Remote Work and Cybersecurity in the Legal Industry: What to Know
The COVID-19 pandemic changed many aspects of how businesses operate, remote work being one of the most significant. At the outbreak’s peak, 71% of American workers telecommuted at least part-time, 62% of whom rarely worked remotely before. This shift has impacted many industries, but the legal sector faces more disruption than most.
Legal work rarely happened over telecommunication services before the COVID-19 pandemic. Now, more than 80% of law firms have transitioned to working remotely some or all of the time. Consultations and court hearings now regularly take place over teleconferencing software, which has produced mixed results.
On the one hand, remote work has made it easier for a broader range of people to access legal services. On the other, this transition has exacerbated the industry’s privacy concerns and generated new ones.
Growing Security Concerns Amid Remote Work
Remote work in the legal industry presents some significant challenges. Attorney/client privilege is far more challenging to ensure when not meeting in person. A closed door can stop others from listening in to a private in-person conversation, but virtual meeting rooms face far more vulnerabilities, many requiring highly technical solutions.
Using remote work software can also affect a firm’s legal liability. A growing number of states are introducing data privacy legislation that could affect how organizations utilize digital communication tools. Information as sensitive as legal documentation will likely be held to higher standards under these expanding laws.
Like in other industries, remote work also makes it more difficult to ensure cybersecurity across a firm. Workers using their own devices on their own networks may have insufficient anti-malware software or be more vulnerable to phishing attempts. Breaches in the industry are also costly: One firm calculated that it lost millions of dollars in business from a ransomware attack in 2017.
How the Legal Industry Can Remain Secure
While remote work does make cybersecurity in the legal industry more challenging, it doesn’t make it impossible. Law firms can take several steps to remain secure while working from home. Here are a few of the most important.
1. Employee Training
As in other industries, perhaps the most critical measure is to create and enforce a cybersecurity policy. Employees may be experts in the law but may not know much about security, leading to internal threats due to a simple lack of cybersecurity knowledge. Training workers about good cyber hygiene will prevent many successful attacks.
The ability to recognize a phishing attempt is a crucial area to emphasize in employee training. Password management is another, especially as workers use passwords more often to remotely access sensitive documents. When employees understand how these issues can lead to such destructive outcomes, they’ll be more likely to follow best practices.
2. User Authentication Controls
Another important step for cybersecurity in the legal industry is to use tighter authentication measures. In remote legal work, ensuring that people who try to access sensitive documents are who they say they are is crucial. A simple username and password combination isn’t sufficient when dealing with highly sensitive legal information.
Firms should adopt digital signature services to enable secure remote signing. Look for tools that use certificate-based authentication measures to confirm people are who they claim to be. When law professionals can’t be physically present to verify someone’s identity, these measures are essential.
Similarly, law firms should require multi-factor authentication (MFA) to access any cloud servers they may use. A 2020 study revealed less than 50% of firms use MFA, making this a point of needed improvement for the industry.
3. Encryption
Encryption is a recommended step for any industry, but it’s essential for law firms. Professionals in this industry must encrypt all their documents at rest and in transit to uphold the industry’s privacy needs. Similarly, encrypted emails are a must to maintain attorney/client confidentiality while working remotely.
Since the law industry now relies on videoconferencing software for many sensitive proceedings, it must ensure these services offer strong encryption. During the height of the pandemic, “Zoom bombing,” instances where actors interrupt and disrupt Zoom calls, affected at least one virtual court case, highlighting the importance of encrypted calls.
Following these scandals, Zoom rolled out end-to-end encryption, but it’s not on by default. Law firms and courts must remember to enable this feature for all remote legal proceedings and client meetings. Similar controls, like adding registration and requiring authentication, can also help keep calls private.
4. Incident Response Planning
Finally, the legal industry must adopt a standard of forming cybersecurity incident response plans. Before the prevalence of remote work in the sector, this was a less pressing or at least less prominent concern. Now that firms face new threats amid remote work, incident response plans are essential.
Having a plan in place to mitigate the damage from a cyberattack may also help minimize a firm’s liability. Without a written cybersecurity plan, clients whose details are compromised in an attack may say the firm didn’t take the proper steps to ensure their privacy.
Remote Work Brings Challenges and Opportunities
Remote work can make legal services more accessible for people who may have difficulty attending in-person meetings. It may also improve productivity, and given these benefits, the legal industry will likely continue to enable remote work. If that’s the case, it must adopt higher cybersecurity standards.
As helpful as remote work can be, it brings several cybersecurity risks. Law firms and government agencies must follow these steps to remain safe amid this shift.
About the Author: Devin Partida is a cybersecurity and data privacy writer whose work is regularly featured on Yahoo! Finance, Entrepreneur, AT&T’s cybersecurity blog, and other well-known industry publications. She is also the Editor-in-Chief of ReHack.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.