Alternatives to Blogs
Blogs are a great place to share information with your potential client base, and your firm should definitely have at least one... but let's face it, everyone is blogging these days, and it's easy for yours to get lost in the mix. Instead of making your blog your primary or only marketing channel, consider using multiple platforms to post useful information that potential clients can visit.
For instance, posting on Quora may give you an additional audience for your content. Quora is a platform for the public to post and answer questions - and topics range from "ways to optimize divorce settlements" to "ways to catch a leprechaun" (yes, seriously). Answering questions from a professional profile in Quora builds your web presence and sets you apart as an expert in the field. Do some research as to what your client pool is reading, where and what their interests are (check out the Google Analytics section below), and start posting information in those channels.
Track Your Marketing
We recommend using tools like MailChimp, Squarespace, Google Analytics, and Hootsuite to measure your marketing campaigns - and using your law practice management system to keep track of your marketing data.
MailChimp - MailChimp allows you to easily automate and send personalized emails to large groups of people. If you have a newsletter you want to share with your subscribers, you can use MailChimp to compose your message - then track the open rate and click rate to see who is engaging with your content.
Squarespace - Use Squarespace to build beautiful websites without learning a single line of code. It's easy to use, and includes a wide variety of design templates that you can choose from and customize to fit your business needs.
Google Analytics - Embed Google Analytics' tracking code into your website to receive demographic information about your visitors - including their location, age, interests, and gender.
Hootsuite - Don't have time to handwrite tweets and Facebook posts every day? Hootsuite can help you compose and schedule your posts en masse. Also, download the Hootsuite Suggestions app to repost and retweet others' content effortlessly.
MerusCase - The aforementioned tools will help you collect more marketing data - but where should you store it? Simplify your life by using the same secure and accessible platform you trust for storing client data: your law practice management system. MerusCase allows you to easily keep tabs on your marketing ventures, event calendar, growth goals, brand assets, marketing-related correspondence, and more. For tips on using MerusCase to market your law firm, check out this blog post!
Create Useful Content
Choose 5 cases that were beneficial for your firm (whether that means they were most profitable, or set your firm apart, or changed the course of your practice) and list the top issues in each case. For instance, if you're a family attorney, the issues may have been:
1. Whether the father has rights if he has been absent for x number of years
2. Whether the mother is entitled to child support payments if she did not demand them for several years
After you list out these issues, prepare a blog post or guest post on each topic, and promote them on social media. If your top clients were asking these questions, and you've helped resolve them, you can bet that other people have these questions and need your help as well. Multiply your success by helping other clients who have the same or similar issues, and use your past success to build your future.
Create Great Visuals
Lawyers are amazing with words (no, I'm not biased!). Analyzing the meaning of every single term you use in your documents, and carefully selecting the ones that could potentially win your argument.... that's pure art.
But what if you could channel that creative energy into explaining law to your potential clients - in a visual format? You can, and there are several ways to do this:
Infographics - Infographics are actually fairly easy to create. Use the issue list you created for your content piece (above) as a source of inspiration. For example, if your client is having a problem receiving child support, outline a few things they should keep in mind when receiving or trying to collect child support. Make a list and describe each point in a sentence or two. Then start creating your infographic.
The best resource (which we use religiously) is Canva. Click on the "infographic" template and get to work. Choose your favorite template that has catchy colors and start replacing the content with your own. It's that simple.
Post the content on your blog, in your social media, or in other channels that you know your potential clients are using. Even your personal Instagram or Facebook accounts can be a great way to share your creation. Personalized content usually fares better than something coming from a company, so get to sharing.
Slideshows - Slideshare and Canva are great resources to publish slideshow presentations with relevant, easy-to-digest information for your target audience. A new feature from Canva allows you to publish directly from their platform, just like you would a regular web site. Best of all, there's no coding or technical troubleshooting involved. Simply prepare and post. Slideshare is easy as well: just compose your slides in Microsoft PowerPoint or Google Slides, and upload the document straight to Slideshare.
Three C's of Personalization
The term "innovation" has expanded to the legal industry. To stand out, lawyers have to be innovative in the way that they market their firms and solve their clients' problems. Here's one way you can be innovative and use modern marketing theories and methods to capture new clients: personalization.
Coffee Hour - Set up a weekly "coffee hour" at a local coffee shop and invite your blog/newsletter and social media followers there for a one-on-one session. It's a no-pressure, relaxed environment that will help you stand out from your competition. Make the consultation free, but follow it up with an email with the option to schedule a meeting and sign a retainer.
Chat Hour - Similar to the coffee hour, advertise a weekly "chat hour" on your site and social media, and allow people to anonymously ask you questions regarding their case. Again, make the consultation free, but follow it up with an email with the option to schedule a meeting and sign a retainer.
Calendar Invites - Allow your clients to schedule their consultation appointments directly from your website. Keep your availability visible and eliminate all barriers to them reaching you. This way, they can schedule their appointments based on their own availability and eliminate the hassle of back-and-forth calendar negotiations. Depending on what platform you use to build your site (or your website developer) calendars are pretty easy to implement. Simply look up "calendar widgets" and you'll find relevant information on their integration.
Earlier this year, Bob Ambrogi talked about security and how lawyers should be scared - and take the subject more seriously. He mentioned a few notable instances in which lawyers were hacked and had to pay penalties to recover data, or in which they were sued in a class action.
We looked into the issue and found one notable case where three men hacked into multiple US law firms, accessing the email accounts of lawyers helping companies with major business deals (including one involving Intel Corporation). They used the information they found to trade, and ended up making more than $4 million. Officials are now warning law firms to be careful and watch for similar incidents, since their servers hold valuable information for hackers.
To help lawyers improve their security measures and prevent a breach to their system, we went out and interviewed cyber security expert Mara Glasser, who graciously provided a breakdown of what "cyber security" means and how lawyers can take their protocols to the next level:
I. Can you tell us about your background and your experience with cyber security?
I currently work as a Senior Cyber Intelligence Analyst for a cyber security company called Q6 Cyber based out of Miami and Tel Aviv. My experience and specialization in cyber fraud/cyber crime allows me to help my clients gain visibility into their adversaries and secure data that may otherwise end up in the wrong hands.
Armed with this information, I am able to provide proactive recommendations and solutions so that organizations can better protect their assets. Prior to joining Q6 Cyber, I lived in Israel where I worked in the cyber security sector as a Cyber Intelligence Analyst alongside members of various intelligence communities as well as with the private sector. I have an MA in Security and Counter-Terrorism.
Q6 Cyber is a cybersecurity company based in Miami and Tel Aviv. The company provides a wide range of cutting-edge cybersecurity solutions and services, enabling organizations to effectively manage and dramatically reduce the risk and impact of cyber attacks.
The company is led by former U.S. intelligence officials (NSA, U.S. Secret Service). Q6 Cyber serves customers in the United States and internationally across multiple industries such as financial services, real estate, legal, retail, hospitality, logistics, and investment management.
II. What is “cyber security” in plain English?
Cyber Security is comprised of practices, processes, and technologies that are designed to defend networks, computers, data, and, in general, all assets from unauthorized access which can lead to attacks and damage.
III. How hard is it for someone to hack my computer or device?
It depends on a lot of different variables such as the level of sophistication of the threat actor involved, the user, the system, and the policies of the organization. All of these variables set a precedent of how secure or insecure you might be.
However, whether we want to believe it or not, we make it a lot easier for the “bad guys” to get into our computers/devices when we lack knowledge in how to protect our assets.
Conduct Penetration Tests
Starting at an organizational level, we at Q6 Cyber recommend that organizations conduct penetration tests. This is the testing of computer systems, networks, and web applications to find vulnerabilities that an attacker can exploit or take advantage of. Penetration tests are conducted remotely and do not require physical access to your premises. Every organization is unique and so the penetration test service is tailored to meet your needs.
When Q6 conducts these tests, we generally gain access through applications and devices that are not properly configured, often with default passwords still in place. Systems that are not kept up to date with security patches are generally easier to compromise than fully updated ones. When a user reuses the same password for all of their personal and work accounts, there is a higher chance that the user will be compromised.
With all of the recent data breaches, an attacker can get information to learn a user’s password to attempt to take over their account(s). The next most commonly successful attacks are those based on social engineering - such as phishing. In such cases, an attacker acts as a legitimate company or person and attempts to get users to click on malicious links and trigger malicious software, which enables the attacker to gain entry. Basically, from these few examples, users can be their own worst enemy.
IV. What are some precautions I can take to protect my computer / device?
I think the preliminary step is to understand the controls that you have put into place; however, there are also some general practices that can help to reduce the chance of compromising your system and account credentials.
Keep Your System Software Up to Date
First, and one of the most overlooked items, is to keep your system software up to date - and do NOT run any pirated software. Secondly, I cannot emphasize enough the importance of having a strong, unique password, which makes it more difficult for an attacker to compromise your system.
With data breaches such as those that targeted LinkedIn, Yahoo, and other websites occurring more frequently, an attacker looking to compromise a user or organization can build a list of common passwords from these breaches that can substantially increase their chances of success.
Create Strong, Unique Passwords
According to the 2016 Verizon Data Breach Investigations Report: “Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords.” I suggest using a long pass phrase (ex: a few words combined from your favorite song), and using a password manager that has the ability to generate and store passwords for you.
Use 2-Factor Authentication
Additionally, I suggest using a 2-factor authentication process wherever possible to help reduce the chances of a compromise. It is important to understand and to clarify that those 2-factor authentications using SMS are no longer recommended by NIST (National Institute of Standards and Technology).
Instead, find a 2-factor authentication that uses a secure token such as RSA ID, or an application such as Google Authenticator (I use this for many of my online accounts). Other recommendations include locking screensavers for your portable devices, to help protect unauthorized people from using the device when left idle.
Remotely Wipe Lost or Compromised Portable Devices
We also recommend that organizations implement systems that allow them to remotely wipe a lost or compromised portable device to ensure that it is no longer able to connect to the organization’s systems. The key to all of this is to have a comprehensive series of overlapping security controls combined with strong monitoring, so that if something is to happen, it is noticed and resolved quickly.
Lawyers hold a lot of personal information about their clients on their personal devices. What precautions would you recommend for them to protect their client data?
Implement Strong Access Controls
Similar to the recommendations above, lawyers need to look at all of the different ways that client information can be compromised, and ensure there are overlapping controls in place. The bulk of client data should be stored in a well-secured, centralized location with strong access controls that limit a user’s visibility to only the required clients.
Limit Storing Client Data to Current Projects Only
The amount of client data stored on an attorney’s personal device should be limited to current projects, in order to minimize the risk of compromise or loss. Ideally, they should always use encrypted emails to communicate to clients and share client data. When this is not possible, Q6 Cyber recommends that users share files through systems that perform strong authentication (such as 2-factor authentication) and have role-based access controls, such as Microsoft’s SharePoint, OneDrive, or Google Drive, rather than through an unencrypted email.
Train Your Employees
Lastly, it is always recommended that organizations hold a company policy training session. This is used to inform and educate employees on company policies about security protocols and other security matters, such as what to look for when opening a suspicious email.
V. In your professional opinion, is it safer to store information in the cloud or on your personal device?
Move to the Cloud
I would say that data stored on the cloud is not infallible, but overall, is more secure than storing data on your personal device. Each presents different challenges and both need comprehensive security controls in order to fully protect sensitive information.
For example, a user storing data in a cloud-based system which is only protected with a simple password that is the same as the other passwords the user used on LinkedIn or other websites is not safer just because it is in the cloud.
Another risk with storing data only on your personal device: Q6 has received calls from the offices of medical professionals and lawyers due to one of their office machines being infected with ransomware. This malicious software is designed by an attacker to block access to a computer system (files included) until you pay the requested sum of money.
Have Regular Backups of All Your Data
The issue at hand lies here: even if you pay the ransom and receive your data, the attacker has your valuable data in hand. If you do happen to have sensitive data on your device, always password protect the data. Also, having regular backups of all of your data is highly recommended.
However, data stored on a personal laptop that does not have the latest security updates installed, and which is used to conduct a wide variety of personal business, is at high risk for being compromised by malware - which would consequently put all of the sensitive client data stored on the computer at risk.
The data on the cloud servers are encrypted, which makes hacking a formidable task for criminals. Another benefit with storing your data on the cloud is the ease of access. Today, we don’t have to be in the office in order to be efficient and get work done. We can be on opposite ends of the world and access the data needed if stored in a secure cloud location. Not to mention that this is probably the most cost-effective method of sharing data.
VI. What are some tips for lawyers to protect the data they store in the cloud?
The risk of physical compromise for data stored in a cloud service is relatively low, but the risk of compromise due to poor authentication controls is relatively high. Users are overwhelmed with password requirements and in order to be productive they have a small number of password variations that are regularly used (and reused across multiple accounts).
Support Single Sign-On if Possible
Attackers know this and, to no surprise, exploit it. We recommend turning on 2-factor authentication whenever possible. Also, if your organization is able to support single sign-on (SSO), this should be used whenever possible in order to minimize password burden on the user.
The SSO works when a user logs in to one client and is then signed in to other clients automatically regardless of the platform or domain used by the user. For example, when logging into your Gmail account you are simultaneously also logged into your YouTube account. SSO performs one strong authentication of the user and passes that authentication to the various systems that the user needs to access.
"In addition to authentication, users should be vigilant about with whom they share files and folders. Only those with a legitimate reason to have files and folders containing sensitive information should be able to access them at any given time."
Finally, when shopping around for an appropriate cloud service, make sure that the service supports the latest TLS encryption and uses HSTS (HTTP Strict Transport Security) to minimize the chances of the data being compromised while in transit. The likelihood of an attacker breaking into an Amazon Web Services or a Google Data Center and stealing a hard drive is incredibly small.
As mentioned above, the data compromised through cloud services is almost exclusively done via weak user passwords, misconfigured access controls, or bugs in the software that provides access to the data.
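One way to run the TLS and HSTS check recommended above when evaluating a cloud service, as an added Python example that is not part of the interview and not from Q6 Cyber. The TLS 1.2 floor, the 180-day max-age threshold and the sample headers are assumptions chosen for illustration.

```python
import http.client
import ssl

# Assumptions for this example: TLS 1.2 is the lowest acceptable version and
# an HSTS max-age under 180 days is too short to give lasting protection.
TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797) into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted string
        if name == "max-age" and value.isascii() and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess(tls_version, hsts_header):
    """Return findings for one service; an empty list means both checks passed."""
    findings = []
    if TLS_RANK.get(tls_version, -1) < TLS_RANK[MIN_TLS]:
        findings.append(f"negotiated {tls_version}, older than {MIN_TLS}")
    if hsts_header is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(hsts_header)
    if policy["max_age"] is None:
        findings.append("HSTS header has no valid max-age")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif policy["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {policy['max_age']}s is under 180 days")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing, subdomains not covered")
    return findings


def check_host(host, port=443, timeout=10):
    """Connect to a service you are evaluating and assess what it offers."""
    ctx = ssl.create_default_context()       # validates certificate and hostname
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        tls_version = conn.sock.version()    # highest version both sides support
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    return assess(tls_version, hsts)


# Constructed samples (not real services): (TLS version, HSTS header or None)
SAMPLES = {
    "good": ("TLSv1.3", "max-age=31536000; includeSubDomains"),
    "old-tls-no-hsts": ("TLSv1.1", None),
    "hsts-disabled": ("TLSv1.2", "max-age=0"),
}

if __name__ == "__main__":
    for label, (version, header) in SAMPLES.items():
        print(label, assess(version, header) or "ok")
```

Calling `check_host` with a provider's hostname runs the same assessment against the live service. The negotiated version shows what a modern client gets, not whether the service has switched off older protocol versions.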
VII. Why should lawyers take this seriously? Have there been important or notable hacks recently that can illustrate the seriousness of the situation?
We hear this a lot: “It won’t happen to me”... well hopefully it won’t, but most likely it will at one point or another. Recently, it was publicized that over 1 billion Yahoo user accounts had been compromised. The security industry cannot stress enough the issue of password reuse.
Imagine: a criminal who has access to the over 1 billion user accounts now likely has your compromised email address and password. Think of how many of your accounts (bank, Dropbox, etc.) you may use the same password for. For all of these, the criminal can potentially also have access.
It is no secret that law firms are a prime target, as they hold a lot of sensitive data. Earlier in 2016, 11.5 million leaked documents known as the Panama Papers were made public. These leaked documents detailed financial and attorney-client information belonging to wealthy individuals and public officials. The victim of the breach was Panamanian law firm Mossack Fonseca. This breach not only may have financial repercussions, but also can affect an organization’s brand reputation.
VIII. Thank you Mara! As a closing thought, is security better today than it was, say, a year or five years ago? What are providers doing to ensure security for their customers?
As technology advances, so does the sophistication of cyber attacks and the threat actors involved. Hacktivists, cyber criminals, and state-sponsored groups have remained one step ahead. I would say currently, a big challenge that can be traced back to the user is one which I would call “human vulnerability.”
Attackers have increased their method of social engineering attacks, crafting highly targeted phishing attacks that entice users to click on malicious links. Organizations not only have to worry about the threat of cyber attacks but also disgruntled employees that are involved with releasing sensitive data and engaging in malicious activities with the data.
I believe that security starts at an organizational level with that organization putting proper security controls in place and making sure that their employees understand proper protocols. A penetration test is a good starting indicator on how secure an organization really is.
I am a big believer in company training sessions that help employees visualize and learn about what to do and what not to do. Clarifying exactly which 2-factor authentication to use, what internal password policies to follow, and what different types of social engineering attacks exist, can help to prevent and deter a compromise that can have consequences far beyond financial.
Lastly, an individual should always use proper security protocols - such as using strong passwords, not reusing passwords across accounts, and using a 2-factor authentication whenever possible.