Protecting Your Law Firm: Experts Discuss Website and Data Security
An excerpt from a Q&A interview that originally appeared in Peer to Peer ILTA
It is one thing to understand the importance of law firm cybersecurity but another entirely to thwart increasingly sophisticated cyberattacks. Such attacks can harm a law firm’s digital presence and integrity and result in issues ranging from blocked website traffic to exposed confidential client information. We recently sat down with Michael Kolb, chief information and security officer at Dickinson Wright, and Zachary Peer, technology director at digital agency One North, to discuss how to keep websites and data secure.
How has digital security evolved with technology?
Michael Kolb: As more data becomes available online, so do the risks associated with hosting it. Law firms have a duty to keep data secure. Fortunately, they can use processes and technologies to keep their websites and client data safe.
What drives law firms’ motivation to keep their sites secure?
Michael: A website is often the first place an attacker begins looking for information to exploit, so it is important to keep it secure. When Dickinson Wright began to receive security questionnaire requests from clients, we decided to pursue ISO 27001 certification to assure our clients that we protect their data. Clients expect a certain level of security and if a law firm cannot deliver, it may lose trust, then business.
What digital security issues remain top-of-mind for law firms, and how do you address them?
Michael: Data protection is the most important aspect of security, but not all data are created equal. Data should be sorted into four tiers: confidential data, internal firm data, user data and public data. Information security management systems classify the data. Depending on the classification, law firms can apply different levels of security to the dataset. For example, everyone can access public data, but only a certain level of employees can access other data. Additionally, many threats originate from socially engineered phishing scams. While implementing technology is important, employee training is essential to block many cyberattacks. After the Equifax breach, for example, I sent a phishing email that requested employees enter their credentials to ensure they were unaffected. This test helped them understand the need to exhibit caution when they were asked for their information.
What advice do you provide your employees on digital security?
Michael: All law firms should train employees on how to keep data secure and never take any knowledge for granted. At Dickinson Wright, we provide seminars for new and veteran employees. As part of our ISO certification, we conduct annual security meetings and quarterly phishing tests.
How will law firms’ investment in digital security change?
Michael: Investment in digital security will keep increasing. As long as law firms hold important client data, bad guys will keep trying to steal it.
Fortunately, 95 percent of security can be achieved through basic, inexpensive initiatives such as password policies. This allows law firms to allocate their security budget to the remaining five percent to thwart the most malicious hacking schemes.
What are the biggest digital security threats that law firms face?
Michael: Social engineering attacks are also becoming more prevalent. Hackers learn or capture the identity and a few unique characteristics – like favorite sports teams – of a law firm’s legitimate client and start phishing. They can then create and send emails from an extremely similar address, making it nearly impossible for the recipient to catch the difference.
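The look-alike sender addresses described above can be flagged on the receiving side before a reader has to spot the difference. The following is an added illustration, not code from the interview or from Dickinson Wright: it keeps a list of known client domains, folds the most common character substitutions (digit 1 for l, 0 for o, rn for m), and scores each inbound sender domain against the known list. The domain list, the inbound addresses and the 0.85 similarity threshold are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed list of legitimate client/firm domains (not real clients).
KNOWN_DOMAINS = {"dickinsonwright.com", "example-client.com", "acmelegal.com"}

# Constructed inbound messages: (sender address, subject).
SAMPLE_INBOUND = [
    ("partner@example-client.com", "Re: engagement letter"),
    ("partner@examp1e-client.com", "Urgent: wire instructions changed"),
    ("jsmith@acmelegaI.com", "Invoice attached"),
    ("jsmith@acmelegal.co", "Docs"),
    ("news@unrelated-news.org", "Weekly digest"),
]

# Single-character substitutions that attackers use to imitate a domain.
HOMOGLYPHS = str.maketrans("01|53", "olles")


def sender_domain(address: str) -> str:
    """Return the lowercase domain part of an e-mail address ('' if malformed)."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return match.group(1).lower() if match else ""


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def lookalike_score(domain: str, known: str) -> float:
    """Similarity in [0, 1] between a sender domain and a known domain."""
    return SequenceMatcher(None, normalize(domain), normalize(known)).ratio()


def classify_sender(address, known_domains=KNOWN_DOMAINS, threshold=0.85):
    """Classify an address as known, lookalike, unrelated or malformed.

    Returns (verdict, closest_known_domain_or_None). The threshold is an
    assumed tuning value; a real deployment would calibrate it on its own mail.
    """
    domain = sender_domain(address)
    if not domain:
        return "malformed", None
    if domain in known_domains:
        return "known", domain
    closest = max(known_domains, key=lambda k: lookalike_score(domain, k))
    if lookalike_score(domain, closest) >= threshold:
        return "lookalike", closest
    return "unrelated", None


def scan_inbound(messages):
    """Run the classifier over (address, subject) pairs; return flagged rows."""
    flagged = []
    for address, subject in messages:
        verdict, closest = classify_sender(address)
        if verdict == "lookalike":
            flagged.append((address, closest, subject))
    return flagged


if __name__ == "__main__":
    for address, closest, subject in scan_inbound(SAMPLE_INBOUND):
        print(f"LOOKALIKE {address!r} imitates {closest!r}: {subject}")
```

A check like this belongs in the mail gateway or the phishing-report triage queue: a hit is a reason to warn the recipient, not proof of an attack, since a client may genuinely own a second domain. Pairing the hit with subject cues such as changed payment instructions raises its priority.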
What does the future hold for digital security?
Michael: Dickinson Wright is implementing biometric authentication. We now use fingerprint scanners, which employees use to log into their computers. This relatively new concept comes with limitations; for example, some computers are not yet compatible with the scanners.