Opening a New Law Firm

When developing a strategy to protecting yourself from external threats, think of the types of data that you have, where it is stored, how you will access it, the security measures you have in place and where there may be gaps that expose your firm to risks. Consider the following: 

• Who is authorized to access to your computer systems?  
• How do you manage user access controls and permissions to ensure that only authorized personnel have access to sensitive information? 
• Do you know if there have been any unauthorized attempts to access your office systems? 
• How can you prevent unauthorized access to your office systems over the internet?  
• How do you plan to facilitate information sharing with people inside and outside your office (clients, opposing parties/counsel, experts, etc.)? 
• If you have employees, are they trained to recognize phishing and other social engineering attacks? 
• Do you know what your employees are doing with your systems? 
• Do you promptly cancel an employee’s access to your computers and email system when they leave your organization? Are you able to lock, wipe and GPS monitor your tablets, phones and other devices? 
• Do you have a policy in place for regular software updates and patches to protect against known vulnerabilities?  
• Who is responsible for software updates? 
• Do you have anyone using software to remotely monitor your system’s health - from servers, to desktops, tablets and mobile devices? 
• Do you have a virtual private network (VPN) in place for remote access to your network to ensure secure connections? 
• Are there encryption protocols in use for sensitive data both, especially when in transit? 
• How do you monitor and log network activity to detect unusual or unauthorized behavior? 
• Do you understand the risks of using public computers and how vulnerable public wi-fi connections are in coffee shops, airports and hotels?  
• Do you know how to harden your own wireless and Bluetooth connections? 
• Are your backup solutions tested regularly to ensure data can be successfully restored in an emergency? 
• Do you have an incident response plan in place to address potential security breaches promptly and effectively? 
• How do you handle the disposal of old computers and storage devices to ensure that no sensitive data can be recovered from them? 

The rest of this section will cover some of the security tools you should consider when developing your own cybersecurity strategy. 

Passwords 

Passwords are critical for protecting electronic information. But if you do use password protection – and you really must – have you ever considered how strong your password actually is?  

 A weak password is not much better than having no password at all. Unfortunately, the most common passwords, as tracked the password management company NordPass, are very easy to guess or crack. These include passwords such as 123456, password, 111111, qwerty, abc123 and various similar iterations.  

You need to make sure that the passwords you and your employees use are more secure. A good tip for developing a strong password is to use pass phrases that have meaning to you instead of long, complicated passwords. A password like “ILoveToGoToTheMountains” is complex and hard to guess but would be easy for you to remember.  Adding a number and/or special character (for example, “ILove2Go2TheMountains!”), adds a high level of security and is even more difficult to crack. You should also be aware that if you reuse past passwords, you make it significantly easier for bad actors to break in and steal your data.  

If you have concerns about the strength of your passwords, or you just want to test your security measures, you can check using this free tool: How Secure Is My Password? | Password Strength Checker | Security.org 

But passwords are just the beginning. Password manager applications, passkeys and the use of two-step verification can be coupled with the use of passwords to enhance your cybersecurity: 

• Password manager applications securely store and manage your passwords in an encrypted vault, allowing you to use strong, unique passwords for all your accounts without the need to remember each one. They can also generate complex passwords for you and autofill login forms, making the process both secure and convenient. 
• Passkeys are a modern authentication method that replaces traditional passwords with a cryptographic key pair. When you set up a passkey, a private key is stored on your device and a public key is registered with the service you are accessing. To log in, you simply use your device to confirm your identity, often with a biometric factor like a fingerprint or facial recognition. This method significantly reduces the risk of phishing and other attacks, as there is no password to steal. 
• Two-step verification, also known as two-factor authentication (2FA), adds an extra layer of security to your accounts by requiring not only your password but also a second form of verification. This second factor is typically on another electronic device, like a smartphone, which can receive a code via text message or an authentication app. This ensures that even if your password is compromised, an attacker would still need access to your second verification method to gain entry.  

Strong passwords are the first line of defence for your law firm’s computer and network security. But you should bolster your security by using additional tools such as password manager applications, passkeys and 2FA. This will help prevent unauthorized access to your confidential data and other sensitive information.  

Encryption 

Encryption is the process of encoding information so that the content, if accessed by unauthorized users, is in a form that cannot be understood. Encryption is different than passwords, as passwords control access to your data, while encryption secures the data by making it difficult to read, understand and use. If you are sending data out of your office electronically, it must be encrypted. 

There are both hardware and software-based encryption methods and it is important to think about encrypting any devices that you use to store data – not just desktop computers, but laptops, external hard drives and mobile devices. Enabling encryption can be as simple as enabling the password feature on any device – or enabling password protection on an individual document.  

For information on considerations for dealing with encryption in the context of cloud technologies refer to the Law Society of British Columbia’s Practice Resource Cloud computing due diligence guidelines. 

Antispam 

The use of antispam filters helps you catch unwanted and unsolicited emails and prevent these from reaching your email inbox. These filters use various techniques to identify spam, including keyword analysis, blacklists of known spam senders and machine learning algorithms that learn to recognize patterns typical of spam messages.  

By automatically sifting through these irrelevant and sometimes malicious emails, antispam filters save you time while also protecting you from potential security threats. Many spam emails contain phishing attempts, malware and other harmful content designed to compromise your personal information or infiltrate your computer system. By filtering out these emails, antispam tools reduce the risk of falling victim to these attacks and help maintain the overall integrity of your email communications. 

However, no tool is perfect: using a filter is important, but spam and phishing messages will almost certainly continue to get through to your inbox. Accordingly, you need to make sure that you and others in your office are able to identify suspicious messages. Computer security training is important, and you can supplement this training with a phishing email simulator application. These programs are designed to send emails that simulate different social engineering techniques, providing a practical and effective way of educating and preparing you for such threats. These tools can help identify weak spots in your law firm, such as which messages are most effective, and which employees are most vulnerable to different types of attacks. 

See www.fightspam.gc.ca for more information about Canada’s anti-spam legislation. 

Anti-virus/anti-malware/anti-spyware 

Malware – short for malicious software – refers to any programs designed to gain access to computers, compromise or interrupt regular computer operations, or gather sensitive information such as passwords or valuable account information. These threats pose significant risks to the integrity, confidentiality and availability of data and systems, and if they breach your security, they can seriously disrupt your law firm.  

There are a number of types of malware, including:  

• Viruses: harmful programs that, once executed, replicate themselves by modifying other computer programs and inserting their own code. This can cause significant damage to data and can disrupt the functionality of computer systems. 
• Spyware: secretly gathers information about a person or organization without their knowledge, often capturing data such as internet usage, passwords and other sensitive information. This data can then be used for malicious purposes, including identity theft and unauthorized access to private accounts. 
• Ransomware: another type of malware that encrypts a user's files and demands payment for the decryption key, effectively holding the data hostage.  

To safeguard against these threats, it is essential that you use comprehensive anti-virus, anti-malware and anti-spyware software. These applications typically offer real-time protection by scanning and identifying malicious activities, blocking threats before they can do harm and removing malware if it is detected. They also provide tools for regular system scans, ensuring that any dormant or non-active threats are identified and neutralized. 

The use of protective software is crucial for law firms. Breaches in cybersecurity can lead to severe consequences, including the loss of client trust, legal repercussions and significant financial losses. Ensuring that robust cybersecurity measures are in place is fundamental to maintaining the integrity and confidentiality of your law firm, protecting both the firm's reputation and your clients' information. 

By taking computer and network threats seriously, you can prevent successful attacks and foster a culture of security within your law firm. 

Firewall 

The “firewall” is the gatekeeper on your internet connection – screening the incoming and outgoing communications from your computer. Information goes in and out of your computer through access points or ports. These ports are open and accessible to any other computers on the internet. The firewall watches these openings and prevents and warns you about unauthorized access.   

Firewalls can be categorized into two main types: hardware firewalls and software firewalls. 

• Hardware Firewalls: Physical devices placed between your network and the internet. They serve as a first line of defense, filtering traffic at the network's perimeter before it reaches internal systems. Hardware firewalls are particularly beneficial for protecting large networks because they can handle a high volume of traffic and provide robust security features. They are often integrated into routers and network switches, providing security to everyone operating on a network. 
• Software Firewalls: Applications installed on individual computers that monitor and control incoming and outgoing traffic based on predetermined security rules. They provide a more granular level of control over network traffic, allowing you to set specific policies for different applications and services. Software firewalls are essential for personal computers and smaller networks, offering a customizable layer of protection that can be adjusted to meet the specific needs of the user.  

Both types of firewalls work together to provide a comprehensive security solution. In addition to blocking unauthorized access, firewalls can also alert you to suspicious activity, which allows you to respond swiftly to potential threats. They play a crucial role in preventing unauthorized access, data breaches and cyber-attacks, making them an indispensable element of any cybersecurity strategy. 

Back-up, back-up, back-up!  

In addition to specific computer and network security tools and applications, you need to build redundancy into your system. This will prevent data loss and limit business interruptions in the event of loss, damage, theft or security breach.  

Building redundancy into your system means backing up your data. You have a number of options for storing your data. At the most basic level, the decision you need to make is whether to manage the physical storage of data yourself or whether you want to outsource this function.  

If you want to manage your own data storage, you will need to perform full system back-ups on a regular basis using rotating external hard drives or multiple servers. If you are backing up your data on external hard drives, make sure they are stored separately off-site and are secure from damage including theft, fire, flooding, etc. This is important because if your data is stored on devices located in your office, it could be lost, along with everything else, in the event of a catastrophic event.  

You should also keep multiple copies of your off-site back-ups and you need to perform periodic tests. Media can be degraded over time and is subject to environmental issues (heat, magnetic devices) so you’ll need to test your back-ups to ensure they are functioning reliably.  

Cloud back-up is increasingly common and generally provides the most ease of use. However, cloud services are not a panacea: if bad actors are able to access your systems, they are likely also able to access, exploit and compromise your cloud storage. 

When considering different storage providers, ask: 

• How does the provider secure my data (do they back up their servers and where are those servers located)? 

• How long has this particular company been around, and are they likely to still be in existence if I need to access my data? 

• If the company fails, how can I recover my data? 

• What is the method of encryption used, and does anyone other than me have the access key? 

Consider a company that is reliable and preferably uses only Canadian servers to store data. Before storing client data abroad, Canadian privacy legislation may require you to obtain your clients’ consent. When your data is stored using servers located outside of Canada, legislation in other countries may give foreign governments the right to examine or intercept confidential and privileged client data. Of course, that same legislation may give them even greater authority to monitor and intercept data located beyond their own borders, such as locations in Canada. The decision and the responsibility are up to you and your level of comfort with risk. Know the risks and benefits each option presents.  

The Law Society of British Columbia has produced good information on the risks of Cloud computing with Cloud Computing Due Diligence Guidelines.  

Other Tools  

This module largely focuses on technological solutions to cybersecurity threats. But don’t forget about more basic equipment required to protect your electronic devices and computer network, such as:  

• Surge Protection Devices: Helps protects your equipment against power surges or spikes. 

• Uninterruptible Power Supplies: These devices provide uninterrupted power supply to continue providing backup power in the event of a power outage. 

• Alarm System: Alarm systems are essential to your law firm. Alarm systems will help protect you, your employees and your property from theft – and also lower the risk of theft or vandalism in the first instance.  

Security Protocols 

Once you’ve developed a computer and network security system, it’s important to create a security protocol. Office security protocols for online activities set out policies and training for safely using the internet. You should consider developing the following policies for your law firm: 

• Gen AI use policy – the free versions of applications are powerful and widely popular tools but come with risks to the confidentiality of any information included in ‘prompts’ a user may enter. It is essential for staff and lawyers to understand the guidelines for the use of these platforms. Your organization should look to the paid versions of these tools which offer much greater security and accuracy and consider Gen AI tools specifically designed for use by legal professionals.  

• Internet use policy – develop a policy that sets out guidelines for dealing with online transactions, restrictions on website visits, file sharing sites, download or installation of software, apps or browser add-ons etc. 

• Email use policy – dealing with recommended procedures for dealing with various activities such as forwarding sensitive emails, identification of suspicious communications, the use of “reply all”, or how email communications should be stored. 

• Social media policy – set out guidelines for use of such social media sites as Facebook, Twitter, Instagram, and LinkedIn, how these sites can be accessed, and what information is appropriate to share. 

You should also consider policies and procedures relating to third-party risks. If you are using a third-party IT service, and it gets breached, your data may be exposed. At minimum, you should understand the terms of your contract with your IT service provider, especially terms relating to notification and reporting requirements in the event of a data breach. And you should ensure you are able to disable third-party access in the event of a breach.  

You should also ensure that you understand your IT service provider’s security standards, such as their security certifications or compliance with standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). When selecting an IT service, you can also ask questions about how they perform regular documented risk assessments, as well as questions about the company’s security systems, like whether they use 2FA. 

Finally, as your firm grows, you may want to consider additional policies and procedures. For example, you may want to consider implementing periodic penetration testing – although this is likely prohibitively expensive for newer or smaller firms. However, threats are constantly changing and you need to make sure your security is appropriate for current threats.  

Security policies promote a culture of security awareness among you and your employees. This can help protect sensitive data from unauthorized access and protect confidentiality, while facilitating access to information stored on your network. Regular training and clear procedures empower staff to recognize and avoid risky behaviors, reducing the likelihood of human error compromising the system. Policies also help mitigate the risks associated with cyber threats, such as malware, phishing attacks, and data breaches.  

By establishing clear guidelines on how to handle these incidents, you can respond to threats swiftly and effectively, minimizing potential damage, maintaining productivity and safeguarding your firm's reputation. 

System Maintenance 

Once you have a solution in place, it is not enough to simply set up the system and forget about it. The best system in the world will not work if it isn’t used properly: ongoing maintenance and monitoring are essential.  

Maintenance must not be overlooked, and you need to make sure that you: 

• Always install software updates (operating systems, hardware, applications and software); 
• Conduct regular system back-ups and store these back-ups in a location other than a computer that is hooked up to the internet or a network; 
• Periodically test your back-ups to ensure they actually work and that you are able to recover data if necessary; 
• Use a firewall/security suite to stop people from remotely accessing a computer or network; and 
• Implement and update policies on generative AI, internet, email and social media use and develop internal controls and training to ensure that everyone is following the correct procedures.