If we read out to you a list of solicitors’ practices and barristers’ chambers, we’re certain that, upon hearing one of their names, you would know almost instantly whether they had been victims of a successful cybersecurity attack in the past or not.
The fact that you remember that they’ve been attacked means that you know how the seriousness of it – and how important it is for any legal firm to protect the personal data of its clients and its employees and that you know the damage that such breaches cause.
The loss of reputation and trust in a legal firm affects its ability to retain its existing clients as well as in attracting new ones. Taking cybersecurity seriously is an investment in the future of your firm and in your employees. Changing culture within any organisation is difficult but leaders and principals within law firms now understand better than ever that they only need to be wrong once about cybersecurity to suffer the consequences.
Involve everyone at your firm
GDPR looms large over every business sector and it has done since its introduction in May 2018. It looms particularly large for legal firms because GDPR imposes on them (and every other company) a demand to keep their clients’ personal data safe. In the main, the sector is getting it right even though 8% of the data breaches reported to the ICO between July and September 2018 involved law firms (source: ICO).
GDPR and cybersecurity is everyone’s business within a solicitors’ practice or barristers’ chambers. It does not matter if someone is a leader within the firm or at the most junior rank – a substantial fine and loss of reputation caused by a data breach will affect a firm’s ability to keep its clients and, in the worst cases, even its very viability.
Only 14% of legal firms’ senior management teams have participated in crisis management training in the previous 12 months (source: PwC). Many management teams, partly through financial constraints and the current skill shortage of contractors with advanced cybersecurity skills, put too much responsibility on their IT teams without providing them with the budget or the personnel they need to do the job effectively.
All culture and operational changes are difficult to devise, enact, and enforce – check out my colleague Ian Bernhardt’s advice and thoughts on the subject in this article on our site.
A culture of password security
In January 2018, 1,159,687 email addresses from top 500 UK legal firms on the Dark Web - an average of 2,000 a firm (source: RepKnight). 80% of the email addresses discovered also contained information on those email addresses’ passwords.
The fact that the data leak also contained passwords in a readable format made the incident doubly-worrying. Far too many of us, whether we’re in the legal sector or not, use the same password to access multiple electronic networks ranging from social media sites to work log-ins to online banking.
The release of email addresses and passwords into the public domain presents a direct threat to the security of your IT systems and the sensitive data stored on it. A sophisticated-enough cyber attacker may spoof email addresses at your firm with the intent of committing CEO fraud, invoice fraud, or conveyancing fraud.
Encourage the use of password protection software by your staff or, better still, invest in multi factor authentication.
Deleting unused or unwanted software
The infamous WannaCry attack on the NHS was made possible because too many of the autonomous bodies that make up the NHS had not updated the software on their system or they had failed to delete software that was unused, unwanted, or had been deprecated by the vendor.
Cybersecurity is, in effect, an ongoing battle of sophistication between two rival camps – those people who want to steal your clients’ data and those companies who want to protect it. The battle is nearly always finely balanced and there is a lot of information sharing between companies whose purpose it is to protect their customers against online fraud and data breaches.
Software manufacturers constantly update their software to patch up previously unknown vulnerabilities however, after a while, these updates stop. When the updates stop, your network and all the computers and other devices attached to it become potential hosts for ransomware and other malicious programs because the level of systemwide protection is compromised by these deprecated programs.
Make sure you know exactly what you have installed, whether anyone is still using these programs, and whether they receive regular security patches from their vendors.
Encryption of all data, sensitive or not, should be hard-programmed into your network and other devices. Encryption, defined in its simplest form, scrambles up your data so that it can’t be read unless there is a key to reassemble it back to its original form. Without those keys, the chances of a hacker being able to reassemble your data is minimal even if they circumvent your company’s IT security.
You should ensure that data sent to and from an off-site server, such as a private cloud, is encrypted because the number of attacks and sophistication thereof on cloud services is rising as is the sophistication of those attacks.
More and more, legal professionals are out of the office visiting clients onsite. As part of this travel, many will use wifi connections in airports, libraries, and cafes. However, the majority of free Wi-Fi networks are unsecured. All of the data your staff transmit and receive across a wifi connection (via email, internet searches, etc.) has no built-in encryption or security protection.
Many cybersecurity breaches occur because of network spoofing – this is when criminals establish fake access points that look like genuine wi-fi networks in high traffic public places using names like “Free Airport Wi-Fi” or “Library_Guest” to encourage people to connect.
You should make sure to set rules on what information your staff can access remotely over wifi connections and whether or not they can access services requiring a username and a password on these devices. If they have the same username and password on your firm’s network as they do for their Amazon account, your network security is at severe risk of compromise.
Cybersecurity, the legal sector, and Sprout IT
Sprout IT provides high quality legal IT support, cloud & consultancy for the legal industry, 24/7 service, 365 days. We work with solicitors’ practices and barristers’ chambers on the planning, implementation, ongoing development, and company-wide participation in all matters pertaining to cybersecurity.
To speak with one of our team about cybersecurity and your legal firm, please call us today on 020 7036 8530 or you can email us.