The 3 top security issues your firm needs to address

Despite the tools available, security breaches are still common. Some experts believe that every company has already been breached at least once; they just don’t know about it yet.

That can be terrifying for anyone trying to keep data safe, especially the kind of information found within law firms. Here are three security issues to keep in mind, no matter what kind of tech tools you’re employing:

1. Access by former employees and associates

A survey by cloud IT provider Intermedia and survey firm Osterman Research found that 89 percent of former employees retained access to company assets, including documents, email, and file-sharing apps.

“There’s a great deal of attention paid to hackers in the press, because of major data breaches, but ex-employees pose a far greater threat to a law firm’s systems,” said Dennis Dimka, CEO for Uptime Legal Systems, an Eden Prairie, Minn.-based provider of cloud services that focuses on the legal industry. “It’s not just that these former employees have the ability to get in, they actively take advantage of that to reach back into the assets of former employers.”

Dimka recommends that a firm put IT security on an offboarding checklist, so when a worker leaves, their access is removed along with their ID badge, firm equipment, and front door key card. The employee should hand over all passwords and VPN key fobs as well, and IT should securely wipe their laptops and firm-owned smartphones.

2. Using a patchwork of systems, including online free storage

Data storage and file transfer systems have grown at many firms over time, and involve multiple applications. A surprising number of firms lack a central application, Dimka says. That often leads employees and associates to transfer files and store documents in free online storage options like Dropbox or Box. But that means sensitive information is now “in the wild,” and well outside security controls.

“If a firm doesn’t have adequate backup systems, employees may be concerned that their files will get wiped out if there’s any systemwide problem,” says Dimka. “So, they’re just trying to protect their files. Or, they may be putting files into those systems so they can access them when they work from home. Either way, your firm will be at risk.”

Lock it down: A sophisticated data storage system is worth the security return. Relying on a hodgepodge of free tools and low-cost applications is a recipe for disaster, especially if former employees still have access, or if sensitive documents are shared without authorization. Consider a wholesale change to a firm’s entire system.

3. Spear phishing and ransomware

With ransomware, a hacker slips into a system, then puts encryption controls in place that locks users out. The hackers then demand money to “unlock” the data. With spear phishing, an attacker might target an entire firm, sending an email that looks legitimate. When a user clicks on the link, malware enters the system.

These strategies aren’t new, but they’ve been gaining a great deal of traction and security experts believe they’ll be more prevalent on smartphones next. Vincent Weafer, senior vice president at security firm McAfee Labs, says that ransomware variants are being developed to evade security software even in cloud-based storage systems.

Lock it down: In addition to creating a centralized system that can be upgraded with the newest security controls, it’s also crucial to make sure that employees and associates are trained in the latest security risks. This can be delivered in bite-size pieces. For example, pop a five-minute security training before meetings on other topics, or post notices in break areas.

It’s always important to stay on top of security issues because they’re always changing. Focusing on better access controls, a more efficient system, and more frequent training can go a long way toward helping your firm to stay safe.

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek, and TechNewsWorld.