I speak to students at NCCU School of Law every semester about cybersecurity for their practices. I start with the supposition that they will be starting a solo practice. They will be using a new or relatively new computer and new law practice management software. I also assume they don’t know a lot about cybersecurity.
I tell law students that just because you are a solo working from an office at home doesn’t mean you are immune to hackers. Hackers look for cracks in systems of any size, and the “small guys” are sometimes favored as launching pads in “island hopping” and supply chain attacks. A security breach can be the death knell of firms of all sizes, including solos working from home.
Law students ask me about the cyber threat from working in public places like coffee shops. I recommend they use a VPN to encrypt and tunnel their connection to the Internet, encrypted email, encrypted messaging, keystroke encryption, and encrypted data storage.
Most likely you will connect to a home network that may have everything on it from a washer/dryer to the thermostat. Home networks are places where cyber threats may be lurking. People buy something and immediately attach it to the network, which puts them at risk. It may be the network you get from AT&T or Spectrum, or one that is being used by your family. Either way, IoT (Internet of Things) devices add vulnerabilities to your network.
I suggest that you create a new and separate network for your practice’s information system.
If you are working from home or working remotely, you need a computer system that is current and supported by the manufacturer, so that you can get downloads and updates from the manufacturer to keep it secure. You’ll also need to go down the list of other software packages you have on that system, whether it is a Mac, Windows or Linux machine, and maintain all of them with regular updates.
Don’t use a home router. You should have a dedicated system and your own network with cybersecurity protections in place.
The level of cybersecurity you need will depend on your practice’s area of expertise. A lot of attorneys with new practices will take on a variety of cases. If you are going to be handling personal injury claims, you are likely to have a client’s medical records, so you are subject to HIPAA regulations, which come with their own cybersecurity requirements. Even if you have something as basic as a client’s credit card, you hold their Personally Identifiable Information and are required to protect it from hackers.
I suggest you begin with the help of a cybersecurity professional to get you started on the right foot and create the architecture for a healthy and sustainable system.
There is an endless amount of information online about setting up your own cybersecurity for your firm.
Can you try to do it yourself? Absolutely, but there is a high probability you won’t do everything correctly or efficiently, and that shortens the time before you could get hacked. You’ll spend a lot more money doing things wrong, because you’ll constantly be cleaning up the resulting fallout. You’ll make it easier for a hacker, and you won’t know you’ve been breached until after the cyberattack has already occurred. Did you know that one computer can include 60,000 ports? These can be access points for bad actors.
The first step I suggest is online education about cybersecurity. Companies like ours offer online security awareness core training that includes security awareness training and testing. The training looks at current scams, vulnerabilities, phishing campaigns, social engineering efforts, and emerging malware threats. Knowledge is the front line of defense against hackers and cybersecurity attacks, as most often they are completely preventable.