Cyber resilience describes your firm’s ability to keep calm and carry on among the tumult of continuous attempted breaches of your IT network, the threat of theft of client data, and computers not doing what they’re supposed to be doing.
It’s equally a disaster prevention plan and a disaster recovery plan. Should the worst happen, business still needs to carry on, clients still need to be served, meetings still need to be attended, and appointments in court still be met. And no-one outside the firm would be any the wiser about the challenges you’re currently facing.
Sprout IT examines the five biggest cyber resilience issues facing law firms and chambers in the UK today.
- Loss of access to data and documents
We all remember the WannaCry ransomware attacks on the NHS in Summer 2017. Cybercriminals triggered a program inside hundreds of thousands of computers around the world which threatened to destroy the data they stored unless they received the equivalent of around $300 in Bitcoin.
Legal firms are not immune. A worldwide solicitors’ practice was attacked with another ransomware program in 2017. After the firm had carried out their investigation into the actual program used to conduct the attack, they came to the conclusion (rightly) that it didn’t matter if they paid the ransom or not because that particular strain of malware would have corrupted the data anyway.
How can you make your firm cyber resilient? Keep an encrypted, cloud-based backup of your IT network. With that in place, your IT team and your outside contractors can disinfect each terminal and the network of the malware, then restore your files securely and safely from the backup.
- Keeping software and software plug-ins up to date
Nearly a fifth of companies still have at least one computer running Windows XP. Windows XP was launched in 2002 and deprecated (that is, Microsoft stopped providing support and security updates) in 2014. There may be 100 or more different software programs and plug-ins installed across your network and its connected terminals and devices, of which you may only use 10 or 15 regularly.
Every time a program or plug-in stops being supported by its vendor, its known vulnerabilities are no longer patched. Cybercriminals know this and will look for ways into your systems through them.
How can you make your firm cyber resilient? Delete the programs you no longer need. Replace the programs which are no longer supported with software which is still supported. Keep an inventory of everything installed across your network and on your devices, and require your staff to seek permission from your IT team or outsourced IT provider before downloading and installing new programs and plug-ins.
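One way to start the inventory the paragraph above calls for, as an added example that is not Sprout IT's own tooling: a PowerShell script that lists the programs registered on one Windows machine, writes them to a CSV the IT team can keep, and warns when the operating system itself is no longer supported. The `$UnsupportedVersions` table is an assumption for illustration; the real list should come from the vendor's published support lifecycle.

```powershell
# Added example (not Sprout IT's code): build a software inventory for one
# Windows machine and flag an operating system that is out of support.
# Assumption: the $UnsupportedVersions table is illustrative only; maintain
# your own from the vendor's support lifecycle pages.

$UnsupportedVersions = @{
    '5.1' = 'Windows XP'      # support ended 2014 (named on the page)
    '6.0' = 'Windows Vista'
    '6.1' = 'Windows 7'
}

function Get-InstalledSoftware {
    # Installed programs register themselves under these two Uninstall keys
    # (64-bit and 32-bit views). Entries without a DisplayName are internal
    # components rather than user-visible programs, so they are skipped.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Test-OperatingSystemSupport {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Version is "major.minor.build"; the lookup uses the first two parts.
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Caption     = $os.Caption
        Version     = $os.Version
        Unsupported = $UnsupportedVersions.ContainsKey($majorMinor)
    }
}

# Write the inventory to a CSV and warn if the OS no longer gets updates.
$report = Join-Path $env:TEMP ("inventory-{0}.csv" -f $env:COMPUTERNAME)
Get-InstalledSoftware | Export-Csv -Path $report -NoTypeInformation
Write-Host "Inventory written to $report"

$osCheck = Test-OperatingSystemSupport
if ($osCheck.Unsupported) {
    Write-Warning ("{0} is running {1} ({2}), which no longer receives security updates." -f
        $osCheck.Computer, $osCheck.Caption, $osCheck.Version)
}
```

Run it from a scheduled task or your remote-management tool on every machine and collect the CSVs centrally; comparing each program's `DisplayVersion` against the vendor's current release is the next step, and anything not on the approved list is a candidate for removal.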
- Make sure that every device and terminal uses encryption
Across your network, an enormous amount of data will be uploaded and downloaded every day. Belgian researchers have recently discovered that WPA2, the protocol that secures most WiFi connections, can be broken into easily, even if a connection is protected with a password. A cybercriminal can hack into your network and download that traffic onto their own device – and it’s easier than you think.
More and more legal firm staff are working away from their desks, using laptops and mobile devices to connect to your company computers. If these devices are lost or stolen, the data stored on them is vulnerable. Most professional cybercriminals can now access a password-protected device within 10 minutes on 15% of occasions.
How can you make your firm cyber resilient? Encrypt everything – emails, data stored on your network, data transferred to and from the cloud, and more. Strongly encourage staff to use different usernames and passwords for different internet sites and email accounts. Upon the discovery of a breach, take the necessary steps under GDPR to inform the ICO and the client.
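A practical check for the "encrypt everything" advice above, as an added example that is not Sprout IT's own tooling: a PowerShell script that reports which drives on a Windows laptop are not fully protected by BitLocker, so an unencrypted device is found before it goes missing. It assumes the BitLocker module is available (Windows 8 / Server 2012 and later, on editions that include BitLocker) and that it runs from an elevated prompt.

```powershell
# Added example (not Sprout IT's code): find fixed drives on this machine that
# are not fully protected by BitLocker. Assumes the BitLocker PowerShell module
# is present and the script runs elevated.

function Get-UnprotectedVolume {
    # Get-BitLockerVolume returns one object per volume. A volume is only safe
    # if encryption has finished AND protection is switched on: a suspended
    # volume reports 100% encrypted but a ProtectionStatus of Off.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' } |
        Where-Object {
            $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
        } |
        Select-Object MountPoint, VolumeType, VolumeStatus,
                      ProtectionStatus, EncryptionPercentage
}

$unprotected = @(Get-UnprotectedVolume)
if ($unprotected.Count -eq 0) {
    Write-Host "$($env:COMPUTERNAME): all volumes are encrypted and protected."
} else {
    Write-Warning "$($env:COMPUTERNAME) has volumes that are not fully protected:"
    $unprotected | Format-Table -AutoSize
}
```

The second `Where-Object` is the important part: checking `EncryptionPercentage` alone would pass a laptop whose protection was suspended for a firmware update and never resumed.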
- Social engineering fraud
Research by cloud data intelligence firm OnDmarc revealed 45 cases of cyber theft by email in Q1 2017. In their estimation, only 1 out of the UK’s top 100 legal firms had “sufficient measures” in place to protect against email fraud.
Social engineering fraud relies on cybercriminals gaining the trust of one of your members of staff or one of your clients to persuade them to do something that you would not want them to do. For example, one of your accounts team may be pressurised to make a payment to an unknown bank account to settle an invoice to a known supplier although they have never dealt with that particular contact before.
If you’re involved in conveyancing or any other type of activity that requires the transfer of a client’s money to your bank account, you and your client are at risk if your email system is intercepted and your client is given the wrong bank details into which to transfer the money.
How can you make your firm cyber resilient? Put procedures in place which inform everyone involved with your firm – staff, suppliers, and clients – about how payments are to be made. Strongly encourage a stakeholder to get in touch with someone in your firm if they are asked to do something that your policy specifically proscribes.
- Internal threats, accidental and deliberate
UK businesses lost more than £40m in 2016 as a result of frauds carried out by their own staff, reports City AM. That’s probably the tip of the iceberg. Most employees who steal from the company they work for are never found out. Others don’t steal money – they steal data to sell on the black market or to competitors (the recruitment industry is particularly rife with this).
Is your data securely stored on your network, and do you control how it is displayed on users’ terminals? Do your terminals and connected devices accommodate removable media onto which your firm’s most vital and GDPR-sensitive data can be transferred? Did you know that removable media is one of the most common ways to spread viruses and malware from one device to another?
Are your staff compromising your ability to stay cybersafe by their use of the internet and email? If you don’t control what they download or run online either on their browser or email client, this is another major route in for cybercriminals.
How can you make your firm cyber resilient? Install software which monitors the transfer of data to and from removable media across the firm. You may even wish to consider banning it. Letting staff know how they can and cannot use internet and email with clear, understandable guidelines with penalties attached for a failure to adhere to the rules will remove much of the risk you’re facing as a firm.
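As an added example of the removable-media control described above (not Sprout IT's own software), this PowerShell script reports which removable drives are currently attached to a Windows machine and whether USB mass storage is blocked, and includes a function to enforce the ban. It relies on the `USBSTOR` service's `Start` registry value, where 3 means the USB storage driver loads on demand and 4 means it is disabled; changing it needs an elevated prompt.

```powershell
# Added example (not Sprout IT's code): audit, and optionally block, USB mass
# storage on a Windows machine. The USBSTOR service's Start value controls
# whether the USB storage driver loads: 3 = load on demand (default),
# 4 = disabled. Changing it requires an elevated prompt; a device already
# mounted stays mounted until it is removed.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableDriveReport {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card
    # readers). External hard drives usually report as type 3 and are not
    # listed here.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object DeviceID, VolumeName, Size, FreeSpace
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        UsbStorageBlocked = ($start -eq 4)
        RemovableDrives   = @($drives)
    }
}

function Set-UsbStorageBlocked {
    # $true disables the USB storage driver; $false restores the default.
    param([Parameter(Mandatory)][bool]$Blocked)
    $value = if ($Blocked) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
}

# Report only by default. Uncomment the last line to enforce the ban.
$report = Get-RemovableDriveReport
$report | Select-Object Computer, UsbStorageBlocked | Format-List
$report.RemovableDrives | Format-Table -AutoSize
# Set-UsbStorageBlocked -Blocked $true
```

On a domain this is normally pushed through Group Policy rather than run per machine, but the report half is useful either way: collecting it from every terminal tells you where removable media is actually in use before you decide on a ban.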
The legal sector IT specialists
We work with solicitors’ practices and barristers’ chambers to provide bespoke, high-quality IT support, cloud, and consultancy services for the legal industry. Contact us by clicking here or find out more about our Cyber Resilience solutions.