5 Ways Employees Accidentally Threaten Data Security

What do you think is the biggest threat to your IT security system? A hacker getting past your firewall? Unencrypted emails? Lack of consistent back-ups? Those may be serious concerns, but the biggest threat to security for a law firm is actually its employees.

That’s right: The very people who keep your organization running are the same people who might be putting your data at risk. Here are the top five ways in which employees jeopardize security.

1. Opening email virus attachments

An attorney receives an email with an attachment called myresume.zip. He or she opens the attachment, and—just like that—a CryptoLocker Ransomware virus is running rampant through your network.

CryptoLocker Ransomware viruses install a program on the infected computer that systematically accesses and locks all of the data files—including network files. To regain access to the files, money (usually hundreds of dollars) must be sent to the hacker. This type of virus is increasingly aggressive and quite lucrative for the hacker. And, there’s no guarantee that the hacker will honor his side of the deal and unlock the files.

This is one of many viruses that an employee could unleash into your law firm’s network by simply clicking the wrong link or opening an unsafe email attachment. To halt this type of attack, educate employees not to click on anything unknown. Make sure that your antivirus programs are regularly updated and can sufficiently block malware file types and are capable of removing infected files.

2. Weak user IDs and passwords

As the number of usernames and passwords needed by the average person increases, some employees take the following shortcuts to remember their information:
• use the same ID and password across multiple accounts
• use common words or phrases
• use personal information, like a spouse’s name or birthday

Weak user IDs and passwords account for a significant portion of data breaches. A 2015 security analysis attributed 94% of breaches to weak passwords combined with weak remote access security. Often, news stories about famous people being “hacked” are actually about people or automated programs gaining access to celebrities’ information because they’ve been able to guess their usernames and passwords.

Educate users about what constitutes a strong password and put systems in place that require frequent password changes:
• use passwords of at least 10 characters that meet complexity requirements
• mix in symbols and numbers along with both lowercase and uppercase letters
• use multiple security questions
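The policy above can be enforced by software rather than left to memory. The following checker is an added example, not code from the original article or from Legal Workspace; it applies the length and complexity rules listed above and also rejects the two shortcuts from the earlier list (common words and personal details). The word list and the personal-information inputs are constructed for illustration; a real deployment would substitute a breached-password list and the user's own profile data.

```python
import string

# Minimum length from the policy above.
MIN_LENGTH = 10

# Constructed sample of "common words or phrases" to reject (illustrative only;
# a production check would load a full breached-password list instead).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "lawfirm", "summer"}


def check_password(candidate, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info: strings such as a spouse's name or a birth year that must not
    appear anywhere in the password (matched case-insensitively).
    """
    problems = []

    # Length rule: at least MIN_LENGTH characters.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Complexity rules: lowercase, uppercase, digit and symbol must all be present.
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")

    # Shortcut rules: no common words, no personal information.
    lowered = candidate.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for item in personal_info:
        item = item.lower()
        if item and item in lowered:
            problems.append(f"contains personal information '{item}'")

    return problems


def is_strong(candidate, personal_info=()):
    """True when the candidate satisfies every rule of the policy."""
    return not check_password(candidate, personal_info)


if __name__ == "__main__":
    for pw in ("abc", "Password!2015", "Tr0ub4dor&3xample"):
        print(pw, "->", check_password(pw) or "OK")
```

Note that the checker reports every violated rule at once, so the message shown to the user explains what to change instead of just rejecting the password.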

3. Phone scams to access a computer

An employee might receive a telephone call from someone claiming to be from Microsoft support. The caller might say that the attorney’s computer has been compromised and is sending out critical personal information. In order to correct the problem, the employee must allow the caller remote access to his/her computer or give other identifying account information.

Of course, the caller isn’t really a Microsoft support representative. It’s a very sophisticated hacker. Warn employees about phone scams. Callers might claim that they’re following up on open service tickets or investigating virus infections. Employees should never allow unknown callers remote access to their computers.

4. Unrestricted administration rights

If every attorney and staff member has permission to install programs or applications at the firm, it creates a security loophole. Each installation can introduce vulnerabilities on the computer that hackers can exploit to gain access to the network. Many employees are tech-savvy and aware of current security threats, but some may inadvertently download a virus or malicious application.

To prevent these weaknesses and diminish the risk of downloading malware, tighten administrative rights so that an individual—someone in a supervisory position or a legal IT professional—manages program and application installation.

5. BYOD security risks

Bring Your Own Device (BYOD) opens security holes in a couple of different ways: through home computers and various other devices.

When employees use home computers, a Virtual Private Network (VPN) connects them to the company network for remote access. But, the company doesn’t have any control over the home computer’s security. Is there robust antivirus software installed on that computer? Are there others at home using the computer who are unknowingly downloading viruses? Is it updated regularly? All of these threats, if not regulated, could place the entire law firm’s data and security at risk.

Tablets, smartphones, and other devices can also complicate the process of securing a network. One potential issue has to do with applications installed on smartphones or tablets. Permissions for those applications might allow a third party access to data, such as images or contacts, on that device. Access to images on one of these devices could leak sensitive confidential information that compromises your client or law firm.

How to protect employees from themselves

Provide a workstation use policy, which outlines do’s and don’ts for employees. Training helps employees understand the reasons behind the policies and reinforces appropriate actions.

Legal Workspace is a cloud service for law firms that provides IT training for its clients and employees. We work with clients to implement a number of security policies and procedures to protect data against security threats. And, because Legal Workspace’s cloud-based solution is designed in such a way that remote devices can only access the environment through an encrypted channel, BYOD issues get eliminated.

Employees’ mistakes could have serious consequences to your business. Take the necessary steps to protect your system today and increase your data security for the future.

Data Breaches Cost More Than You Think

Recently 11.5 million documents containing confidential data were stolen from Mossack Fonseca, the world’s fourth-largest offshore law firm, and published online. Hackers gained access to one of the firm’s servers which allowed the hackers to steal valuable data and emails. All law firms collect and store a myriad of client and financial data making them attractive targets for cyber attackers.

High-value data including trade secrets, acquisitions and mergers and personal health information (PHI) can be leaked to the public or used maliciously. For example, a large law firm handling a merger might be targeted by someone who wants insider information in order to buy or sell stock. Not all cyber attacks target complex data — even basic client data can be targeted. For example, a small law firm might be handling a divorce and the other party works in IT and has the skills to discover what the representing attorney has planned.

While the hacking motives vary, the consequences are consistently catastrophic for law firms. Data breaches erode the foundation of attorney-client privilege by exposing sensitive data solely entrusted to law firms. Therefore, securing and protecting privileged information is of the utmost importance.

How can you prevent a data breach?

Intrusion prevention and detection systems

Your network should have an intrusion prevention and detection system in place to monitor unusual server traffic. This system helps to identify and shut down hackers, who constantly scan IP addresses looking for weaknesses. Two-factor authentication provides an extra layer of intrusion protection by requiring users to enter two forms of identification during the login process. This approach eliminates the chances that a hacker or computer program can log into a system remotely by guessing passwords.

Law firms should look for enterprise-grade firewalls to protect against malicious software and hackers. Some law firms use multiple firewalls to ensure that if one firewall fails, a backup is already in place.
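The monitoring described in the intrusion section above comes down to spotting patterns such as one source address repeatedly failing to log in. The script below is an added example, not code from the original article or from any intrusion detection product; it parses a constructed sample of remote-access log lines (the format, user names and addresses are invented for illustration) and flags any source IP that accumulates a threshold of failed logins inside a sliding time window, which is the password-guessing behaviour the article says two-factor authentication defends against.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-access log lines (invented for this example, not
# taken from a real system). Fields: ISO timestamp, result, username, source IP.
SAMPLE_LOG = """\
2016-04-12T09:00:01 FAIL user=jsmith src=203.0.113.7
2016-04-12T09:00:03 FAIL user=jsmith src=203.0.113.7
2016-04-12T09:00:04 FAIL user=mjones src=203.0.113.7
2016-04-12T09:00:06 FAIL user=admin src=203.0.113.7
2016-04-12T09:00:08 FAIL user=root src=203.0.113.7
2016-04-12T09:00:09 FAIL user=jsmith src=203.0.113.7
2016-04-12T09:15:00 FAIL user=klee src=198.51.100.9
2016-04-12T09:20:00 OK user=klee src=198.51.100.9
2016-04-12T11:00:00 FAIL user=jsmith src=203.0.113.7
"""

# One regex for the assumed line format; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples from log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        events.append(
            (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])
        )
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {src_ip: (first_timestamp_iso, failures_in_window, sorted_users)}.
    The user list shows whether one account or many were targeted.
    """
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                alerts[src] = (attempts[start][0].isoformat(), count, users)
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, (first, count, users) in find_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} failures from {first}, accounts {users}")
```

In the sample, 203.0.113.7 reaches five failures against four different accounts within eight seconds and is flagged, while the single failure from 198.51.100.9 followed by a successful login is ignored. An intrusion prevention system would take the next step and block the flagged address; the threshold and window here are tuning knobs, not fixed recommendations.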

Email Encryption

Hackers don’t observe attorney-client privilege, and the highest value target is a law firm’s email. Email is the easiest way for clients to send crucial documents and even medical records to attorneys. Email encryption protects data so only the sender and recipient can view email contents.

Internal and External Security Scans

Hackers are constantly evolving their techniques to circumvent existing security protocols and find vulnerabilities. Routine security scans are required to ensure data is constantly protected. Law firms that require the highest level of security, for HIPAA or governmental compliance, must conduct internal and external security scans on an annual basis.

Data Backups

Off-site data storage is crucial in case all of the other security techniques fail or a natural disaster, theft or fire occurs. Data from ransomware attacks can be fully recovered using backup records, without paying a ransom fee to recover encrypted data.

Encryption, secure data centers, authentication protocols, intrusion monitoring: Complex IT considerations can make your head spin. Even if you have an IT department or person dedicated to managing those issues, it’s tough to stay on top of the latest threats when you’re focused on building your practice. Thankfully, you have options. Legal Workspace has extensive experience securing law firms from physical and cyber threats. We worry about security. You worry about practicing law.