10 Best practices for protecting your firm’s data
1. Create and implement a data security policy at your firm
A surprising majority of security issues begin with simple user error—not tech failures.
- Make a clear, easy-to-follow plan for data security and share it with everyone at your firm.
- Educate employees and enforce procedures such as using two-factor authentication for logins, only using apps vetted by the firm, or a Bring Your Own Device (BYOD) policy for employees using their own devices.
2. Continuously train staff on mitigating data risk
Don’t assume that everyone knows how to spot and avoid a phishing email—open a dialogue and continue to train employees to avoid accidental user errors and promote firm data security best practices. Require training to be taken upon hire and periodically (usually once a year) thereafter.
3. Use strong passwords
Always. Is your password simple and guessable, like your daughter’s birthday or—please, no—“123456”? Do you use the same password for every login? If so, you could be setting yourself up as an easy target for hackers.
- Create better passwords: For increased password security, go for something complex and long. Use a password management tool to help ensure passwords remain secure and make management simpler (no more having to memorize or write them down).
- Enforce strong password rules that keep your passwords in line by requiring strong passwords.
4. Encrypt, encrypt, encrypt
Never overlook this relatively simple and highly effective measure. Encryption translates your data—whether it’s stored in an email, a local hard drive, an internet browser, or a cloud application—into a secret code, which then requires a key or password to access it.
5. Secure your communications
One of the primary ways for hackers to intercept your data is in your communications. As part of your firm’s data security plan, review any vulnerabilities across your communication channels and look to mitigate them (for example, encrypt your firm’s emails).
6. Consider access control
Everyone on your staff doesn’t need to know everything. Be intentional when considering granting permission to viewing specific matters. Be sure to enforce the Principles of Least Privilege and Need to Know.
7. Conduct regular reviews
It’s easy to overlook weaknesses in your firm data security if you don’t take the time to review it. Conduct regular audits (you could build this schedule into your firm’s data security policy) to identify and address risks—things like ensuring former employees no longer have access to legal files or ensuring controls such as anti-virus software and firewalls are operating effectively.
8. Vet vendors carefully
While data security ultimately falls under the ethical responsibility of lawyers, legal technology can definitely help make this easier (or harder). To ensure your provider will do you more good than harm with your data, carefully vet potential vendors.
9. Plan for the worst
As much as you hope to avoid (and actively mitigate the risk of) data breaches, you need to know what you’ll do if it does happen—before it happens.
- Create a plan for what to do in the event of a data breach: The plan should detail what needs to be done immediately in terms of communication, changing passwords, and reporting (to impacted individuals or regulatory authorities) if there is unauthorized access to your data. It should also specify your firm’s plan for what to do if a malpractice claim is filed. Also consider including any guidance provided by the your respective professional body ( ICPAK, LSK) with respect to your ethical obligations.
- Test the plan: Data breaches shouldn’t be left up to theoretical in the event of an issue.
Another scenario you should prepare for is what to do in the event of a disaster to ensure your firm can continue to operate effectively.
- Create a disaster recovery/business continuity plan: Your plan should include considerations for items such as defining critical systems and equipment, identifying appropriate tools/procedures (i.e. backups, remote sites, cloud providers, etc.), and developing communication plans.
- Test the plan: Find out what works (and what doesn’t)!
10. Bump up your firm’s mobile security
With more and more work done remotely, there’s increasingly a need for mobile firm data security. Making use of secure mobile apps takes a lot of the heavy-lifting out of the process , but your smartphone and laptop, in general, might also need a security makeover. Secure your phone, laptop, and other mobile devices, with steps like:
Enable encryption
While having a lock-screen password on your laptops and mobile devices is a first (essential) security measure, it won’t protect your data if someone gets a hold of your password. Enable encryption on your mobile devices to scramble sensitive data for unauthorized users, and enhance security. Here’s how to encrypt your iPhone or your Android device.
Set up two-factor authentication
No matter how strong your password is, it can still be hacked. Adding two-factor authentication—which requires your password (the first factor) and a temporary code sent to another device (the second factor)—makes it that much more difficult for someone to access your device. In practice, two-factor authentication usually requires the person logging in to verify their identity through the use of their mobile.
Backup firm data to secure servers
Whether you lose your device or you’re the target of a ransomware attack, it’s smart to regularly back up your firm data to a secure, encrypted location so you’ll still be able to access most of your data.
Keep professional and private accounts separate
Don’t risk mixing confidential professional communications with your personal ones. By using dedicated apps for your professional work, you can keep these two worlds apart.
Have a plan for lost or stolen mobile devices
If you lose (or someone steals) your smartphone, what’s the first thing you’ll do? From having a way to locate a missing device (like Find My iPhone or Google’s Find My Phone), to knowing how to suspend service or disable your device remotely, it’s important to make an action plan before you need it. Make sure you have full disc encryption on your laptop as well so you can know your data won’t be compromised if your laptop is stolen or lost.