2 Easy Ways to Tighten Security

Law firms have an obligation to keep client data secure. As hacking becomes an ever-increasing threat to businesses of all sizes—especially those that store and transmit sensitive data—two options, Two-factor Authentication and Email Encryption, can help put up barriers.

Two-factor Authentication (2FA): What is it?

2FA simply verifies a user’s identity a second time to make sure that the person making the request to enter a system is the actual user.

Often, it works in such a way that you enter your log-in credentials as usual, then the system sends a code to your cell phone that you enter to verify your identity a second time before you can access the system.

2FA is quickly becoming more prevalent in the business world. Some companies that currently use it include Google, Apple, Facebook, Twitter, Dropbox, PayPal, and Citibank. Many colleges and universities, including Penn State and the University of Chicago, are also adapting their systems to incorporate 2FA. Because these organizations understand that the data they house is precious to their users, they know that extra security is necessary to protect that data. It’s only a matter of time before 2FA becomes the standard.

What advantages does 2FA offer?

It can be frustrating to come up with a unique password for every single account—and that means that many people duplicate passwords across accounts or use simple and easy-to-remember passwords and passphrases. That may make it more convenient for the user—but it makes hacking more convenient, as well.

Even a strong password might not be enough because hackers sometimes use tools that repeatedly guess passwords. Such a tool was used to hack Apple’s iCloud in 2015 (http://www.businessinsider.com/icloud-hack-idict-patched-by-apple-2015-1); many high-profile users were affected. One way Apple responded was by improving 2FA.

Whether users employ weak log-in credentials, their information gets stolen, or they repeat passwords across accounts, 2FA adds an extra layer of protection that protects law firms’ data.

How does 2FA work?

Legal Workspace offers 2FA as one of its many security options so its clients can experience greater peace of mind around data security. When a Legal Workspace user logs in, he or she can automatically receive a one-time code on his or her smartphone app. Then the user enters the code in the Legal Workspace environment and gains access to his or her workspace. The whole process takes five seconds or less.

Most users find the process painless, but if any issues arise, Legal Workspace offers complimentary technical support for assistance.

Email Encryption: What is it?

Email encryption protects content from being accessed and read by unauthorized parties. When an attorney sends a sensitive document to a client, he or she probably assumes that no one but the client will be able to see it. However, most email can easily be accessed by hackers determined to get the information, and the device where email is retrieved and stored—whether that’s a laptop or a smartphone—is also at risk.

What advantages does Email Encryption offer?

Attorneys know it’s their duty to perform due diligence to protect client privilege. Sending unencrypted documents puts client data at risk—especially since email is one of the most vulnerable and targeted areas for anyone.

When a user opts to send encrypted email, the sent document is never stored on that user’s email server or computer. That means that the information is safe in the event of a computer or email server hack. It also protects information in case laptops or other devices are stolen or lost.

How does Email Encryption work?

Legal Workspace uses a system that works as follows: An attorney who is sending something to a client types the word “encrypt” in the subject line. Instead of the email server sending the email to the other party directly, it instead sends a link that informs the client that he or she has been sent an encrypted email. The client clicks the link, goes to the website, and can access or download the sensitive document from the website, bypassing the email system completely so the files are never stored on the recipient’s email server.
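The routing step described above, sketched as an added example; this is not Legal Workspace's code. The seven-day link lifetime, the placeholder portal address, the notification wording and the class and function names are all assumptions made for illustration.

```python
import re
import secrets
import time
from dataclasses import dataclass

TRIGGER = re.compile(r"\bencrypt\b", re.IGNORECASE)  # subject keyword from the article
LINK_TTL_SECONDS = 7 * 24 * 3600                     # assumption: links expire after 7 days
PORTAL_URL = "https://portal.example.invalid/m/"     # placeholder, not a real host

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str

class SecureGateway:
    """Holds flagged messages in a portal store and mails out only a link."""

    def __init__(self, now=time.time):
        self._store = {}   # token -> (expiry timestamp, Message)
        self._now = now    # injectable clock so expiry can be tested

    def route(self, msg):
        """Return the message that actually leaves through the mail system."""
        if not TRIGGER.search(msg.subject):
            return msg     # ordinary mail is delivered unchanged
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._store[token] = (self._now() + LINK_TTL_SECONDS, msg)
        # The notification carries none of the original subject or body.
        return Message(msg.sender, msg.recipient,
                       "You have received a secure message",
                       f"Retrieve it at {PORTAL_URL}{token}")

    def fetch(self, token):
        """Portal side: return the stored message, or None if unknown or expired."""
        entry = self._store.get(token)
        if entry is None:
            return None
        expiry, msg = entry
        if self._now() > expiry:
            del self._store[token]   # expired links stop working for good
            return None
        return msg
```

In this sketch the link alone grants access, so anyone who can read the notification can open the message; a portal handling privileged documents would also make the recipient authenticate before `fetch` returns anything.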

2FA and Email Encryption considerably help law firms battle ever-increasing threats to security. It’s no longer enough to cross your fingers and hope that hackers won’t attack your firm. If you store and transmit sensitive information, you are at risk. These two offerings mitigate that risk by giving you extra layers of protection.

9 Data Security Questions You Should Ask Your IT Provider

Wondering how secure your data is? Ask your Cloud, SaaS, or existing IT provider these nine questions to make sure it’s protected. Their answers could mean peace of mind—or they could mean that your future will hold a data breach, data loss, or a cumbersome recovery process after a disaster.

  1. Do you have an intrusion prevention/detection system?

An intrusion prevention or detection system senses strange traffic on your server. Hackers continually scan IP addresses, searching for vulnerabilities. An intrusion prevention or detection system recognizes when they’re attempting to break in and cuts off their access.

Occasionally, a user can inadvertently mimic the signs that an intruder is attempting to break in. For example, someone might enter the wrong passcode into a smartphone, and cause a glitch to occur where the phone tries repeatedly to log into the system. Does your provider have round-the-clock security staff to restore access in case something like that happens?

  2. Do you support two-factor authentication?

Two-factor authentication requires two components for an attorney to log in. This type of authentication makes it impossible for a person or an automated system to log in to a computer remotely and start guessing passwords.

Here’s one example of two-factor authentication: When a user logs in to his or her system, a mobile application confirms that the user is trying to log in. The user cannot log in to the system until the user has confirmed his/her identity on the mobile device.

  3. What government/industry security standards has your environment been tested for?

Any law firm with clients who store, transmit or access protected health information must be HIPAA-compliant. Depending on the sensitivity level of your data, your cloud, SaaS, or IT provider should maintain an environment that meets the security standards you need. It’s also necessary for any business that accepts credit card payments to be PCI-compliant.

  4. What type of firewall are you using?

The answer you should hear from your provider is: an enterprise-grade firewall that is routinely patched. An even better answer would be that the provider has more than one of those firewalls in place. That way, if one firewall fails, there’s another present to act as back-up.

  5. Are the employees who have access to my information data-certified? Do they have certification on security procedures?

This is an important question to have answered because who can access your data (and their level of experience and expertise) could mean the difference between mishandled information and security. Administrators who have access to clients’ data should hold information security certifications, have specialized training, and execute non-disclosure agreements.

  6. Do any third-party providers have access to your hosted environment?

Let’s say that there’s a problem with an application hosted on your environment. What protocol does your cloud, SaaS, or IT provider follow? Does it allow the application vendor onto the virtual server? If so, that gives a third party access to all of your data, which puts it at risk and violates the HIPAA standard.

  7. Does the cloud, SaaS, or IT provider support encryption of data on the server, including email?

Email is an often overlooked factor in data security. For it to be completely secure, it should be encrypted both at rest and in transit. This is the most common security vulnerability because constructing the appropriate security measures is difficult for a typical IT department to do; it’s a complex process that requires a high level of expertise.

  8. Do you routinely perform internal and external security scans to seek vulnerabilities?

A provider might believe that they’ve set up a secure environment—but technology is constantly changing, which means that the ways in which intruders attack are constantly changing.

To make certain that your data is protected, your provider should be performing security scans regularly. These scans are required for both PCI and HIPAA compliance; to be HIPAA-compliant, both an internal and external security scan need to be performed at least once a year.

  9. Does your provider have a secondary site for data storage?

What happens if all of the redundancy fails and a major disaster strikes? If something, such as a theft or a fire, were to happen at your location, are your disk back-ups replicated offsite? Many organizations omit that step. And, even if you do store back-ups at a secondary location, is that location secure? Do only your provider’s employees have access to the data at that location—or can a third party access it as well?

If your data is replicated and secure, how long will it take you to get back up and running? It could be hours. It could be days.

Constant protection

Redundancy is built into every security measure at Legal Workspace. That means clients’ data is constantly being monitored and protected.

Legal Workspace’s HIPAA Compliant Edition (HCE) achieves the highest level of data security because it is both PCI- and HIPAA-compliant. Employees are all HIPAA-certified and have additional information security certifications. They’re the only people that have access to your data: third party vendors aren’t permitted to access Legal Workspace’s environment.

There’s no need for attorneys to be concerned about email vulnerability; Legal Workspace encrypts email in transit and in your inbox. And, clients’ data gets backed up to a second data center, which means that you could be back up and running within minutes in the aftermath of a disaster.

It’s very difficult for a small—or even a medium-sized—law firm to build a solution that answers all of these questions appropriately. Working with an expert in data security and cloud services for law firms, like Legal Workspace, will give your law firm the highest level of security at a fraction of the cost to do it on-site. Keep your data secure and protected by making sure the best safeguards are in place.