More than usernames and passwords
No password you create is truly random. It is generated by your brain, which means the string of letters and numbers you choose is not spontaneous: it comes from past inspiration or influence, whether or not you are consciously aware of the connection. Most passwords originate from something generic and predictable; a date, a distant relative's name, an address, a pet's name, a teacher's name and so on. For all intents and purposes, relying solely on a password exposes you to phishing attacks and credential theft, especially with 51% of people reusing their 'favourite' passwords.
Multi-Factor Authentication adds an extra layer of security. Logging into your computer or your secure servers is no longer just a matter of a username and password, which removes the weakest, human element from the process. A Multi-Factor Authentication solution uses another device to validate that it is actually you who is accessing the information.
Protecting the information on your computer isn't just a recommendation. It is an ethical obligation under the duty of Legal Professional Privilege and attorney-client confidentiality, and using a Multi-Factor Authentication solution is a step in the right direction to ensure the security of your data, both your own and your clients'.
As we all know, law firms operate on reputation. When an individual needs legal representation or legal advice, they turn to the firm with the best reputation. If a hack occurred and your information was leaked, including private information about your clients (bank details, passport numbers, addresses, other sensitive information and so on), the result would be a loss of faith from both your current clients and the wider world.
According to a study conducted in the US and the EU, 72% of people would "boycott" a company if a hack resulted in the loss of their data, and 50% would take their business to companies that demonstrably took the protection of their data seriously.
Ultimately, Multi-Factor Authentication helps prevent this loss of faith. It significantly reduces the risk of a data breach caused by stolen credentials, because a stolen password alone is no longer enough: further authentication is required to validate the individual.
GDPR stresses that companies should implement suitable methods of protecting their own data and their clients' data, especially where that information is sensitive.
Whilst there is always a threat of sensitive information being exposed or leaked, a Multi-Factor Authentication solution can reduce this risk by preventing the wrong person from getting access to the sensitive information.
If a company is found not to be complying with GDPR, the result can be some rather large financial penalties. These vary: the fine can be either €20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, "whichever is higher".
As I am sure you are aware, costs of this size may have a detrimental impact on your business and could potentially result in bankruptcy. So, having these precautions in place means that, even if you do suffer a hack, you have taken steps to prevent data breaches, which will mean you will not be liable for penalties.
Data breaches are everyday occurrences
Cast your mind back to 2017. It was an interesting time; Trump had just been elected as president, the UK triggered Article 50 and North Korea confirmed nuclear weapons testing. Behind all of this, I'm sure you will remember that DLA Piper, one of the largest international law firms, was brought to a halt by a ransomware attack. Its computers were rendered unusable, and each screen displayed, in blood-like red writing, a statement that all files had been encrypted and would only be accessible if $300 worth of bitcoin (per computer) was sent to a certain address.
I wish I could tell you that this is a rare occurrence, that hackers don't often target law firms and that you do not need to worry about it, but I am afraid I cannot. In fact, according to figures from the National Cyber Security Centre, there has been a 20% rise in cyber-attacks on law firms.
Organisations suffer cyber-attacks all the time; it is a common occurrence. Think about the number of times you receive a junk email from someone claiming to be someone they are not, trying to get access to your credentials. My personal favourite has to be someone claiming to be 'Winnie Mandela' asking for money for her husband's (Nelson Mandela's) medical treatment, a good few years after he had passed away.
A lot of the time hackers are not just there to steal information; they also try to alter it, and more. In a law firm, if the contents of a secure document are changed, the consequences can be far-reaching. Furthermore, hackers target companies whose 'sensitive' information is 'easily' acquirable, and unfortunately most law firms are seen as a "weak link" when it comes to IT security.
Sure, you can be the Skaddens or the Baker McKenzies of the world and have the best in-house IT departments ensuring everything is kept to a high standard, so that this does not happen to you. But for medium to smaller firms this is a luxury they cannot afford.
I'm not saying that Multi-Factor Authentication will prevent every breach, but it will reduce the risk of breaches through phishing attacks or stolen credentials, giving you and your clients peace of mind that precautions are in place.
Great user experience
One would naturally assume that having multiple authentication factors on a different device would make accessing accounts a more tedious process; adding one more lock increases the time it takes to open the safe. However, with the added security layer of modern Multi-Factor Authentication, companies are able to offer more advanced login options, such as Single Sign-On.
Multi-Factor Authentication is not what it used to be. It has evolved beyond the bulky tokens with the ever-changing code. The struggle with those hardware tokens was tedious: having to type in your code before it changed, only to discover that you got a digit wrong and having to repeat the process. Or, even worse, not being able to find your token and needing a new one.
Modern Multi-Factor Authentication is much simpler. Instead of a single hardware token, there are multiple options and devices. You can use your mobile device through a push notification (simply swiping up), the biometrics of your mobile device (fingerprint) or an SMS text. For those operating in remote locations without mobile network signal, or not wanting to use a mobile device, we can use a YubiKey. Of course, on mobile devices the code method of validating yourself is still available as part of the app, but why take the more difficult route? Over the years, Multi-Factor Authentication has made securing your data and reducing the risk of data breaches a far simpler option.
Not only would this improve loyalty from customers who see that you take their data seriously and have precautions in place, but it would also improve productivity.
I have already spoken about GDPR compliance, reputational risk and many other factors above; however, the most important of all is that any lawyer must uphold the SRA Code of Conduct.
I have spoken about the benefits of reducing data breaches above, but not in the context of the Solicitors' Code of Conduct. The Code of Conduct states that "you provide services to your clients in a manner which protects their interests in their matter". In other words, no matter their position, it is your duty to always put your clients first and to do whatever is within your power to assist them to the best of your abilities (legally speaking, of course).
In this sense it could almost be argued that not implementing basic IT security measures such as MFA is not putting your clients' best interests at heart. Furthermore, according to IB7.1, "Safekeeping documents and assets entrusted to the firm" is a necessity to show you are complying with the 10 Principles that "embody the key ethical requirements on firms and individuals who are involved in the provision of legal services".
By Kishan Thaker
Sales Executive, Securience
Kacy Zurkus, 'Google Survey Finds Two in Three Users Reuse Passwords' (Infosecurity Magazine, 5 February 2019) <https://www.infosecurity-magazine.com/news/google-survey-finds-two-users/> accessed 18 September 2019
Jeff Carpenter, 'Multifactor Authentication is a Must for Keeping Your GDPR Advantage' (Crossmatch, 20 November 2018) <https://blog.crossmatch.com/authentication/mfa-gdpr-competitive-advantage/> accessed 18 September 2019
EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679, art 12, art 22, art 23 and art 30
EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679, art 83
Randhir Shinde, 'Hackers Took £11 Million From Law Firms Last Year, Time To Take Action' (Lawyer Monthly, 10 September 2018) <https://www.lawyer-monthly.com/2018/09/hackers-took-11-million-from-law-firms-last-year-time-to-take-action/> accessed 19 September 2019
Chloe Smith, 'M&A hack attack on 48 elite law firms' (The Law Society Gazette, 4 April 2016) <https://www.lawgazette.co.uk/practice/manda-hack-attack-on-48-elite-law-firms/5054524.article> accessed 19 September 2019
SRA, 'SRA Handbook – Code of Conduct' (Solicitors Regulation Authority, 6 December 2018) <https://www.sra.org.uk/solicitors/handbook/code/part2/rule1/> accessed 1 October 2019
SRA, 'SRA Handbook – Code of Conduct' (Solicitors Regulation Authority, 6 December 2018) <https://www.sra.org.uk/solicitors/handbook/code/part3/> accessed 1 October 2019
SRA, 'SRA Handbook – Principles' (Solicitors Regulation Authority, 17 June 2011) <https://www.sra.org.uk/solicitors/handbook/handbookprinciples/> accessed 1 October 2019