10 Important Cybersecurity Tips for Lawyers and Judges

The Bencher—January/February 2024

By Sharon D. Nelson, Esquire and John W. Simek

We could write a book on keeping your confidential data safe, but to get started, we provide these 10 tips:

  1. Policies and procedures. Develop written information security policies to protect client data and sensitive information. The policies should cover areas such as internet usage, social media, bringing your own device, email usage, etc.
  2. Cybersecurity awareness training. Conduct training for all employees at least annually. The training should include examples of current attacks to enable employees to recognize phishing emails, suspicious text messages, social engineering, business email compromise, and more. Attacks evolve constantly—more so with the use of artificial intelligence to construct attacks.
  3. Zero trust architecture. Begin to plan, budget, and implement zero trust architecture, which means you authenticate every person, device, and access to data. In addition, you need to periodically reauthenticate. With so many remote users and cloud services, the perimeter security model no longer works. Multi-factor authentication is a good first step and is typically free.
  4. Updates. Apply updates and patches to operating systems and applications as soon as practicable. Remove fallible human beings from this task. Use software to automate the installations. If you use a managed service provider, the provider should be able to schedule the updates and minimize disruption to your practice. System reboots can be performed during idle periods. Update your mobile devices, too.
  5. Encryption. Enable and use encryption. Encryption protects confidential data from unauthorized access. The ability to encrypt your Windows computer using BitLocker is included for no additional cost in the professional versions of Windows 10 and Windows 11. However, it is not enabled by default. Enable BitLocker to protect your Windows computer. Apple users have FileVault encryption available for free in macOS. Like BitLocker, it is not enabled by default. Use encrypted connections when transferring data via a network. Use HTTPS connections for websites and an encrypted connection such as a virtual private network for remote connections.
  6. Mobile devices. Lock your mobile devices. Mobile devices hold a lot of sensitive data. Merely configuring a lock code for the device will encrypt the contents. Use a password instead of a PIN to lock your device as it is more secure. Lock the device after a period of inactivity and configure the “Find My” type function to allow remote wiping.
  7. Backup. Schedule backups to run several times a day. Backing up your data is a critical function. Good backups will allow you to recover your data should it be targeted in a ransomware attack. Have at least one local backup and one in the cloud—encrypted with a user-controlled encryption key. Local backup appliances are very affordable.
  8. Network security practices. Improve security practices. Firewalls are a requirement, but what about other security technologies? Many lawyers are unaware of their ethical responsibility to monitor for a data breach. Intrusion prevention systems (IPS) and intrusion detection systems (IDS) will meet this obligation. You can have the IDS/IPS capability for a few hundred dollars a year by adding it to your Cisco Meraki license. If you are not familiar with the Meraki product line, it is a very affordable line of network security devices that scales from the solo/small firm all the way up to large entities.
  9. Third-party vendors and service providers. Manage third-party vendors and service providers. Most services are already in the cloud. This means that the data are more secure than if you held them on your own on-premises equipment. Entrusting data to the cloud means you need to understand the risks and considerations for ensuring security. Make sure you read the “terms of service” for the cloud provider. What is the provider responsible for? What will it do in the event of a security incident? Data should be encrypted with a key that you control. The vendor should have zero knowledge concerning your data.
  10. New technologies. Keep up with new technologies. An important recent development is the security information and event management (SIEM) platform. A SIEM is a software solution that collects massive amounts of data from the various devices and services you use into a single platform. The data are analyzed in real time to identify suspicious activity that may indicate a cyber event. The data from computer logs, firewall logs, cloud services, etc. are far too voluminous for a human being to review in an efficient and timely manner.
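
Tip 10's idea in miniature, as an added example that is not from the authors or from any SIEM product: three constructed log sources are merged into one timeline, and an address that is blocked or fails in two sources and then signs in successfully is flagged. The log formats, the 15-minute window, and the two-source rule are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for the three sources tip 10 names (formats are assumed).
FIREWALL = ["2024-01-15T02:10:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
            "2024-01-15T02:10:09 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
            "2024-01-15T09:00:00 ALLOW src=198.51.100.20 dst=10.0.0.8 dport=443"]
COMPUTER = ["2024-01-15T02:11:30 login FAILED user=jdoe from=203.0.113.7",
            "2024-01-15T02:11:45 login FAILED user=jdoe from=203.0.113.7",
            "2024-01-15T09:01:12 login OK user=asmith from=198.51.100.20"]
CLOUD = ["2024-01-15T02:14:02 signin success user=jdoe ip=203.0.113.7",
         "2024-01-15T09:02:00 signin success user=asmith ip=198.51.100.20"]

PATTERNS = {  # source -> (line pattern, outcomes counted as blocked or failed)
    "firewall": (re.compile(r"^(\S+) (DENY|ALLOW) src=(\S+)"), {"DENY"}),
    "computer": (re.compile(r"^(\S+) login (FAILED|OK) .*from=(\S+)"), {"FAILED"}),
    "cloud": (re.compile(r"^(\S+) signin (failure|success) .*ip=(\S+)"), {"failure"}),
}

def normalize(source, lines):
    """Turn one source's raw lines into (time, source, ip, is_bad) tuples."""
    rx, bad = PATTERNS[source]
    matches = (rx.match(line) for line in lines)
    return [(datetime.fromisoformat(m[1]), source, m[3], m[2] in bad)
            for m in matches if m]  # lines that do not parse are skipped

def correlate(events, window=timedelta(minutes=15)):
    """Alert on an IP blocked/failed in 2+ sources that then succeeds within window."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # one timeline across all sources
        by_ip[ev[2]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        bad = [e for e in evs if e[3]]
        if len({e[1] for e in bad}) < 2:
            continue  # trouble in a single source only: not correlated
        hit = next((e for e in evs if not e[3]
                    and timedelta(0) < e[0] - bad[0][0] <= window), None)
        if hit:
            alerts.append({"ip": ip, "bad_events": len(bad), "success_in": hit[1]})
    return alerts

def run():
    sources = {"firewall": FIREWALL, "computer": COMPUTER, "cloud": CLOUD}
    return correlate([ev for s, lines in sources.items() for ev in normalize(s, lines)])

if __name__ == "__main__":
    print(run())
```

No single source shows the whole pattern here: the firewall sees only blocked connections, the computer only failed logins, and the cloud service only a normal-looking sign-in.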

There is no “set it and forget it” when it comes to securing confidential information. These tips constitute a good starting point.

Sharon D. Nelson, Esquire, is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the American Bar Association. She can be reached at snelson@senseient.com. John W. Simek is vice president of Sensei Enterprises Inc. He is a certified information systems security professional, certified ethical hacker, and a nationally known expert in the area of digital forensics. He and Nelson provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia, firm. He can be reached at jsimek@senseient.com.

© 2024 Sensei Enterprises, Inc. This article, in full or in part, may not be copied, reprinted, or distributed without the written consent of Sensei Enterprises, which may be obtained by writing Sharon D. Nelson, Esq.