Law firms continue to be major targets for cyber criminals, and for good reason: the wealth of client information managed, not to mention valuable intellectual property (IP) and other confidential or proprietary data, are all extremely appealing prizes.
In 2020 alone, the American Bar Association found that 29% of surveyed firms experienced some form of cyber attack, a three percent increase over the previous year. Yet only 34% have developed and maintained an incident response plan.
Statistics in the United Kingdom aren’t much more reassuring, with 75% of firms reporting they had been a target.
It’s clear that cyber security should be a priority for law firms. Here are 7 cyber security best practices to help you strengthen your defences and stay ahead of today’s biggest threats.
1. Build cyber situational awareness
Lawyers spend years studying and learning the intricacies of law. This knowledge is vital when representing your clients and allows you to proactively look out for their interests.
Your first step towards stronger cyber security also starts with knowledge. Building cyber situational awareness (CSA), the combined knowledge of your IT systems, the threats targeting them, and how to respond to those threats, is critical: it helps you identify immediate risks to your firm so you can mitigate them and improve your security.
With a better understanding of your IT environment's threat surface, you'll be able to identify and address cyber risks before they can impact operations. While no two threat surfaces are exactly alike, they share common elements, including: laptops, desktop computers, and smartphones; the software these devices run; removable data storage, such as USB drives; smart devices, such as security cameras and speaker systems; cloud-based Software-as-a-Service deployments; and even publicly available information on the internet.
Achieving CSA is all about developing a big-picture perspective that will help you take a proactive approach to your organization’s security.
2. Strengthen passwords and use multi-factor authentication
Strong, complex passwords are the first line of defence against an attacker, preventing them from gaining access to your accounts and stealing sensitive data about your clients and operations. Consider all the services and systems firms like yours rely on daily, such as DropBox, DocuSign, and Clio, not to mention bespoke systems for managing cases and billing. If an attacker obtained a set of credentials for any one of these systems, they could gain access to a lot of valuable data.
Ideally, passwords should include a unique combination of upper and lowercase letters, numbers, and several keyboard symbols, or alternatively a hard-to-guess passphrase that incorporates those elements as well. But many still rely on easy-to-remember passwords, and in some cases, reuse these across multiple accounts. If an attacker were to learn one set of credentials, they could try using them elsewhere to see what doors they open.
A 2019 breach analysis by the United Kingdom’s National Cyber Security Centre found that over 23 million victim accounts used “123456” as a password. Other contenders for worst possible password include “password,” “123456789,” “qwerty,” and even “111111.”
These weak passwords are usually the result of users choosing convenience over security, for a simple reason: sophisticated passwords are difficult to remember and manage. A password manager can automate the creation, secure storage, and handling of passwords.
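The policy described above, a mixed-character password or a long passphrase, plus a denylist built from the worst passwords the NCSC analysis names, can be enforced in a few lines. This is an added illustration, not code from the original article or from Field Effect; the length and word-count thresholds are assumptions, and the credential sample in the reuse check is constructed.

```python
"""Password policy and reuse check modelled on the advice in this section."""
import re
import string

# Constructed denylist: the worst passwords quoted from the NCSC 2019 analysis.
BREACHED_PASSWORDS = {"123456", "password", "123456789", "qwerty", "111111"}

MIN_COMPLEX_LEN = 12      # assumed threshold for the mixed-character rule
MIN_PASSPHRASE_LEN = 20   # assumed threshold for the passphrase rule
MIN_PASSPHRASE_WORDS = 4  # assumed: a passphrase needs at least four words


def character_classes(pw: str) -> set[str]:
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(pw: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if pw.strip().lower() in BREACHED_PASSWORDS:
        failures.append("appears in the breached-password denylist")
    # Rule A: all four character classes at a reasonable length.
    complex_ok = len(pw) >= MIN_COMPLEX_LEN and len(character_classes(pw)) == 4
    # Rule B: a long passphrase made of several words (space or hyphen separated).
    words = [w for w in re.split(r"[\s-]+", pw) if w]
    passphrase_ok = len(pw) >= MIN_PASSPHRASE_LEN and len(words) >= MIN_PASSPHRASE_WORDS
    if not (complex_ok or passphrase_ok):
        failures.append(
            f"needs {MIN_COMPLEX_LEN}+ chars with upper, lower, digit and symbol, "
            f"or a {MIN_PASSPHRASE_WORDS}+ word passphrase of {MIN_PASSPHRASE_LEN}+ chars"
        )
    return failures


def find_reused(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by more than one account to the sorted account names."""
    by_password: dict[str, list[str]] = {}
    for account, pw in credentials.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}
```

Running `find_reused` over a password-manager export is a quick way to spot the cross-account reuse the paragraph warns about.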
Multi-factor authentication (MFA) adds another layer of defence. When MFA is enabled, users need to provide two different authentication factors to sign into an account. These factors include combinations of:
- Unique passwords, passphrases, or personal identification numbers.
- Hard tokens like USB keys or soft tokens like SMS messages or an authenticator app.
- A unique biometric characteristic, like a fingerprint.
With MFA enabled, even if an attacker has your password, they don’t have the keys to the kingdom. They’ll still need other credentials to get access to an account.
3. Back up your practice’s critical data
As we’ve mentioned above, data and IP are critical to law firm operations. Ransomware attacks — where attackers install malicious software that blocks access to computers or the data on them, offering to return access in exchange for payment — are a major concern for law firms everywhere. A single ransomware attack could render large amounts of information inaccessible.
For example, in 2020, cyber criminals successfully hacked Grubman Shires Meiselas & Sacks and stole 756 gigabytes of confidential data, ransoming it for $42 million before putting it up for auction on the black market. A successful attack could render this information inaccessible, which is why regular backups are key.
Taking the time to back up your data, whether by copying it to an external hard drive or another secure location disconnected from your network, or by using a cloud-based or automated backup service, ensures your information remains accessible in the event of a cyber attack.
Routinely backing up data to a secure location ensures you can rapidly recover files and resume operations with minimal downtime.
4. Patch and update your software regularly
Attackers are always looking for ways to circumvent your defences. Software and operating systems that haven’t been updated or patched leave known vulnerabilities exposed, which attackers can exploit to gain access to your systems and data.
Software updates are sets of changes applied to a piece of software or an operating system, most often to optimize performance or fix a bug in how that software works. A patch is a little different, though. Patches are specific updates that address security vulnerabilities identified by the developer.
Put simply, all patches are software updates, but not all software updates are patches.
Ensuring patches are applied as soon as they become available is a critical step in reducing security gaps, but patch management remains a challenge for many organizations. The UK’s Cyber Security Breaches Survey 2021 found that only 43% of businesses have policies or procedures in place to ensure patches are completed. What’s more, a 2019 report found that nearly 60% of data breaches involved unpatched vulnerabilities.
Applying software updates and patches as soon as possible can help mitigate the risks associated with out-of-date systems and technology.
5. Use a virtual private network
Accessing your firm’s data over a shared internet connection can introduce additional risk. Public hotspots, while convenient, typically have minimal security measures which means they’re also easy targets for attackers.
If you must use public Wi-Fi, a virtual private network (VPN) encrypts your connection and masks your internet protocol (IP) address when you are on untrusted infrastructure. This protects you from eavesdropping by anyone else using the same Wi-Fi network, as well as from tactics that target weak infrastructure, such as man-in-the-middle attacks or DNS poisoning.
When should you use a VPN?
- When you’re using public Wi-Fi
- When you’re travelling
- When you need to access your firm’s network remotely
- When you want continual privacy on the internet
It should be noted that a VPN isn’t a firewall, though. VPNs offer improved privacy and security but cannot stop users from clicking on malicious websites or links the way certain firewalls can.
There are several commercially available VPNs to choose from, but whichever one you select, ensure it is based in a trusted jurisdiction and has nearby servers to minimize latency.
6. Invest in security awareness training
Three of the biggest cyber threats to law firms — ransomware, phishing, and business email compromise (BEC) — often rely on social engineering techniques to fool users into opening malicious links or files, or sharing their credentials. Phishing in particular has been a major threat for the legal sector, representing the top attack type detected by the NCSC in 2018.
If these tactics succeed, attackers can steal IP and demand a ransom to get it back; falsify communications to stage a BEC attack, redirecting client payments to an account they control; or sell your confidential information on a dark web marketplace.
The tactics used in these attacks take advantage of busy, distracted teams, but they can be prevented with ongoing security awareness training. Learn to recognize the signs of social engineering threats like phishing and BEC and take the time to educate staff on what they should do if they’re targeted.
And while every law firm should understand how to recognize and react to social engineering scams, training should also cover other concerns such as data privacy regulations, best practices for sharing data digitally, and how staff should respond to a cyber security incident.
Delivering ongoing education about cyber security best practices for all staff — covering everything from how to spot phishing attempts and maintaining physical security of IT assets to how data privacy regulations impact your operations — can foster a strong culture of security within your organization. Defending against attackers is a shared responsibility and getting everyone involved can improve your overall security posture.
7. Take a proactive approach to cyber security
Threat surfaces everywhere are expanding as organizations add more users, software, and technology to their networks. Each new connection, device, or application puts your firm’s confidential data and IP at risk.
Understanding your threats and how to respond to them, the key principles of CSA, is a critical step in protecting your firm.
That’s why taking a proactive approach matters. Aim for a complete, end-to-end defence that enables you to identify suspicious activity early and take the right actions to stop the threat.
It’s easier than you think.
Field Effect’s Covalence solution is an easy-to-use platform to detect, monitor, and respond to threats — designed for businesses of all sizes and managed by a team of experts 24/7. Get started today.