Top cyber security tips for law firms

46 seconds.

That’s how often an attempted attack was happening on businesses in 2020, proving it to be the busiest year on record for cyber-attacks.

For the legal sector, the threat isn’t any smaller but instead magnified – as in the world of cyber targets, law firms are still considered ‘soft’ and a natural target of cyber criminals.

Not only do they deal with so much confidential material, ranging from personal data, to large financial transactions and the personal affairs of high-profile clients; but they often lack sophisticated cyber security infrastructure and fall victim to simple cyber mistakes, both due to a lack of technical knowledge within firms.

If you’re a serious legal professional, there’s no doubt you’ve seen or read about the risks of cyber-crime firsthand. As a result, you will most definitely understand the importance of maintaining public and client trust in your firm. But where do you start?


Top cyber security tips for law firms

We have pulled on our expertise in the cyber security landscape and our own experience of working with the legal sector to compile these six cyber security tips for law firms.

1. Train your entire team

Human error is the primary cause of 95 percent of cyber security breaches. To put it another way, if human error could be fully eliminated, 19 out of every 20 cyber breaches could be avoided!

That’s why ensuring your entire team – from the founding partners to the receptionist – is educated on and practises the greatest level of cyber security care, awareness and diligence is the best protection against cyber incidents. Take time to arrange regular training on confidentiality issues and how to avoid a data breach, and provide everyone with policies that outline the key “do’s and don’ts” of cyber security.

Remember – you are only as strong as your weakest link. You can have the best technology money can buy, but if it isn't backed up by good governance, it will fail.

2. Beware of BYOD

Although beneficial in many respects, Bring Your Own Device (BYOD) can be problematic if adequate security precautions are not taken. It may give employees greater flexibility in their working patterns and let them work on the devices they feel most comfortable with, but failing to consider the cyber security vulnerabilities it introduces could be a very costly mistake.

Devices which are not regularly updated are easily exploited by a cyber-criminal. Even though most law firms keep their internal software, infrastructure and malware protections up to date, the same cannot be guaranteed for employee-owned devices.

To combat the issue, firms should have a specific BYOD policy in place regulating how those devices are to be used, and what control the law firm has over them. They should also look to tools like Remote Connection Software (RDS), which allow employee devices to be used without the risk that the employee’s personal data will have to be deleted should a device be lost or stolen. With such a solution, IT departments can remotely ‘wipe’ the firm’s data from a device, ensuring the firm’s sensitive information doesn’t reach the wrong hands.

3. Encrypt, encrypt & encrypt

Researchers have found encryption to be the least used security feature in law firms. This is surprising, considering encryption is a comparatively simple yet effective cyber risk management tool. For instance, lost and stolen devices are one of the leading causes of data breaches in the legal sector. If a computer or device is encrypted, the information on it will not be accessible even if it is lost or stolen.

If you want to keep your law firm’s data secure, though, you’ll need to encrypt everything – not just devices. That includes everything from laptops and mobiles, to email communications and any data stored in the cloud or on local servers.

4. Have a strict password policy

When it comes to a firm’s technology, no security procedure is more crucial than having strong passwords – and enforcing a strict password policy is the way to do that. Your systems should be set up to ensure passwords are a minimum of 12 characters that contain both upper- and lower-case letters, as well as numbers and symbols. Passwords should also be changed regularly and not repeated.

The good news is that implementing this is also the least expensive measure!

The trouble many firms find, however, is that managing multiple complex passwords is a tall order for one person. In fact, it is virtually impossible for anyone to remember a unique password for every protected site, and as writing passwords down is not recommended, they are left wondering what the answer is.

Password managers are the safest and most efficient way to manage the security of multiple accounts – especially for those within the legal sector – and security experts agree. When using one, you can keep track of all your unique passwords, but must only remember one complex master password for the password manager. Many of the options available today will even generate strong passwords for users.
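As an added illustration of the policy described above (this is example code, not something from the original post or from entrust IT Group), the script below encodes the post’s stated rules – a minimum of 12 characters with upper-case, lower-case, digits and symbols – as a checker, and shows how a password manager generates a compliant password from the operating system’s CSPRNG rather than asking a person to invent one. The choice of `string.punctuation` as the symbol set and the default generated length of 20 are assumptions of this example.

```python
import secrets
import string

# Rules as stated in the post: at least 12 characters, containing upper-case,
# lower-case, digits and symbols. The symbol set is an assumption of this example.
MIN_LENGTH = 12
SYMBOLS = string.punctuation


def check_policy(password: str) -> list[str]:
    """Return the list of policy rules the password fails.

    An empty list means the password is compliant.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies check_policy.

    This mirrors what a password manager does: draw each character from the
    OS cryptographic random source (the secrets module) and re-draw until the
    result meets the policy, so the user never has to invent or remember it.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # With 20 draws from all four classes a miss is rare; loop until compliant.
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for sample in ("password", "Correct-Horse-9", "ALLUPPERCASE123!"):
        problems = check_policy(sample)
        print(f"{sample!r}: {'OK' if not problems else ', '.join(problems)}")
    print("generated:", generate_password())
```

In practice the check would sit where accounts are created or passwords changed (a directory service or identity provider), while generation is left to the password manager the post recommends; the point of the example is that the two halves fit together: the policy is enforced by the system, and the manager produces values that always pass it.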

5. Vet vendors rigorously

It is not uncommon for lawyers to outsource work to third-party vendors, for example for e-discovery, legal research, copying, IT and other non-legal services. Unfortunately, vendors have been identified as the weak link in a number of cyber incidents.

With the above in mind, firms should assess the vendors they are looking to select, including their cyber security protocols, insurance policy and controlling contracts. Understand where the vendor will store confidential data – international storage may present problems – and whether they are transporting or analysing data. Examine the indemnification clauses and provisions that outline who is responsible for paying in the case of a data breach.

6. If all else fails, be prepared

You can never be 100% cyber secure. Even firms with the best technology and protections available remain at risk of a breach or disaster. To prepare for that possibility, law firms should have a business recovery plan in place and, like fire drills, practise cyber drills to ensure it is effective. These put the procedures you have set out into action and help identify the gaps in your current plan.

Moreover, given the potentially damaging impacts of a successful attack, cyber liability insurance coverage is recommended. This can help to cover the costs related to an attack, such as regulatory fines, notification expenditure, loss of income and other expenses. It may mean the difference between a law firm surviving a data breach relatively unscathed, or not surviving at all.

In short, cyber crime is a very real problem for law firms and, unfortunately, one that is only getting worse. Clients are aware of this, which is why excellent data security is increasingly considered when selecting legal counsel. Additionally, specific legal and ethical obligations require law firms to make efforts that provide appropriate protection for sensitive data. Failure to do so can have far-reaching legal, financial and reputational repercussions.

Implementing the tips listed in this blog is the first step in reducing the risk posed to your firm. But it’s worth remembering that securing your law firm against cyber crime is not a one-off task. The security threat landscape is forever changing, so all risk management activities around cyber security in your firm should be reviewed and updated continually to ensure maximum protection.

The entrust IT Group have over 15 years of experience working with law firms of various shapes and sizes. That means we are acutely aware of the kind of threats they face and what solutions will best keep them protected. We work closely with each firm before implementation to ensure we find the best array of products and that they fit the firm’s specific requirements. What’s more – all European customer data is stored in UK based data centres, each with their own ISO 27001 certification, and will never leave UK shores. Therefore, you have complete peace of mind that you are adhering to the regulations and rules of your industry.

If you’re ready to discuss ways in which the entrust IT Group can help your firm stay protected, please do not hesitate to get in touch.

Alternatively, you can download our FREE guide for staying safe online. Estimated read time – 5 mins!
