emails are filtered out by software. Even if they aren’t, many are so ham-fisted a child could detect them.
The bad news is that it only takes one effective phishing email (or one distracted employee) to create irrevocable damage to your firm.
The answer, of course, is to train employees to avoid phishing attempts. This can be done relatively painlessly, often incorporating training into the employees’ daily email workflow.
Short practice emails can build and sustain employee awareness.
The trick is to practice regularly so old lessons are ingrained and awareness is raised about new, more sophisticated phishing attempts.
A little time spent training can have a huge return on investment for your firm since the trend in phishing attempts is only growing.
But there’s a more nefarious hacking trend that may require deeper training.
Social Engineering
You may have heard this term before. You may even associate it with phishing, but it’s different.
Phishing is usually a broad-based, surface-level trick, such as one email with a nefarious link sent to thousands of end users.
The phisher may have little knowledge of law firm workflows and may not be targeting them specifically.
Social engineering runs deeper. The perpetrator uses psychology and manipulation to build trust before executing their fraud.
Perpetrators are often familiar with how law firms conduct business, so they know where vulnerabilities to try and exploit.
Here’s one type of scenario, but there are dozens.
An attacker calls a law firm with a fake legal problem and claims they are looking for representation. This establishes trust because a human voice makes a connection on the other end.
The attacker claims to have a document that proves their case and provides a reasonable premise for the lawyer to open it.
The document seems benign, even real, but it contains a malicious payload like a Remote Access Tool (RAT), which can lurk silently in the background.
The RAT provides a whole variety of options for the attacker.
With it, they can steal confidential client data and hold it for ransom.
They can review email communications and use spoofing techniques to trick clients into transferring money into fraudulent accounts.
The possibilities are endless.
Preventing them comes down to a couple of factors: good training and a good IT provider.
Good training allows the lawyer to recognize even subtle red flags so they can call their IT provider for advice and insight before making a mistake.
At this point, you may think cybersecurity is just a patchwork of tactics that needs to be weaved into a model to be effective.
That is true, and there’s no better security blanket to stitch together than the next one.
Zero-Trust Architecture
Zero-trust architecture, or ZTA, is a security model that starts with the premise that your firm has been breached. That means your users, devices, applications, all of it.
So, they have to be validated before being granted access to any network.
Essentially, every application, user, and device becomes a castle with a moat surrounding it.
Now, this may sound like overkill, but hackers have adopted a looting mindset when it comes to data.
They will steal anything, even encrypted data, and sift through it later, looking for potential value. And even theft of encrypted data can have far-reaching ethical consequences.
There are equipment and training costs involved in establishing a ZTA architecture, but it still might be your firm’s answer to abiding by rules like ABA Rule 1.6 on confidentiality.
And the initial costs incurred are better than a data breach’s financial and ethical repercussions.
Putting it all together
Law firms today have to be up to speed on tech threats that can hurt them and tech models that can help them. So, knowing the language is a start to helping you know how to better communicate with your IT provider to give your firm the best advantage possible in an increasingly dangerous technological environment.
The EDC Way
At EDC, we’re constantly evolving our approach to new challenges. That’s how we prevent problems from happening before they start. Our dedicated team of IT professionals is here to help you.
From strategizing a plan to providing multiple lines of defense against hackers, we will ensure your data and private information is safe behind a vanguard of security measures.
To learn more about EDC visit EDCNOW.com, or to schedule a free consultation on how we can help with your IT needs, call us at: 337.235.7741 in Lafayette or 504.322.3622 in New Orleans.
