The twenty-first century law firm is beginning to look like the twenty-first century. A look around the office shows maybe half of the computers are warmed by the physical presence of attorneys and staff feverishly at work, but all the computers are quietly chugging away writing motions and entering billable time. No, the other attorneys are not robots. They are working at home or across the country, accessing data remotely to accomplish their work.
This is a growing trend in the legal community. But it comes with risks that require exceptional safety habits. Law firms need to ensure their data is cloaked in the safest and most efficient of privacy protections for working remotely. Poor security habits can threaten a firm’s ability to stay ahead of the hacker curve.
It’s no secret that stolen data is sold across the dark web, the encrypted network of websites used by criminals to trade cyber-victim data. Access to a company’s server stolen by remote desktop hack could fetch criminals a pretty penny on the dark web depending on, among other things, the server location, the difficulty of the software installed, and the value of the data waiting on the other end.
What might the value be for remote access to a Top 200 law firm in Los Angeles with minimal software barriers, on a criminal marketplace such as Hansa or xDedic, or something similar? Is the criminal sale value of simple access to the database housing encrypted medical records, for example, any less than the sale value of the actual decrypted data?
Probably not, yet companies focus on securing the actual data with their encryption policies while often leaving the access protocols for that encrypted data largely unprotected. So, when a law firm begins to allow its employees to work and log in remotely without having established proper remote login security protocols, the addresses and codes associated with the remote access can appear on the web. Such a firm may be putting a lock on the cookie jar in the kitchen while leaving the house key in the front door.
Remote access truly is a powerful tool that allows lawyers unprecedented flexibility. From the perspective of associates, working remotely provides balance to often-hectic lives, with immense benefits to all involved. Billable hours can go up with less time sitting in traffic. Clients can expect faster turnaround times on tasks needed in their cases. Communication availability may increase. Emergencies may be more easily managed. The technology may even help ease mental health concerns about attorneys feeling overwhelmed, which may enhance their ability to provide professional and competent representation.
In my own experience, working remotely has provided immense flexibility during my time as an associate—to my benefit as well as to the benefit of the clients and firm. Working remotely critically saved my hours when a family medical situation caused me to have to stay home and temporarily look after a loved one. Remote access also saved my colleagues and me when we needed to work together in a few Google Docs simultaneously to get documents for an emergency filing completed.
Lessons Learned While Remote
Working remotely has also taught me valuable lessons about the security threats. On one unforgettable occasion, while I was logged in remotely, my screen suddenly froze. As I patiently worked through the issue, I noticed the screen unfreeze and my cursor began gliding in an organized manner, akin to somebody else moving my cursor. After help from a member of our IT team, we diagnosed the problem to likely have been a hacker using corrupted access credentials possibly compromised by the hacker’s social engineering tactics, malicious software, or something similar. Nobody’s fault on our end and no harm done, but eye-opening nonetheless.
The threat was neutralized, and additional security protocols put in place on my computer. The next day, my colleague reported experiencing the same type of attack while working remotely. The scary thing was: we knew we only used our computers diligently and honestly for work, yet the hackers still got through. Working remotely has its positives as well as its learning opportunities.
The following are just some security measures that may help protect a law firm employing remote-access technology.
Ensure the Actual Remote Login Authentication Is Up to Par. Setting up computers with passwords is not enough. By using remote access, a firm is allowing its data to escape the confines of the traditional office. A hacker who successfully phishes for email, telephone, or computer login credentials will have an easy time remotely accessing the company’s information with some simple social engineering. This is something a remote login authentication system can help deter, as it provides additional layers of proof of credentialing prior to allowing access. Many free apps and websites provide this technology, and its incorporation into a firm’s systems can be relatively painless.
Employ Mobile Device Management (MDM) and Train Your Team on the Technology. MDM is software that provides means to monitor employees’ mobile devices deployed across multiple internal mobile service providers and operating systems. Often, this technology can also cover employees who use their own mobile device as a work device. Pricing and products vary by vendor and need, but they generally can provide streamlined mobile protection while also monitoring hours, expenses, usage, and suspicious activity.
Back Up Servers. Firms benefit greatly from routinely backing up data to a secure, encrypted, cloud-based platform. If a hacker ever breaches the systems through a company device authorized for remote access, the firm should do its best to preserve the encrypted, unencrypted, and decrypted data that a hacker could hold hostage in a ransomware attack. While the hacker may still have the means to inflict serious damage on the firm by their mere possession of the data, the company will at least have a recently preserved version of the data, including valuable clues on the data’s electronic footprint for forensic investigation.
Provide Training and Education. Many companies are dedicated to providing effective data security training and education on the latest hacker schemes, so a firm without an IT department should not be afraid to pick up the phone and hire outside assistance.