The personal, private, and commercially sensitive information stored on legal firms’ internal and external networks is of enormous value to the criminal community. Hiscox has reported that in excess of 55% of UK law firms have had to defend themselves against at least one cyber-attack in the past 12 months (source: Legal Futures).
Remote working poses a particular threat and I'd like to share the eight most effective ways for legal professionals out of the office to defend themselves and the data on their devices.
Device software and protection
Each device used by members of staff (especially if you have a BYOD policy within your firm) should be equipped with the latest firewall technology, web filtering software, anti-virus applications, and device encryption. Encryption is particularly important because, if your device is compromised, then client data will still be safe.
You should also ensure that the programs and apps on all connected devices are the very latest versions and that any program or app no longer updated by the software vendor is removed and replaced.
Avoid public Wi-Fi networks
Wi-Fi is not safe – full stop. “‘All wifi networks’ are vulnerable to hacking, security expert discovers”, according to a report in the Guardian back in 2017. We’ve already written about this subject on the Sprout IT blog and we invite you to read the article in full – “Cyber-resilience – the 6 biggest threats right now for legal”.
Never connect by Bluetooth or to unsecured Wi-Fi. If possible, do your work over a 4G or a 5G connection, which is virtually impossible to hack into.
If you can’t get a 4G or a 5G signal, use a Virtual Private Network to connect to office networks or to cloud servers. VPNs encrypt both incoming and outgoing traffic and they offer an additional layer of security to the transmission of information between your device and your office (or cloud network).
You may wish to connect to your VPN first before you connect to Wi-Fi – any gap between connecting to Wi-Fi and to VPN may be exploitable by a cyber-hacker.
We have written extensively on our blog previously about password security and how hackers can reliably use statistical chance to hack into a user’s device. You should ideally use a password manager – we would recommend LastPass, Sticky Password, Dashlane, or KeePass.
Alternatively, you could use Multi-Factor Authentication (MFA). The easiest way to describe MFA is by example: when you try to log into your Google account on a new device, Google asks for your password and then asks you to verify that it’s you by sending a message that needs confirmation to your mobile phone.
Sprout IT offers MFA as part of our range of services to solicitors’ practices and barristers’ chambers. MFA (including our version of it) is quick, intuitive, and easy to use.
Use secure cloud-based services
Even if you’re using encryption software on your device backed up by the encryption offered by your VPN, you should still use cloud-based services which have in-built encryption to download, upload, and manipulate data when you’re on the move.
Erase unneeded data
Once the work you’re undertaking for a client has been completed, you should erase all unnecessary private and privileged data on that client and their case. If this is something you’re not sure how to do, you should enlist the help of your IT support staff.
And even though the level of encryption provided these days is almost unbeatable, the important word in this sentence is “almost”. No human system is ever infallible so you need to make sure that any client data is also removed from any external media storage. In an ideal world, you would not use external media storage at all to completely eliminate the risk.
Never leave devices unattended
Apologies, we know that this is obvious but leaving devices unattended exposes them to the risk of either theft or your forgetting to take them when you leave wherever you are. Still, “at least 1,000 government laptops and flash drives [were] reported missing” between May 2015 and December 2016 so, every now and again, a gentle nudge to keep your devices with you at all times when out of the office never does any professional any harm in the long run.
Train and share best practice
Your practice or chambers is only as strong as your weakest link – and your weakest link will always be a human being. That weakness will be caused by ignorance of recommended procedures, a lack of understanding of the importance of cybersecurity, being under pressure, or a combination of some or all of them.
Cybersecurity within a legal firm stops at the top. It needs to become engrained in your overall working culture and its importance has to be understood by staff members. Cybersecurity is a principle and a set of practices which you introduce to your firm and to your employees. And, once it has been introduced, both staff and equipment need to be monitored for weakness and the appropriate remedy issued on discovery.
Be cyberaware with Sprout IT
Sprout IT provides high quality legal IT support, cloud & consultancy for the legal industry, 24/7 service, 365 days. We have been promoting data security and utilising the best cyber resilience technology and techniques since we began.
We believe in building and testing the most suitable technology products and solutions for each of our clients. We’re able to assist you in training your staff and in the germination and cultivation of cybersecurity as a culture within your practice.
To speak with one of our team about protection for your solicitors’ practice or barristers’ chambers against the growing threat of targeted cyberattacks, please call Sprout IT today on 020 7036 8530 or email us.