Is Your Law Firm Website at Risk? 4 Essential Steps to Cyber Security

Law Firm Website Security

Do you manage a law firm website? Are you being held hostage by your web vendor? Do you even know? Is your IT department actively involved in supporting your website? If things go wrong, who is left to figure out the problem and manage getting it fixed? Do you know what changes are being made to your website, when they happen, and what the contingency plan is if they go wrong? Who has access to your Content Management System (CMS), who has direct access to your server files (FTP), and what rights do they have on each? How do you share login credentials? Have you emailed a new user their ID and password? Do you even know who hosts your site?

If you work in an administrative function or have responsibility for marketing at your firm, you probably have some of these issues. You may even find yourself in the position of being considered the internal resource who should manage all these aspects of the website. “The website is marketing and has nothing to do with us” is an opinion often expressed by other departments.

Most law firms outsource the development and technical maintenance of their website to a vendor, which makes sense and is practical on many levels. However, every law firm I have worked with recently has had very loose controls around how it manages the architecture and security of that site. This usually means the firm has handed the “keys to the kingdom” to an outside party and is left scrambling when things go wrong. Typically the firm finds itself locked into a particular website vendor: control has been relinquished to the vendor, and the vendor makes everything seem somewhat mysterious. The old saying “knowledge is power” is practised by many agencies to keep clients locked in and held hostage, and in most cases the clients don’t even realise that they are essentially victims of a type of “Stockholm Syndrome”.

Maybe it’s because of my experience at JPMorgan Chase, building online banking, that I know security is paramount. Apart from the obvious issue of bad guys getting access to bank accounts, if our security were compromised, all the hard work to convert customers to online banking could be destroyed in one stroke and our brand badly bruised.

So what should you be doing to mitigate this situation and reduce your firm’s risk?

Step #1 – Perform a Technical Audit of Your Law Firm Website

First, establish what platforms and services support your site. In conjunction with your IT department, take an inventory that answers the following:

  • Which company manages your domain registration, and is your company profile with them up to date so they know whom to contact when the registration is about to expire?
  • Who is your hosting company, and do they recognize you (rather than only your vendor) as their client?
  • Do you have a monitoring service that alerts you when your site goes down and helps you protect the site from, or clean it after, malware infections and hacking attacks?
  • Which CMS are you on, and do you know all of its users and their roles?
  • Are the CMS and all of its plugins running the latest version?
  • Do you have Google Analytics and Google Webmaster Tools accounts, and who controls them?
  • Do you have firm social media accounts, and who has access to them?
  • Which other services do you subscribe to in order to support your website?

While determining what accounts you have, also record who has access to each of them and who is authorized to speak to an outside vendor, e.g. your host, on the firm’s behalf.
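Two of the inventory questions above, how long is left on the domain registration and which CMS, plugins and server stack the site runs, can be answered from data the registry and the site itself hand out. The script below is an added example and not code from this article: it parses a constructed WHOIS excerpt for the expiry date and fingerprints a constructed HTTP response for the CMS generator tag, versioned plugin URLs and Server / X-Powered-By headers. The domain, hostnames, header values and version numbers are invented for illustration; in practice you would feed it the real `whois` output and the fetched home page of your own site, and the versions it reports are what you compare against the latest releases.

```python
"""Offline helpers for the Step #1 inventory: days left on the domain
registration, and which CMS, plugins and server stack the site advertises.
Added example, not the article's code. Inputs below are constructed samples
(an invented domain and header values), not real lookups."""
import re
from datetime import date, datetime

# Constructed WHOIS excerpt in the layout gTLD registries return.
SAMPLE_WHOIS = """Domain Name: EXAMPLE-LAW-FIRM.COM
Registrar: Example Registrar, LLC
Registry Expiry Date: 2025-03-14T04:00:00Z
"""

# Constructed response from a site that has not hidden its CMS version.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Link": '<https://example-law-firm.invalid/wp-json/>; rel="https://api.w.org/"',
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.3.2" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.6">
<script src="/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.1.8"></script>
</head><body></body></html>"""

EXPIRY_RE = re.compile(r"^(?:Registry |Registrar Registration )?Expir\w* Date:\s*(\S+)", re.I | re.M)
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
# WordPress plugin assets carry the plugin slug in the path and, by default,
# the plugin version in the ?ver= query string.
PLUGIN_RE = re.compile(r"""/wp-content/plugins/([^/"'\s]+)/[^"'\s>]*?[?&]ver=([\d.]+)""", re.I)


def days_until_expiry(whois_text, today):
    """Days from `today` (ISO date string) until the registration lapses;
    negative if it already has, None if the record carries no expiry line."""
    m = EXPIRY_RE.search(whois_text)
    if not m:
        return None
    expires = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).date()
    return (expires - date.fromisoformat(today)).days


def fingerprint_cms(headers, html):
    """Read what the site discloses about itself: generator meta tag,
    versioned plugin assets, and Server / X-Powered-By headers.
    `cms` is None when nothing matched."""
    result = {"cms": None, "version": None, "plugins": {}, "stack": []}
    m = GENERATOR_RE.search(html)
    if m:
        parts = m.group(1).split()
        result["cms"] = parts[0]
        result["version"] = parts[1] if len(parts) > 1 else None
    elif "/wp-content/" in html or "wp-json" in headers.get("Link", ""):
        result["cms"] = "WordPress"  # version withheld, but the platform still shows
    for name, version in PLUGIN_RE.findall(html):
        result["plugins"][name] = version
    for header in ("Server", "X-Powered-By"):
        if header in headers:
            result["stack"].append(f"{header}: {headers[header]}")
    return result


def inventory_report(whois_text, headers, html, today):
    """Combine both checks into the lines you would paste into the inventory."""
    lines = []
    days = days_until_expiry(whois_text, today)
    lines.append("Domain expiry: unknown" if days is None else f"Domain expires in {days} days")
    fp = fingerprint_cms(headers, html)
    cms = fp["cms"] or "not identified"
    version = fp["version"] or "(version not disclosed)"
    lines.append(f"CMS: {cms} {version}")
    for name, version in sorted(fp["plugins"].items()):
        lines.append(f"Plugin: {name} {version}")
    lines.extend(fp["stack"])
    return lines


if __name__ == "__main__":
    print("\n".join(inventory_report(SAMPLE_WHOIS, SAMPLE_HEADERS, SAMPLE_HTML, "2025-01-01")))
```

Everything this script finds is visible to anyone on the internet, which is the point: if it can list your CMS and plugin versions, so can an attacker choosing which known weakness to try. Treat a short expiry window or an out-of-date version line as an action item, not just a record.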

Step #2 – Transfer Technical Management of the Website to Your IT Department

Once this audit is complete, your IT department should either ensure that existing IT policies are applied to the administration of your website or write new ones.

On an ongoing basis, I recommend that the marketing department, or whoever holds that function, be responsible only for adding new content to the website. All other technical support should be managed by your IT department, either directly or by holding active service level agreements and policies with your various vendors and acting as the single point of contact for any changes, issues or updates.

In some cases this assignment of roles may be resisted by your IT department, as their experience is most likely focused on supporting a LAN/WAN environment. However, being “techies”, with a little training it won’t take much for them to get up to speed, and they might even enjoy developing a stronger relationship with the website.

Step #3 – Have an ID and Password Management Policy

There is plenty of advice out there on how to construct “strong” user IDs and passwords, so I’m not going to repeat it here. What I don’t often see is advice on how to share or administer those IDs and passwords. I can’t tell you how many times I have been emailed the ID and password to a law firm’s CMS or its FTP login credentials. If your email is compromised, or the person you sent credentials to has their email compromised, then the bad guys have the “keys to your kingdom”. You only have to look at the recent hacking of Sony for an example of the impact this can have. In the Sony case, IDs and passwords were stored unencrypted in Word documents by employees of the company. This made it very easy for the hackers to gain deeper access into the company’s systems and files, making off with 40GB of data and causing significant damage to internal computer systems.

The best approach from a security standpoint is to avoid sharing credentials at all: give each person their own account, so that access can be revoked per person and audited per person. Where a credential genuinely must be shared, pass it on offline, e.g. face-to-face or over the phone, or keep it in a password manager that the authorized people can use. If you must send it electronically, split the ID and password and send them via two different channels, e.g. the ID via email and the password via SMS text message or voice-mail, so that someone who intercepts one channel does not get the full pair. Never store credentials unencrypted, on paper in your desk drawer or on a post-it note under your keyboard!

In addition, if you have to give an ID and password to an outside vendor, or to someone who only needs temporary access to make an update or fix a problem, change that password as soon as they are finished, locking them out of the system. If they need access again, give them the new password and repeat the process. Better still, give the vendor its own account with only the rights the job needs and disable it between engagements, so that you never have to rotate the credentials your own staff use. It’s not unheard of for a disgruntled employee to mess with a website, and by allowing vendors unfettered access you increase this risk by adding their employees to the mix.

Step #4 – Manage Your Site Updates and Perform Regular Backups

Before any technical changes or updates are made to your website, your IT department should understand and document what the update entails, when it will be performed (I prefer weekends), and what the contingency plan is if things go pear-shaped.

This last point leads us to ensuring that your site is backed up: not just before and immediately after a major change, but on a daily basis. If you don’t have an automatic backup system, you don’t have a backup; and if you have never restored from it, you don’t know that you have one. Keep the copies somewhere other than the web server itself, so that a compromised or failed host does not take the backups down with it.
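The daily, automatic backup this step calls for is only worth having if the archive is intact and can actually be restored. Below is an added example, not the article’s own code and not a product recommendation, of a backup job that archives the site directory, records a SHA-256 of the archive, proves the archive by restoring it into a scratch directory and comparing every file with the live site, and keeps a fixed number of archives. Assumptions: the site’s files and a database dump written earlier by a separate step (e.g. mysqldump, not shown) live under one directory; the archive directory is outside the web root and ideally on another system; and the job is run daily by cron or Task Scheduler. The demo at the bottom runs on constructed sample files in a temporary directory, not on a real site.

```python
"""Daily website backup with an integrity check, a restore test and
retention. Added example, not the article's own code. Assumed layout: the
site's files (plus any database dump written earlier by a separate step,
not shown) live under one directory, and archives go to a directory outside
the web root, preferably on a different system."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so a large uploads directory does not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map every file under root (relative path -> sha256)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def backup_site(site_dir, backup_dir, label="daily"):
    """Write <backup_dir>/<label>-<UTC stamp>.tar.gz and a .sha256 sidecar.
    Returns the archive path."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    archive = backup_dir / f"{label}-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    Path(str(archive) + ".sha256").write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive, site_dir):
    """Check the sidecar hash, restore into a scratch directory and compare
    every file with the live site. True only if the restore is complete and
    identical; a backup that has never been restored is unproven."""
    archive = Path(archive)
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    if recorded != sha256_file(archive):
        return False  # archive corrupted or tampered with since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses paths that escape scratch
            except TypeError:  # Python without the filter argument
                tar.extractall(scratch)
        restored = tree_hashes(Path(scratch) / Path(site_dir).name)
    return restored == tree_hashes(site_dir)


def prune_backups(backup_dir, label="daily", keep=14):
    """Delete all but the newest `keep` (>= 1) archives and sidecars for a
    label. Returns how many archives remain."""
    archives = sorted(Path(backup_dir).glob(f"{label}-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
        sidecar = Path(str(old) + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
    return min(len(archives), keep)


def demo_backup_cycle():
    """Run one cycle on a constructed site (sample files, not a real site)
    and report what happened, so the flow can be checked without a server."""
    root = Path(tempfile.mkdtemp())
    site, store = root / "htdocs", root / "backups"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'constructed sample'; ?>\n")
    (site / "wp-content" / "uploads" / "brochure.pdf").write_bytes(b"%PDF-1.4 sample")
    (site / "db-dump.sql").write_text("-- constructed dump\n")

    first = backup_site(site, store, label="daily")
    verified = verify_backup(first, site)          # restore matches the live site
    (site / "index.php").write_text("<?php /* changed after backup */ ?>\n")
    still_current = verify_backup(first, site)     # live site drifted: mismatch
    for _ in range(3):                             # simulate later daily runs
        backup_site(site, store, label="daily")
    remaining = prune_backups(store, label="daily", keep=2)
    return {"archive_verified": verified, "drift_detected": not still_current,
            "remaining": remaining, "oldest_pruned": not first.exists()}


if __name__ == "__main__":
    print(demo_backup_cycle())
```

Schedule `backup_site` plus `verify_backup` once a day (a cron entry such as `0 2 * * *`) and page someone when the verification returns False; before and after a major change run the same job by hand with a different label, e.g. `prechange`, so those archives are kept separately from the daily rotation.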

If you follow these basic steps, your firm’s website will be well on its way to being more secure. You will be more empowered in the overall management of the site and less dependent on outside vendors. If the responsibility is shared internally, those fulfilling the marketing function will be able to focus more on what they do best, and might even gain an ally in the IT department when looking for budget to improve the law firm website.

Start the New Year by putting your technical house in order, keeping security top of mind. If you need someone to take a look at your website and perform a technical or client usability audit, feel free to contact me at robertfoley@fsquaredmarketing.com or check out our other website and digital services.

As always, share your experiences and tips in the comments section below.
