Start Your FREE Membership NOW
 Discover Proven Ways to Be a Better Law Office Manager
 Get Our Weekly eNewsletter, Law Office Manager Bulletin,
    and MUCH MORE
 Absolutely NO Risk or Obligation on Your Part -- It's FREE!

Upgrade to Premium Membership NOW for Just $90!
Get 3 Months of Full Premium Membership Access
Includes Our Monthly Newsletter, Office Toolbox, Policy Center, and Archives

Worried about a data breach? Here’s why you should be

Your greatest asset, your employees, can represent your greatest threat—a data breach— according to computer security experts John Simek and Michael Maschke.

“If you are worried about a data breach, you should be,” says Simek, who is vice-president of Sensei Enterprises Inc., a Fairfax, VA-based digital forensics, IT and cybersecurity company. “If somebody really wants to get into your systems, they are going to be able to do it, no matter what.”

Many breaches and lapses of security stem from employees, according to Maschke, who is CEO of Sensei Enterprises Inc.

Simek and Maschke say the greatest misconception among employees is known as the IT shepherd, which is the belief that technology will protect them from themselves.

Your law firm workers probably don’t believe they need to be trained and knowledgeable about security, because the ‘IT guy’ and security software will take care of things. Nothing could be farther from the truth, according to Simek and Maschke.

A 1,200-employee study commissioned by the Computer Technology Industry Association (CompTIA) found that 63 percent use work-owned mobile devices for personal activities.

Of those, nearly 80 percent use those devices to check work emails and 60 percent do so to access work documents.

Frighteningly, 45 percent of the employees surveyed had never had any cybersecurity training, and worse, 23 percent of employees were found to have opened phishing messages, with 11 percent clicking on attachments or links.

Once an employee clicks on a malicious attachment or link containing malware, your office is in big trouble. That’s why you need to arm your staff with key information to protect your office against a data breach.

Tips for holding successful cybersecurity training

  • If you don’t have personnel capable of handling the training in-house, consider hiring a third-party professional cybersecurity company to provide it.
  • Conduct training sessions in the morning, when employees are more alert.
  • Have coffee and food available.
  • Make attendance mandatory. Take attendance.
  • Engage your employees. Make it interactive. Give out prizes.
  • Show your workers some very short Sophos videos on YouTube, which talk about cybersecurity in a humorous way. Examples include and
  • Use real-life scenarios to show how breaches occur.

If you plan to test your employees following training sessions, make sure people who don’t pass are re-trained and re-tested. Sometimes, one-on-one training may be necessary.

Simek says training should be provided once per year at a minimum and preferably more often, because technology is changing so rapidly. It’s important that staff receive training before any incident occurs.

“After you are finished with your training, then test your employees, but maybe not right away. Give them a couple of weeks and see what kind of retention they have got. Shoot some bogus messages at them and see if they are going to bite,” says Simek.

He says he regularly sends out emails about new scams that can compromise businesses and clients.

Implement an incident response plan

It is also important to have an incident response plan in place in case a breach occurs, and to give your staff at least a basic understanding of what the response plan includes.

Maschke says the belief that your IT department will be able to fix the situation does not constitute an acceptable incident response plan.

Simek and Maschke recommend involving some of your workers in periodic exercises in which they run through some possible scenarios and talk about what might happen if a serious security breach occurred.

“What if Melissa clicked on some link and we’ve got ransomware and all of a sudden we can’t get access to our client files on the server? What are we going to do?” asks Simek.

Employee policies are essential

Maschke says law firms need to have employee policies in place, including background checks for everyone who will be dealing with sensitive or confidential information. Ideally, he says all employees should undergo background checks.

You also need to have a policy in place outlining what your employees may and may not do regarding their use of the Internet and email.

Simek and Maschke advocate having a BYOD (bring your own device), BYON (bring your own network) and BYOC (bring your own cloud) policy.

Law offices also need a physical security policy to protect their offices and equipment.

“Does the door always remain locked and only accessible by authorized individuals?” asks Maschke.

Another vital policy is a disaster recovery plan to deal with natural disasters such as earthquakes, tornadoes or floods, as well as fires, power outages and other problems that could put your business’s survival at serious risk.

Maschke says you need to have a step-by-step plan in place to help your firm recover and get up and running as quickly as possible.

Other policies recommended by Simek and Maschke include:

  • Encryption policies to protect confidential data, medical information and personnel information. “Encryption is your friend,” says Maschke “It’s cheap, it’s easy, it’s fast and in most cases it’s seamless.”
  • A strong password protection policy.
  • Policies governing how your employees can access your systems and email remotely.
  • A social media policy dictating what your employees can post or access when they are at work. What can they say on social media? Should they be able to friend clients?
  • A policy that monitors what your employees do while using your firm’s business equipment, and enforcement actions should unauthorized activities occur.
  • A policy to ensure that strangers are not wandering around your premises. Is the cleaning crew really the cleaning crew?
  • A requirement for your employees to report any coworkers who are engaging in insecure behavior that could result in a security breach.

The importance of updating and upgrading

The two most common cybersecurity failings seen at law offices by Maschke and Simek are failure to apply security patches and other critical updates, and reliance on outdated software for budgetary reasons or out of sheer fear of upgrading and having modern, new software.

 “It’s not a question of whether or not you’ll be breached,” says Simek. “You will be breached. It’s just a matter of when.”

Editor’s picks:

A dozen cybersecurity tips for mobile device users

Surveys find employees are shopping at work on Cyber Monday, but most will try to hide it

How secure is your password? Are you sure?









Try Premium Membership