
by The Tracument Team on February 15, 2022  |  updated October 7, 2022

3 Simple Security Tips to Protect Your Firm's Data

Introduction

One of the false beliefs about cybersecurity is that the responsibility falls solely on the IT department. The IT department certainly has its role to play in setting up secure networks and infrastructure for organisations, but that is not to say that all other individuals can simply take a back seat and relax.

Everyone should be involved in taking precautions to protect their firms from falling prey to cybercriminals.

This blog post will highlight three areas that firm administrators can focus on to make sure their basic security policies and procedures are as effective as possible.


Security Policy No. 1 — Outgoing Email

It is vital that every law firm has an outgoing email policy. Each lawyer is obligated to manage their files, documents, and client information so that their clients' confidentiality is maintained at the highest standards of their jurisdiction.

Canada's various Federal and Provincial privacy acts, as well as the Law Societies of each province, generally require lawyers to keep their clients' data in Canada. There is also an expectation that data of a very confidential nature, such as medical and financial data, will enjoy a high level of security.

The most common issue caused by outgoing email in regard to this obligation arises when client data sent by email passes through a server outside Canada and is not encrypted or secured in any way. It is analogous to writing information on the back of a postcard and sending it — anyone who handles it along the way may do whatever they wish with the information (save it, scan it, sell it).

The easiest remedy is to have a very clear email policy that governs what client data your employees are permitted to email and what must go by more secure means.

Security Policy No. 2 — Incoming Email

Incoming email presents a different danger, as the concern is not about professional obligations, but about your firm's cybersecurity in general.

Statistics Canada reported that “One-third of Canadians have experienced phishing attacks since the beginning of the pandemic,” and reported cases are on the rise in Canada. Incoming emails are oftentimes the entry point to these attacks.

Creating an incoming email policy and circulating it to help educate your staff about email security goes a long way. Consider including the following tips:

  • Look for grammatical and spelling mistakes in incoming emails.
  • Do not open attachments or click links in suspicious emails (you can go directly to the company's website instead, or call the sender).
  • If you do not know the sender, or if you do know the sender but the content is out of keeping with your usual interactions, contact the person via other means to verify their email.
  • Check the sending address very carefully. Scammers often mimic an email address to make it appear as though the sender is known to you (for instance, jon.smith@domain.com instead of john.smith@domain.com).
  • Pay attention to emails that require immediate actions as scammers use a sense of urgency to cause you to forget about security concerns.
  • Watch out for any requests to input your credentials or credit card details. Again, it is best to navigate to the site in question directly.
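
The sender-address check from the list above can be partly automated. The following is an added example, not part of the original article: it compares an incoming From address against a list of known contacts and flags near-misses such as jon.smith@domain.com. The function names, the contact list, and the distance threshold are assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: addresses the firm already corresponds with.
KNOWN_CONTACTS = {"john.smith@domain.com", "billing@example.org"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, known, max_distance=2):
    """Return (verdict, matched_or_closest_known_address).

    verdict is 'known', 'lookalike', 'unknown' or 'invalid'.
    max_distance is an assumed threshold; tune it for your contact list.
    """
    # Ignore the display name: "John Smith <jon.smith@domain.com>"
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ("invalid", None)
    if addr in known:
        return ("known", addr)
    # Closest known contact by edit distance over the whole address,
    # so a changed letter in the name or in the domain both count.
    closest = min(known, key=lambda k: edit_distance(addr, k), default=None)
    if closest is not None and edit_distance(addr, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for header in ("John Smith <jon.smith@domain.com>",
                   "john.smith@domain.com",
                   "newclient@elsewhere.net"):
        print(header, "->", classify_sender(header, KNOWN_CONTACTS))
```

Edit distance does not catch every imitation (for example, look-alike characters from other alphabets), and a matching address only shows what the From header claims, so the other checks in the list still apply.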

Security Policy No. 3 — Passwords and Logins

Good password hygiene is the key to keeping your employees' logins safe and secure. According to the New York Times, “Everyone should use a password manager to generate and remember different, complex passwords for every account — this is the most important thing people can do to protect their privacy and security today.”

1Password, a Canadian company, just raised $744M to improve and expand their service and is an excellent example of a browser and app-based service that allows users to use a different, complex password on every site. These services can be difficult to set up, but once done, they allow for regular browsing and logging in across the Internet and various other accounts, and they significantly increase one's online security. Your firm can create a corporate account and manage passwords at an organisational level to make things easier.

The second strategy for increasing password and login security is to enable Multi-Factor Authentication (MFA). MFA allows you to link your phone number or a second email address to your account. You then need your password and a code sent to your email or phone in order to log into the account in question. The use of MFA blocks 99.9% of attacks on your accounts according to Microsoft. Think of it as multi-layer protection. Even if one layer is breached (i.e. your password is stolen), you can still stay safe behind the other layers. This simple action prevents data breaches and also gives you time to react if an inappropriate login is detected.

Implementing these three policies in your organisation will significantly increase your firm's security and lower the risk of a breach or attack. They will also help you stay onside of your professional obligations. The above policies can also be implemented at little to no cost in terms of time and money.


This article was originally published on February 15, 2022, and updated as of October 7, 2022.
