
August 2, 2023

7 ways to boost your law firm’s cybersecurity


Law firms remain prime targets for cybercrime, and for understandable reasons: the wealth of client information they manage, along with valuable intellectual property (IP) and other confidential or proprietary data, is highly appealing to threat actors.

In 2022 alone, the American Bar Association found that 27% of surveyed firms had experienced some form of cyberattack, up two percentage points from the previous year. Yet only 42% had developed and maintained an incident response plan.

Statistics from the UK aren't much more reassuring: in 2020, 75% of firms reported they had been targeted, and 78% of top law firms still say they're extremely or somewhat concerned about cybersecurity. Especially concerning is IBM's finding that a data breach in the UK costs, on average, GBP 3.9 million.

A recent report from the UK's National Cyber Security Centre (NCSC) warns that law firms are "particularly attractive targets to attackers" because of their large cash transfers and the sensitive information they often handle.

It’s clear that cybersecurity should be a priority for law firms. Here are seven law firm cybersecurity best practices to help you strengthen your defenses and stay ahead of today’s biggest threats.

1. Build cyber situational awareness

Lawyers spend years studying the intricacies of the law. This knowledge is vital when you represent your clients and lets you proactively look out for their interests.

Your first step toward stronger cybersecurity also starts with knowledge. Building cyber situational awareness (CSA) is critical, including knowledge of your IT systems, threats targeting them, and how to respond to those threats. Robust CSA can help identify immediate risks to your firm, so you can mitigate them and improve your security.

Once you understand the threats to your IT environment, you can identify and address cyber risks before they affect your operations. No two attack surfaces are identical, but they share common elements, like:

  • Devices like laptops, desktop computers, and smartphones
  • Software and applications on these devices
  • Removable data storage like USB drives
  • Smart devices like security cameras and speaker systems
  • Cloud-based software-as-a-service (SaaS) deployments
  • Publicly available information about your firm and its people online

Achieving CSA is all about developing a big-picture perspective that will help you proactively approach your organization’s security.

2. Strengthen passwords and use MFA

Strong, unique passwords are the first line of defense against an attacker. A good password makes it far harder for bad actors to get into your accounts and steal sensitive data about your clients and operations.

Consider all the services and systems that firms like yours rely on daily, like Dropbox, DocuSign, and Clio, and don't forget your bespoke systems for managing cases and billing. An attacker holding the credentials for any one of these systems could access a great deal of valuable data.

Length matters more than complexity: a long passphrase made of several unrelated words resists guessing better than a short string of mixed characters, and it's easier to remember. Mixing in upper and lowercase letters, numbers, and keyboard symbols helps, but only if the password is long and unique to that account. Some additional tips Google suggests include:

  • Use a memorable lyric from a song or poem.
  • Make an abbreviation from the first letter of each word in a sentence.
  • Avoid passwords people could guess by checking easily accessible information, like your social media profile.
  • Try using a series of words that are meaningful to you.

One caveat: famous lyrics, quotations, and names of pets or family members are already in the wordlists attackers use, so pick phrases that aren't well known and make them long.

But many people still rely on simple passwords because they're easy to remember. Worse, many reuse the same password across accounts, so an attacker who obtains one set of credentials can try them against every other service the victim uses (a technique known as credential stuffing) and will often get in.

A 2022 password analysis by NordPass found that the most common passwords in the UK are "password," "123456," and "guest." What's more, 83% of the most popular passwords can be cracked in less than one second. Weak and reused passwords like these are a major contributor to the 233% increase since 2021 in breaches that exposed user credentials.

Even though we all know strong passwords are essential for good cybersecurity, too many of us still pick weak ones. There's a simple reason for this: strong passwords are often long and hard to remember. To get people to use stronger passwords, make it convenient for them. A password manager generates, stores, and fills a long random password for every account, so users never need to remember or retype one.
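To make the length-over-complexity point concrete, here is an added example (not code from the original article or from Field Effect) of the checks a password manager or identity provider applies when a user picks a password: a minimum length, a lookup against a breach list by SHA-1 digest in the style of the Have I Been Pwned corpus, and a random passphrase generator. The breached set, the 16-word wordlist, and the 14-character minimum are constructed for this example; a real deployment would use the full breach corpus and a published wordlist such as the EFF long list.

```python
import hashlib
import math
import secrets
from typing import List

# Constructed sample of a breached-password list: the three most common UK
# passwords named in the article plus a few classics. Only SHA-1 digests are
# kept, as in the Have I Been Pwned download, so plaintexts never sit on disk.
BREACHED_PLAINTEXTS = {"password", "123456", "guest", "qwerty", "letmein", "Password1!"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PLAINTEXTS}

# Constructed mini wordlist for the generator. A real one (for example the EFF
# long list, 7,776 words) gives about 12.9 bits of entropy per word.
WORDLIST = ["copper", "harbor", "velvet", "lantern", "orbit", "meadow", "quartz",
            "ribbon", "saddle", "tundra", "walnut", "zephyr", "anchor", "bramble",
            "cinder", "dapple"]


def is_breached(password: str) -> bool:
    """Look the candidate up by SHA-1 digest, the way the HIBP range API does."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return size


def random_string_bits(password: str) -> float:
    """Upper bound on entropy: valid only if every character was chosen uniformly
    at random. 'password' scores 37.6 bits here yet cracks instantly, which is
    exactly why a breach-list check is needed on top of any strength estimate."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly from a wordlist of the given size."""
    return n_words * math.log2(wordlist_size)


def check_password(password: str, min_length: int = 14) -> List[str]:
    """Return the list of policy failures (empty means accepted).
    No composition rules, in line with NIST SP 800-63B: just length, a breach
    check, and a guard against trivially repetitive strings."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in a breach list")
    if len(set(password.lower())) <= 2:
        problems.append("too repetitive")
    return problems


def generate_passphrase(n_words: int = 4, sep: str = "-") -> str:
    """Draw words with the secrets module, never random.random, for credentials."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "copper-harbor-velvet-lantern"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)} "
              f"(naive estimate {random_string_bits(candidate):.1f} bits)")
    print("suggested:", generate_passphrase())
    print(f"4 words from a 7,776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

The naive estimate is deliberately printed alongside the verdict: it shows why strength meters that only count character classes are not enough, and why the breach-list check is the one that actually rejects "password".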

Multi-factor authentication (MFA) adds another layer of defence. With MFA enabled, users must present at least two factors from different categories to sign in:

  • Something you know: a unique password, passphrase, or personal identification number
  • Something you have: a hardware security key (for example, a FIDO2 USB key) or a soft token such as an authenticator app; SMS codes also count but are the weakest option, since they can be intercepted or redirected through SIM swapping
  • Something you are: a biometric characteristic, like a fingerprint

If you enable MFA, an attacker who has your password still doesn't have the keys to the kingdom; they need the second factor too. MFA should be a baseline control on every account that holds client data. Bear in mind that not all MFA is equal: one-time codes can be phished in real time by a fake login page that relays them to the genuine service, and push prompts can be approved by a tired user under a flood of notifications. Where a service supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys.

The next step after MFA is passwordless authentication, for example passkeys, which replace the password with a cryptographic key stored on the user's device and unlocked locally with a fingerprint, face scan, or PIN. The biometric never leaves the device and is never sent to the service; it only unlocks the key. Because there is no shared secret for a server to leak or a user to reuse, this removes the password-breach problem for the accounts that support it. Passwordless isn't universal yet, though: many line-of-business and legacy systems still require a password, so most firms will run it alongside MFA rather than instead of it.

3. Back up your practice’s critical data

As previously mentioned, data and IP are critical to law firm operations. Ransomware is malicious software that encrypts files or locks systems so their owners can't use them; the attackers then demand payment for the decryption key. Increasingly, they also copy the data before encrypting it and threaten to publish it if the ransom isn't paid.

Ransomware attacks are a significant concern for law firms everywhere. A single ransomware attack could render large amounts of information inaccessible.

For example, in June 2023, a ransomware attack on HWL Ebsworth, one of Australia's biggest law firms, led to the theft of 3.6 terabytes of information. The firm obtained an injunction preventing the media or anyone else from publishing the stolen information, but it is known that 1.1 terabytes of it were leaked online after HWL Ebsworth refused to pay the ransom. This included sensitive data belonging to several Australian government organizations:

  • Fair Work Ombudsman
  • Federal police
  • Defence Department
  • Home Affairs Department
  • Prime Minister and Cabinet
  • Services Australia

Losing access to data like this can cripple any firm. Regular backups ensure you can still reach your information after a cyberattack. Take the time to copy your data to secure locations like:

  • An external hard drive or other storage that is disconnected from your network once the backup is finished, so ransomware spreading across the network can't encrypt the copy too
  • A cloud-based or automated backup service, ideally one that keeps versioned or immutable copies that a compromised account can't delete

Routinely backing up data to a secure location lets you recover files rapidly and minimize downtime. Two caveats: test restores regularly, because a backup you have never restored from is an assumption rather than a plan; and remember that backups restore availability only. As the HWL Ebsworth case shows, a backup does nothing to stop stolen data from being published, so backups complement, rather than replace, the other controls in this list.
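Here is an added example (not code from the article or from Field Effect) of the "test your restores" step in practice: a small backup routine that writes a compressed archive plus a manifest of SHA-256 hashes, and a verification routine that extracts the archive into a scratch directory and compares every restored file against the manifest. The demonstration scenario is constructed: a tiny tree of case files, an "offline vault" directory standing in for the disconnected drive, a simulated ransomware overwrite of the originals, and a deliberately corrupted archive to show that a damaged backup is caught before the day you need it.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under src."""
    return {str(p.relative_to(src)): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path, name: str):
    """Write a compressed tar of src and a JSON manifest (file hashes plus the
    archive's own hash) next to it. Keep the manifest with the offline copy so a
    tampered archive can't be paired with a tampered manifest."""
    archive = dest_dir / f"{name}.tar.gz"
    manifest_path = dest_dir / f"{name}.manifest.json"
    files = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:
            tar.add(src / rel, arcname=rel)
    manifest_path.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Test restore: extract into a scratch directory and compare every file's
    hash with the manifest. Returns a report; 'ok' is True only if the archive
    is intact and every file restored byte-for-byte."""
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": False, "archive_intact": False, "missing": [],
              "mismatched": [], "error": None}
    report["archive_intact"] = sha256_file(archive) == manifest["archive_sha256"]
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python provides it
                # (it refuses absolute paths and '..' entries in the archive).
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except Exception as exc:  # corrupt gzip/tar data raises several types
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = build_manifest(Path(scratch))
        for rel, digest in manifest["files"].items():
            if rel not in restored:
                report["missing"].append(rel)
            elif restored[rel] != digest:
                report["mismatched"].append(rel)
    report["ok"] = (report["archive_intact"] and not report["missing"]
                    and not report["mismatched"])
    return report


def demo() -> dict:
    """Constructed scenario: back up, simulate ransomware on the source, prove the
    backup restores intact, then corrupt the archive and prove that is detected."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "case_files"
        (src / "matters").mkdir(parents=True)
        (src / "matters" / "smith_v_jones.txt").write_text("Privileged: draft settlement terms\n")
        (src / "billing.csv").write_text("matter,hours\nsmith_v_jones,12.5\n")
        vault = root / "offline_vault"  # stands in for the disconnected drive
        vault.mkdir()
        archive, manifest = create_backup(src, vault, "2023-08-02")

        for p in src.rglob("*"):          # simulate ransomware overwriting the originals
            if p.is_file():
                p.write_bytes(os.urandom(64))
        clean = verify_restore(archive, manifest)

        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF      # flip one byte in the middle of the archive
        archive.write_bytes(bytes(data))
        corrupted = verify_restore(archive, manifest)
    return {"clean": clean["ok"], "corrupted": corrupted["ok"]}


if __name__ == "__main__":
    print(demo())
```

The archive hash is checked before extraction so that a silently damaged or tampered backup fails even if the tar reader happens to tolerate it; the per-file hashes then catch the case where the archive is intact but a file was already encrypted when the backup ran.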

4. Patch and update your software regularly

Attackers are always looking for ways around your defences. Software and operating systems that haven't been updated or patched let attackers exploit known vulnerabilities to reach your systems and data.

Software updates generally optimize performance or fix a bug in your software or operating system. A patch is a little different, though. Patches are specific updates that address security vulnerabilities identified by the developer. Put simply, all patches are software updates, but not all software updates are patches.

Ensuring patches are applied as soon as they become available is critical to reducing security gaps, but patch management remains challenging for many organizations.

The UK’s Cyber Security Breaches Survey 2023 found that 66% of businesses do not have patch management policies. What’s more, businesses have reduced their controls and procedures for patch management policies by 8% in the last year.

A different 2023 report found that reported vulnerabilities have increased by 26.3% per year on average in the last five years. Breaches exploiting these vulnerabilities exposed more than 2.29 billion records between November 2021 and October 2022, totaling 257 terabytes of data.

Applying software updates and patches as soon as possible, prioritized by severity and by whether an exploit is already circulating, closes the gaps attackers are most likely to try first.

5. Use a virtual private network

Accessing your firm's data over a shared internet connection introduces additional risk. With remote and hybrid work now common, it's harder to be sure that everyone reaching your firm's data is an employee with permission to do so, and it isn't feasible to vet every employee's home internet connection.

Moreover, many people like to work in coffee shops or other places with public hotspots. While convenient, these connections typically have minimal security measures, making them easy targets for attackers.

Employees logging in from public Wi-Fi or home should use a virtual private network (VPN), which encrypts all traffic between their device and the VPN gateway. A VPN hides your traffic and internet protocol (IP) address from whoever runs the local network, which matters on untrusted infrastructure. A firm-managed VPN goes further: it terminates inside the firm's own perimeter, so the firm controls the encryption and can require MFA and a managed device before granting access to internal systems.

This protects you from eavesdropping by anyone else on the same Wi-Fi network and from tactics that target weak local infrastructure, such as man-in-the-middle attacks or DNS poisoning. Note that HTTPS already protects most web traffic on its own; the VPN's main added value is covering DNS queries and connection metadata, and gating access to internal resources.

You should use a VPN when you're:

  • Using public Wi-Fi
  • Travelling
  • Accessing your firm’s network remotely
  • Seeking continual privacy online

Remember, though, that a VPN isn't a firewall or a web filter. It improves privacy and protects the network path, but it can't stop users from clicking on malicious websites or links the way certain firewalls and filters can, and it offers no help if the device itself is already compromised.

There are several commercially available VPNs to choose from. Whichever you select, remember that the VPN provider can see every connection you route through it, so choose one whose jurisdiction and logging practices you're comfortable with, and that has servers near your staff to minimize latency. For access to the firm's own systems, a VPN the firm operates itself is preferable to a consumer service.

6. Invest in security awareness training

Three of the biggest cyber threats to law firms—ransomware, phishing, and business email compromise (BEC)—often rely on social engineering techniques to fool users into opening malicious links or files, or sharing their credentials. Attackers are quick to capitalize on global trends, like running phishing campaigns impersonating OpenAI and ChatGPT and asking for personal details under the pretense of completing registration.

In the UK, 83% of attacks on businesses involve phishing, which remains a significant threat to the legal sector and is the top attack type the NCSC warns about in 2023.

If successful, attackers have several options. They could:

  • Steal intellectual property and demand a ransom to get it back
  • Falsify communications to stage a BEC attack
  • Redirect client payments to an account they control
  • Sell your confidential information on a dark web marketplace

The tactics bad actors use in these attacks exploit busy teams, but ongoing security awareness training can blunt them. Teach staff to recognize the signs of social engineering, such as manufactured urgency, an unexpected change of bank details, or a sender address that is almost but not quite the firm's own, and make sure they know what to do if they're targeted: verify any payment change by phone using a number already on file, and report suspicious messages rather than quietly deleting them.
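The "almost but not quite the firm's own" sender is the hallmark of BEC, and it is one of the few signs that can be checked by machine as well as by eye. The following is an added example, not code from the article or from Field Effect: a small classifier that takes From headers and flags lookalike domains by homoglyph substitution (digits standing in for letters), small edit distance from the firm's domain, the firm's name embedded in an unrelated domain, and a display name that claims the firm while the address is external. The firm domain examplelaw.com and the six sample headers are constructed for this example.

```python
from email.utils import parseaddr
from typing import List, Tuple

# Assumed firm domain for the example.
FIRM_DOMAIN = "examplelaw.com"

# Common character substitutions seen in typosquatted domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample From headers, one per scenario.
SAMPLE_FROM_HEADERS = [
    "Jane Partner <jane.partner@examplelaw.com>",            # genuine internal
    "Jane Partner <jane.partner@examp1elaw.com>",            # digit 1 for letter l
    "Accounts <accounts@examplelaw.co>",                     # truncated TLD
    "Examplelaw Billing <billing@examplelaw-secure.com>",    # firm name plus extra token
    "Jane Partner - Examplelaw <jp.examplelaw@gmail.com>",   # display-name spoof
    "Court Registry <noreply@courts.example.gov>",           # legitimate external
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, the standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, firm_domain: str = FIRM_DOMAIN) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'internal', 'lookalike' or 'external'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "external", "no parseable address"
    domain = addr.rpartition("@")[2]
    firm_domain = firm_domain.lower()
    firm_label = firm_domain.split(".")[0]

    if domain == firm_domain:
        return "internal", "firm domain"
    normalized = domain.translate(HOMOGLYPHS)
    if normalized == firm_domain:
        return "lookalike", f"homoglyph substitution: {domain} -> {firm_domain}"
    distance = levenshtein(domain, firm_domain)
    # Threshold of 2 suits a domain of this length; shorter firm domains would
    # need a tighter threshold to avoid flagging unrelated names.
    if distance <= 2:
        return "lookalike", f"edit distance {distance} from {firm_domain}"
    if firm_label in domain:
        return "lookalike", f"firm name embedded in unrelated domain {domain}"
    if firm_label in name.lower():
        return "lookalike", f"display name claims firm but address is {domain}"
    return "external", f"unrelated domain {domain}"


def scan(headers: List[str], firm_domain: str = FIRM_DOMAIN) -> List[Tuple[str, str, str]]:
    """Classify a batch of From headers; the result is what a mail gateway
    would use to tag the message or warn the recipient."""
    return [(h,) + classify_sender(h, firm_domain) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {reason:55} {header}")
```

A gateway rule like this is a complement to training, not a substitute: it catches the mechanical variants, while the genuinely compromised mailbox of a real client or counterparty, which sends from the correct domain, is caught only by a staff member who picks up the phone to confirm the new bank details.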

And while every law firm should understand how to recognize and react to social engineering scams, training should also cover other concerns.

Employees should learn about:

  • Data privacy regulations
  • Best practices for sharing data digitally
  • How staff should respond to a cybersecurity incident

Ongoing education arms staff with the knowledge to spot phishing attempts, maintain the physical security of IT assets, and understand how data privacy regulations affect your operations. Delivering this regular training on law firm cybersecurity best practices to all staff fosters a strong culture of security within your organization.

Defending against attackers is a joint responsibility, and involving everyone can improve your firm's overall security.

7. Rely on advanced cybersecurity solutions

As most industries continue to undergo major technological changes—including the shift to remote and hybrid work and the advent of AI—it's become almost impossible for many organizations to manage their cybersecurity independently.

It's even more challenging if you're unsure which programs you need (an antivirus probably isn't enough anymore, despite what some vendors may have you believe) or don't have people who can research, onboard, and continuously manage the software.

Thankfully, managed detection and response (MDR) services have moved to the forefront, so cybersecurity experts can deliver the most advanced technology for your business and keep up with new risks and threats. They monitor your systems 24/7 and can contain an issue as soon as they detect it, minimizing the damage an attack or breach could do to your business.

Protect your law firm with Covalence

As your industry becomes more digital and adopts more technology, the need for law firm cybersecurity will continue to rise. Following these tips will help you proactively protect your firm's and clients' sensitive data from ever-increasing threats.

Using one source of protection to identify and stop cyber attacks across your IT infrastructure will further strengthen your security. Field Effect's Covalence is an easy-to-use platform that monitors, detects, and even responds to threats in real time. Its simple reporting cuts the noise you'd otherwise get from too many alerts, helping you spot serious threats with the context you need to act early.

Book a free demo to discover the peace of mind that Covalence can give you.