·  Legal News, Analysis, & Commentary

News & Politics

Five Ways to Mitigate Cybersecurity Threats in Law Firms

— August 21, 2018

Let’s be honest, law firms are an obvious target for cyber-attacks. They aren’t renowned for having spectacular cybersecurity capabilities. They have lots of busy employees who can be duped into opening malicious links or attachments.

Let’s be honest, law firms are an obvious target for cyber-attacks. They aren’t renowned for having spectacular cybersecurity capabilities. They have lots of busy employees who can be duped into opening malicious links or attachments.

Most importantly, law firms work with highly sensitive and valuable data. Not only is this data a tempting target for cybercriminals to steal, it also makes law firms highly susceptible to ransomware, as they have almost no choice but to pay up if they are unfortunate enough to be infected.

If you work for a law firm and need help to stay ahead of cybercriminals, here are five steps you can take to mitigate common cyber threats.

Take a Risk-Based Approach

If you attend a security convention, it’s easy to come away believing your firm needs the latest world-class security technologies right now. But in reality, trying to run before you can walk is a surefire way to leave your organization vulnerable.

Before you do anything, it’s essential that you develop an understanding of your law firm’s specific threat profile.

What does that mean? Simply put, you need to know how and where you’re most likely to be attacked.

And that’s not nearly as hard as it might sound. Unless you’re dealing with seriously high-profile cases, you’re unlikely to be targeted by hacktivists or state-sponsored hackers. Instead, it’s far more likely that you’ll be targeted with common, profit-oriented attacks like ransomware, BEC scams, phishing, and so on.

So, before you start allocating resources, take some time to research the most common threats in your industry and geographical area. Once you have a good grasp of where you need to beef up security, then you can start allocating resources.

Exercise Good Cyber Hygiene

No matter where you are in the world, who your clients are, or how large your firm is, there are some security measures that simply cannot be skipped. Here are some of the top contenders:

Vulnerability management — Did you know a huge proportion of breaches could be averted if only the organizations targeted had applied the latest security patches? In fact, most of the time when an organization is breached, the relevant patch had already been available for months. All it takes is a good vulnerability scanner and a solid, consistent patching process, so get this checked off right away.

Security policies — Many organizations take the easy way out on security policy, but I urge you not to. Writing strong policy documents will force you to identify the most common and important security incidents, and consider how to avert and/or respond to them.

User access levels — Most organizations have almost no control over user access levels, and as a result, when breaches occur they are far worse than they might otherwise have been. As a rule, a user should only have access to documents and functionality that they absolutely need in order to perform their job role. Yes, that means more work for your IT department, because they’ll need to grant additional access from time to time. But trust me, it’s worth it.

Address Common Breach Scenarios

Once you’ve ticked off the basics, it’s time to consider technical solutions to some of the most common breach scenarios.

For instance, did you know that lost and stolen devices are still a leading cause of data breach? It might not grab many headlines anymore, but users at law firms often need to take laptops and mobile devices off-site, and naturally, sometimes they go missing.

Computer keyboard with combination lock; image by TheDigitalWay, via Pixabay, CC0.
Computer keyboard with combination lock; image by TheDigitalWay, via Pixabay, CC0.

But this has an easy solution: Encrypt all laptops and mobile devices.

Will they still go missing? Sure. Will there be serious consequences when they do? Probably not.

Other simple fixes include:

  • Blocking access to certain types of web pages
  • Adding advertisement blockers to your browsing software
  • Installing spam and content filters
  • Preventing users from installing software without input from your IT department

Take User Training Seriously

OK, here’s the elephant in the room. Almost half of all data breaches contain a phishing or social engineering component. That means no matter how hard you try, cybercriminals will target your users and try to trick them into compromising your firm’s security.

Even worse, there is nothing you can do to completely protect your users from these threats. Some social engineering attacks will reach your users, whether they come in the form of phishing emails or through SMS messages, phone calls, voicemail, or social media.

So, what can you do? Just one thing: Train your users to identify and report social engineering attacks.

And believe it or not, this can be done. If your training is frequent, engaging, and gives users an opportunity to practice the skills they are developing, an average user really can learn to spot and report a high proportion of incoming social engineering attacks.

It takes time, of course, for users to develop these skills, so don’t expect any miracles overnight. But if you’re consistent, and you take user training seriously, this is one of the most important steps you can take in the fight to reduce cyber risk.

Invest in Additional Security Resources Consciously

Let’s say you’ve done everything else on this list, and you still have some resources left unallocated.

Firstly, well done. If you’ve taken the advice above to heart, you’re already well ahead of 99 percent of your competitors.

But if you really want to take things to the next level, what comes next?

Is it threat intelligence? Or a next-generation firewall? Or an outsourced security operations service? Or… any one of a thousand other things?

Well here’s the thing. I can’t answer that for you. The only sensible way to allocate your security resources once the basics have been covered is to conduct a thorough risk assessment, and make conscious, informed investment decisions based on the results.

Quite honestly, it doesn’t matter what the latest industry buzzwords or breakthrough technologies are. What matters is your firm, and how it’s most likely to be targeted.

So, don’t be swayed by clever marketing or scare tactics. Do the work, find out what’s available that meets your specific needs, and invest your resources wisely.

Join the conversation!