October is Cybersecurity Awareness Month, which is a great time to remind law firms of the very real risk of phishing, email compromise, and other cyberattacks.
At OBLIC, we help Ohio lawyers safeguard client information and implement plans to stabilize your practice if a breach occurs. This article covers three tips to help reduce your firm’s risk:
✅ Use multi-factor authentication for all logins
✅ Train staff on spotting phishing emails
✅ Clean up and redact personal identifiers from digital files
- Multi-Factor Authentication or Two-Factor Authentication is an added layer of security that you can set up for logging in to a website or application. “Multi-Factor Authentication” means that an additional action is required at login to “authenticate,” or prove, that the person accessing the account is the true account holder. This additional step may involve entering a verification code received via mobile phone or email, or approving a push notification on a registered mobile device. For example, you might log in to your Google account from your desktop using your username and password, and then also receive a push notification on your mobile device to verify your access. With Multi-Factor Authentication in place, if your username and password are stolen, the attacker still would not be able to access your accounts because they could not verify the login. When using Multi-Factor Authentication, remember to verify a login only when you are the one accessing your account. There have been increasing reports of attackers flooding a victim with a stream of authentication requests, a tactic intended to get the target to simply authorize the login. Contact your IT professionals directly if there is ever a question about whether an authentication request is genuine. And finally, ensure you’re using long, unique, and regularly changed passwords across your accounts and logins.
- Firms should deploy cybersecurity and AI training for all attorneys and staff to prepare for and protect against tech crime and misconduct. Firm cybersecurity protocols based on “Zero Trust” principles should be set and enforced, including multi-factor authentication for all account log-ins and out-of-band authentication (like a phone call to a verified number) for wire transfer instructions and other financial transactions. Common social engineering scams target law firms to facilitate fraudulent check transactions, and compromise of firm email addresses can lead to cybercriminals attempting to defraud your clients with fake invoices. Train every level of law firm staff on these risks, how to identify them, and how to protect against them.
- Minimize digital data by clearing out old files, unused accounts, and outdated applications from your digital footprint. Sensitive information in firm records includes personally identifiable information like names, social security numbers, and dates of birth; financial information like credit card numbers and payroll data; and confidential information like strategic business documents, medical records, and trade secrets. Whether stored in hard copy or digital format, this type of data should be managed and destroyed according to a formal file retention policy. While attorneys often err on the side of over-retention, destruction of outdated information is just as critical as retention. Limiting the amount of sensitive data you store is a vital way to reduce the potential impact of a cybersecurity breach. Read more about why digital file clean-up is good for your firm here.
Finally, don’t forget cyber breach insurance. This important risk management tool can protect your firm in the event of an attack. Learn more by contacting Ohio Bar Insurance Agent Danna Blackburn at 614-572-0627 or [email protected].
More cybersecurity resources from OBLIC are available on our Loss Prevention webpages. As always, if you have any questions, we’re here to help.
Gretchen K. Mote, Esq., Director of Loss Prevention, Ohio Bar Liability Insurance Co. Direct: 614.572.0620 [email protected]

Merisa K. Bowers, Esq., Loss Prevention & Outreach Counsel, Ohio Bar Liability Insurance Co. Direct: 614.859.2978 [email protected]
This information is made available solely for loss prevention purposes, which may include claim prevention techniques designed to minimize the likelihood of incurring a claim for legal malpractice. This information does not establish, report, or create the standard of care for attorneys. The material is not a complete analysis of the topic and should not be construed as providing legal advice. Please conduct your own appropriate legal research in this area. If you have questions about this email’s content and are an OBLIC policyholder, please contact us using the information above.
