Starting a Law Practice? Begin With the Right Focus on IT & IT Security

After law school and over the years, I have had a number of friends that decided to start their own practices or branch off on their own. Since, I’ve been in the IT industry for 25+ years they come to me for advice on how to get started with IT security and the right infrastructure. Knowing that they will eventually expand, they don’t have to spend time fixing their IT infrastructure before hiring someone new. For someone with enough business to hire another employee, the amount of time it can take to correct mistakes in infrastructure can be an overwhelming and unnecessary burden. Here are some ideas to help you now that will make the transition from a solo practice to a full-fledged law firm a much lighter burden.

Phones

I’m writing this in the middle of a pandemic, but I don’t think that changes my opinion. We use RingCentral for phones. They are easy to set up and configure. They can be plugged in anywhere there is an Internet connection. They allow you to sound like a large firm, but on a small budget. With the ability to make and receive phone calls from your mobile phone, you are no longer giving your mobile phone number out to clients. You’ll have every feature of an Enterprise solution, and you only pay per user.

Files

You’ve got a lot of choices here, but more importantly you need to decide on what data needs to be separated from other users. You will have financial data, client data, operational data, and human resources data and every employee that you will hire in the future does not need access to all of it. So, separate it now. We use and recommend a tool we call SyncedTool for storing files. It works a lot like OneDrive, but allows you to share and track easily with clients, and employees. It keeps backups in the cloud, and leaves a copy on your local computer. If you accidentally delete a file, it stores it in a recycle bin and allows you to recover it up to a year later. You can also back up the entire file store to an external drive manually if you’re really feeling paranoid.

You can also use SharePoint (part of the office 365 solution suite). The only difficulty we run into is tracking, controlling access, and monitoring security. It becomes a full-time job, and it’s not easy. It’s always easier to move into SharePoint at a later point versus starting off that way. We have a tool that will push all data into SharePoint and keep it synchronized until you’re ready to make the switch.

The useful part of both of these tools is that they are both web-based. So, if I need to pull the file but I don’t have access to my computer, I can download the file just by logging onto my website.

Finances

QuickBooks online. Two years ago, we were recommending against it. Effective January of this year, we recommend QuickBooks online over the desktop version. Especially if you’re just starting up, you don’t have the time to effectively train yourself on how best to use QuickBooks desktop edition. QuickBooks online provides a quick and easy solution, that’s easy to manage. We also recommend using QuickBooks online because you can set up your employees payroll that way. It makes it super easy when hiring file all the necessary paperwork.

Backups

Yes, you need backups. Yes, you need multiple backups. You need to back up Office 365, your local computer, your email, SharePoint, synced tool, and any other location that data resides. You need to test your back ups regularly to make sure they work. We typically do this by subscribing to a service that takes care of this for you and can be easily verified that it’s working.

Security

We can talk about this for hours, and usually do, but the long and short of it is that you need to take security seriously. The professional rules of conduct require that you take steps to protect client data, and very few take it seriously. We have written procedures and policies that govern IT security, data security, and regulatory compliance. Security can be a full-time job, but is more cost-effective to let someone else handle the security and let you practice law. We have seen an amazing false sense of security when it comes to protecting client data.

Lock it down. You need to make sure that you are using multi factor authentication. Do you need to use a spam filtering service, not just the one built into Microsoft Office 365. You need to use a password manager (we LOVE Myki). You need to be encrypting your local drives on your laptops. When you’re encrypting those drives, you need to make sure that you are backing up the recovery keys. Pay the extra money for the Microsoft Azure P1 service. This allows you to lock down your office 365 account by geographic area and other criteria. We highly recommend setting up anti-fishing/anti-spoofing software. These systems may seem redundant, but they are not. They are designed to make it easier for you to spot malicious attempts against your network.

You will also need to set up methods and procedures for preventing data loss and tracking data sharing. Without doing so, it is likely you won’t even know that your data has been stolen until it’s all been stolen. You will need to set up alerts when any type of access privilege is used as well.

Encryption. Encryption. Encryption. Get used to sending encrypted messages. If you’re not sending email that is encrypted, you might as well just post your messages to Facebook. For other users of office 365, the process is seamless. We recommend using the web version of Outlook to most of our clients now, because we like it better, but also because it’s so much easier to send and receive encrypted messages.

If you don’t have a company that has set up mobile device management for you, you need to make sure that your mobile devices are backed up to the cloud and can be remotely wiped. We get multiple calls a year about phones being stolen that are now a potential security risk, especially since the authentication device for getting into email and client data is the mobile phone.

If this seems like a lot, it is and I’m barely scratching the surface.

Hardware

I have written several articles on hardware over the past few years. Feel free to go look them up. The executive summary is simple: don’t buy the cheapest, don’t buy the most expensive. The most value to be had is right in the middle. By the 24/7 onsite 3-year warranty. Swap out your equipment when the warranty is up. Yes, even if it runs fine. I don’t care who you buy it from, so long as it meets the current standards. Buy commercial grade equipment. Buying the home grade stuff you find at box stores will always cost you more in the long run.

Compliance

Attorneys tend to brush off regulatory compliance regarding client data. It’s not that your law firm is subject to particular regulation (other than the professional rules of conduct). It’s that your clients’ data may be subject to industry regulation. For many clients, especially corporations, not complying with those regulations may be a deal breaker. It also may be preventing you from expanding your business, as more and more clients require that their vendors also be subject to the same data security standards. What that means is there is currently an opportunity for you to be ahead of the curve on data security and use it as a means to market yourself and your law firm. It is much easier for you, the sole practitioner, to comply with data regulations when you’re starting off than it is for a firm with 15 years of data and 60 attorneys. Over the next decade, as the regulations expand and their adoption in other states continues, it will become mandatory and then the opportunity cost will be high.

There are companies like ours that offer compliance as a service, to help you set up the initial security and then help you maintain that security, help you develop policies and procedures that allow you to continue to remain compliant, and can even help you become certified as compliant either under ISO, NIST, HIPAA, or the GDPR.

Training

All the security is great, but if nobody follows the guidelines, or understands how the security works, there is still a gaping hole in your security infrastructure. There’s no way around it. You have to learn about security. If you sign up with the security vendor make sure that your training is included. This usually means monthly meetings with the security vendor, video training, email training, webinars, and individual training as well.

Antivirus/Antimalware

Sophos or Cylance. We like them both. They both work well. They are next generation in point detection and response. Stay away from the free stuff! One of the most notable breaches in history occurred on machines that were using the free version of antimalware software.

Costs and Conclusion

There is a lot of work to be done. If you’re looking for security and IT infrastructure and you want to do it right from the start, it’s not going to be cheap. It will certainly be less costly than the alternative later on. What we advise our clients to do now, is build it into the cost of servicing the client. You are taking serious and legitimate steps to make sure that their data is secure. That is your selling point. It’s what sets you apart from other law firms, so use it to your advantage. Soon enough, taking these steps won’t distinguish you from any other and it will just be a cost to bear.