How to Secure Your Law Firm

Do you work at a law firm? Do you want to feel terrified?

These dramatic examples all detail hacks on law firms. You may have heard about them! After all, they make great stories.

The problem with these examples: They’re unlikely to reflect the sort of threats your small- to medium-sized law firm will face. Most cyber attacks on law firms are much less dramatic.

In fact, most attacks on law firms fall into two major categories:

  1. A targeted attacker, who wants to get to your client.
  2. An opportunist, who’s just going fishing.

These two attackers have different strategies for inflicting pain on your law firm: they discover your firm by different means, they have different goals, and they produce different kinds of incidents.

When you think about how to protect your law firm, it’s important to start from the incidents you’re concerned about. From these incidents, you can work forward in time to describe an incident response plan. You can work backward in time to discover how to protect yourself. Then you can work the incident again to see how you fare.

Let’s work through an example.

Working through an incident

We’ll start with the opportunist — someone who’s just taking what they can get. What sort of attack might the opportunist do?

The opportunist may have stolen a laptop from a public place. They may open the laptop and find it password-protected. Just in case there’s valuable data on the laptop, they may use some simple digital forensics to extract data from the hard drive.

Working forward from the incident

What can you do after your laptop’s been stolen? Unless you’ve enabled full-disk encryption (which is not the same as password-protecting your computer), you should assume that any data on your laptop has been compromised.

Now, you can think about your incident response plan. First, you’ll have to discover what was on your laptop. Second, you’ll have to figure out what you can do to clean up the mess — notifying clients and taking any legal protective steps.

Working backward from the incident

What could you have done to make this incident less impactful?

  • You could enable full-disk encryption (see instructions for Mac or Windows).
  • You could set up remote device wipe on your company’s devices.
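Because a login password is not the same as full-disk encryption, the first thing to verify is that encryption is actually turned on. As an added example (not code from the original post), here is a POSIX shell script that classifies the output of each platform’s status tool: `fdesetup status` on macOS, `lsblk -n -o TYPE` on Linux, and `manage-bde -status` on Windows. The function names and the sample outputs are this example’s own constructions, used so the classifier can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not from the original post): check whether full-disk
# encryption is actually enabled, since a login password alone does not
# protect the data on a stolen drive.
#
# classify_fde_output OS OUTPUT
#   OS is one of: macos, linux, windows
#   OUTPUT is the text printed by the platform's status tool:
#     macos   -> `fdesetup status`      ("FileVault is On." / "FileVault is Off.")
#     linux   -> `lsblk -n -o TYPE`     (a line reading "crypt" is a dm-crypt/LUKS mapping)
#     windows -> `manage-bde -status`   ("Protection On" / "Protection Off" per volume)
#   Prints one of: encrypted, unencrypted, unknown
classify_fde_output() {
  os="$1"
  out="$2"
  case "$os" in
    macos)
      case "$out" in
        *"FileVault is On"*)  echo encrypted ;;
        *"FileVault is Off"*) echo unencrypted ;;
        *)                    echo unknown ;;
      esac ;;
    linux)
      # Empty output means the tool did not run; otherwise only a whole-word
      # "crypt" device type indicates an active encrypted mapping.
      if [ -z "$out" ]; then
        echo unknown
      elif printf '%s\n' "$out" | grep -qw crypt; then
        echo encrypted
      else
        echo unencrypted
      fi ;;
    windows)
      case "$out" in
        *"Protection On"*)  echo encrypted ;;
        *"Protection Off"*) echo unencrypted ;;
        *)                  echo unknown ;;
      esac ;;
    *)
      echo unknown ;;
  esac
}

# check_local_fde: run the real status tool for this machine and classify it.
# Returns 0 when encrypted, 1 otherwise, so it can gate a fleet-audit script.
# (On Windows, run `manage-bde -status` from an elevated prompt and pass the
#  output to `classify_fde_output windows` instead.)
check_local_fde() {
  case "$(uname -s)" in
    Darwin) os=macos;   out=$(fdesetup status 2>/dev/null || true) ;;
    Linux)  os=linux;   out=$(lsblk -n -o TYPE 2>/dev/null || true) ;;
    *)      os=unknown; out="" ;;
  esac
  status=$(classify_fde_output "$os" "$out")
  echo "full-disk encryption on this machine: $status"
  [ "$status" = encrypted ]
}

# Constructed sample outputs (not captured from real machines) for an offline demo.
SAMPLE_MAC_ON='FileVault is On.'
SAMPLE_MAC_OFF='FileVault is Off.'
SAMPLE_LINUX_LUKS='disk
part
part
crypt'
SAMPLE_LINUX_PLAIN='disk
part'
SAMPLE_WIN_ON='Volume C: [OS]
    Protection Status:    Protection On'
SAMPLE_WIN_OFF='Volume C: [OS]
    Protection Status:    Protection Off'

demo() {
  echo "macOS sample (on):     $(classify_fde_output macos   "$SAMPLE_MAC_ON")"
  echo "macOS sample (off):    $(classify_fde_output macos   "$SAMPLE_MAC_OFF")"
  echo "Linux sample (LUKS):   $(classify_fde_output linux   "$SAMPLE_LINUX_LUKS")"
  echo "Linux sample (plain):  $(classify_fde_output linux   "$SAMPLE_LINUX_PLAIN")"
  echo "Windows sample (on):   $(classify_fde_output windows "$SAMPLE_WIN_ON")"
  echo "Windows sample (off):  $(classify_fde_output windows "$SAMPLE_WIN_OFF")"
}

demo
check_local_fde || true
```

One caveat worth keeping in mind when you re-run the incident: these tools report whether encryption is enabled, not whether the drive was locked at the moment of theft. FileVault, LUKS and BitLocker protect data at rest, so a laptop taken while powered on and logged in is still exposed until it is shut down or the remote wipe lands.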

Working through the incident again

After enacting plans like this, you could try to work through the incident again, re-evaluating the impact until you have achieved a reasonable level of risk. If you’ve taken the steps above, and the opportunist steals your laptop, what do you need to do?

Remotely wiping the device would be prudent. Other than that, you can reasonably assume no confidential information was compromised, as the hard drive was encrypted. Now that’s a less stressful incident response plan!

Incident response plans

Incident response plans work best when you try them out.

Think about fire drills. We run fire drills before there’s a fire. That way, when there is a fire, you already know what to do. (And you’ve worked out any kinks in the plan during the drill — not during the incident.)

Test your incident response before the incident happens. That way, you can work forward: see what you would have to do. Then, you can work backward: see what you could have done to reduce the incident’s impact.

That’s how you arrive at appropriate security measures: measures that are targeted to your needs, and steps usable enough that your employees will actually follow them.

Here’s an incident for you: your Dropbox credentials got phished. If you don’t have two-factor authentication enabled, someone can now access your Dropbox. What’s on there? What do you have to do now? What could you have done to make that situation easier?

I’ll leave that one as an exercise for the reader.

If you’re a law firm that could use some coaching on your security strategy, get in touch with us. We provide personalized coaching at firms of all sizes.

Nick Merrill (PhD 2018, UC Berkeley) is the founder and managing consultant of Broad Daylight.