9 in 10 of Britain’s biggest legal firms are at a heightened risk of being a victim of a cyberattack resulting in the loss of confidential customer data, according to a recent report in the Telegraph.
Firms are particularly at risk of having their email addresses or website spoofed. The Solicitors’ Regulation Authority also reported that cybercrime cost clients £731,250 of their money in the first six months of last year.
Cybersecurity has become a major priority for many legal firms in recent years. Legal firms and their IT managers are now engaged in an escalating arms race with cybercriminals.
There is no 100% perfect defence against cybercrime because, according to the latest statistics, nearly 9 out of 10 successful cyberattacks relied upon human failings rather than technical failings. Legal cybersecurity experts, including those working here at Sprout IT, strongly impress on partners and senior management the need to strengthen both their human and technical firewalls to best protect their firms.
But what opportunities exist for legal firms to quickly and easily amend their working practices to, first, lessen the chances of a successful attack taking place and, second, deprive cybercriminals of access to the data they’re seeking in the first place?
1. Be sure of the data you need to keep, ditch the data you don’t
GDPR sets out six principles for the processing of personal data. In particular, personal data collection and retention should be limited, relevant, and adequate to the purposes for which it needs processing. Also, personal data should only be kept for the time period required for the purposes for which it is needed.
If you have not repeated this exercise since the introduction of GDPR, do so now and on a regular basis: it can substantially reduce the amount of data you hold on individuals for which your firm has no particular use itself but which may still be of value to cyberattackers.
You would also benefit from taking the same approach to your commercial clients whose data is not likely to be covered by GDPR. Some hackers are employed specifically to hack competitors’ computer systems and the computer systems of their suppliers (including the law firms they work with).
2. Use a password management system
The number of people and companies using easy-to-guess passwords, which are therefore vulnerable to cyberattackers, is still surprisingly high. So much so that there are now moves to ban easy-to-guess passwords on smartphones, with the Government also proposing the same for all items which can connect to a central hub.
We have recommended for years that clients install a password management system onto their networks and connected devices. A password management system generates the complex passwords required for users to access terminals, access databases, or connect to computer networks.
When in use, the password manager logs in automatically for each user - many systems can also be used to securely store password recovery questions. Password managers work across multiple devices and they can also be programmed to retrieve company payment details as and when required (according to a user’s permissions).
3. Audit and update software on your system
Over the years, the number of apps and programs downloaded to and deployed on an individual legal firm’s IT network grows. Concurrently, the number of apps and programs which are no longer updated or supported by their vendors left on legal firms’ IT systems also grows.
When apps and programs are first released, every possible care is taken by vendors to protect their customers against vulnerabilities which could compromise the security of their networks. Sometimes, these vulnerabilities are missed and, sometimes, a workaround that was not envisaged by the programmers is found by bad actors.
To protect users, patches and updates to apps and programs are released by software vendors to continue to provide users with the highest level of protection possible. When updates are released, many hackers will then study and understand these vulnerabilities with a view to finding computer systems which have not downloaded the patch or upgrade yet.
In the USA, the Equifax hack, which resulted in up to 143 million Americans having their personal information compromised, was caused by a known vulnerability. The vendor had released a patch to fix the vulnerability two months before the attack. In this case, the unpatched vulnerability was the hackers’ only way into Equifax’s system.
You should perform an audit of every app or program used by your network and any other device connecting to the network (even including Wi-Fi routers and card payment terminals) to give your practice the best chance of avoiding this type of attack. Download updates where available and delete programs which are no longer supported.
4. Use encryption…everywhere
Encryption scrambles information so that it can only be unscrambled by someone holding the correct key. You choose who you give the keys to, and you can also decommission any issued keys.
Encryption not only keeps the data you want to send to colleagues, clients, and contractors safe. It can also be applied by cloud and data backup services in real time, so that you and your colleagues can change and manipulate the data when and where you need to.
Because the data is encrypted, anyone monitoring or downloading traffic to and from your system will be unable to understand what it contains.
Longer-term data protection fixes for your legal firm
To speak with one of our team about continually improving the data protection regulation within your solicitors’ practice or barristers’ chambers, please call Sprout IT today on 020 7036 8530 or email us.