Legal Supplier

Why small firms and sole practitioners need IT security

By AdvocateDaily.com Staff

For small law firms and sole practitioners, information technology (IT) services are not only affordable but a critical part of protecting sensitive data and complying with Canadian privacy law requirements, says Shawn Coffey, owner of CPI Networks, a company that helps legal businesses address IT concerns.

“Law firms use technology to be successful and to do their work and sometimes, it’s beyond the ability of a sole practitioner or a small firm to make sure it's operating properly, that they understand all the technology and ensure it’s effective for their business,” he tells AdvocateDaily.com.

A proactive approach to IT is best for small firms, however, the realization that these services are necessary only comes for some after they have been targeted by cybercriminals.

Many firms, says Coffey, do not understand the possible threats brought by the bigger-scale attacks of ransomware and the potential for lost trust funds.

“I don’t think they ever believe that can happen to them as a small firm and yet, they are being targeted,” says Coffey, whose company often works with law firms that range in size from one to 20 lawyers.

“There’s a great amount of work that goes into protecting businesses from cyberthreats, malware, and phishing attacks, and certainly law firms are being targeted. They have a lot of very specific private information on individuals, which is of value to these hackers and criminals who are out there looking to steal identities and get this data.

“Law firms also have access to a large amount of funds in trust accounts. If they can trick a lawyer into revealing their login information, there could be millions in trust accounts that are vulnerable. So, these firms, at some point, realize that they are being targeted and attacked, and come to the realization that cybersecurity is not something they can do themselves any longer.”

After they have been attacked, says Coffey, “There is no other way to retrieve your data than to pay the ransom and hope that the criminals will honour their deal and give you the encryption key so you can get your data back, or you will have to restore it from a cloud backup offsite.”

A preferable option, he says, is for small firms to prevent these problems before they begin.

“It’s about getting the right business class emails in place that have virus and spam protection and getting proper firewalls in place. It’s about storing your data in a secure manner and making sure on a daily basis that the antivirus and all of these other security devices are functioning. And then it's vital to get your data off into a managed cloud backup hosted in Canada, of course, which is compliant with the Law Society of Ontario’s (LSO) privacy requirements.”

Another key consideration for law firms are the requirements to keep sensitive client data private, subject to Canadian law, he says.

“I don’t think that smaller firms are aware that they’re technically not meeting Canadian law privacy requirements if using something like DropBox or OneDrive. When they’re doing that, they’re taking their data and putting it on U.S. servers, compared to OneDrive for Business that is hosted by Microsoft in a Canadian datacentre for Canadian customers. If there’s anything in there that contains the private information of individuals, they’re technically breaking their lawyer/client confidentiality obligations.

“It should not be stored on foreign servers, subject to foreign laws like the U.S. Patriot Act. Many Canadian IT companies are hosting email backups and services on U.S. servers for most of their clients — and that is fine if they’re not subject to requirements of privacy. But lawyers are, under the LSO.”

As Coffey says, he has been called upon many times by the LSO during the audit process to help explain who has access to a firm’s data and where it is stored.

Although some small firms or sole practitioners may think hiring professional IT services is beyond their scope as a startup, a flat-fee option can help new practices prioritize their online security, and have access to a help desk for IT-related issues. For those who aren’t ready to commit to having a full-time IT partner, on-demand services at an hourly rate are also available.

“Unfortunately, the call, when it comes afterward, is way more expensive than it would be on a preventative, flat-fee basis. It’s almost like insurance.”

Ideally, says Coffey, small law firms should be looking at their IT needs the day they open.

“They need help choosing equipment for phone systems, computers, laptops, and desktops that maybe have encrypted hard drives in them to ensure privacy and security, as well as when working remotely, and they have sensitive data starting day one that has to be backed up and protected.

“We try to truly become the IT department, the same as we would think of it in a larger firm, but for smaller firms.”

Ultimately, he says, firms should also carefully evaluate the cost-benefit of any technology they are considering to implement — the fact that the tools have to give them value as a small business for the money they're investing. An IT manager can help with this process, he adds.

“Anytime you’re looking towards the tech world, you should be seeking technology that’s proven, and for a partner who understands it and how it relates to your business.”