- 16th May 2022
- Posted by: Mark Dodds
- Category: Legal, Professional Services, ransomware, Security, Strategy
Mitigation against cyber crime, i.e. effective cyber security practices, is something that you need to be constantly vigilant about. This is especially true of certain sectors given the type and volume of personal data they manage: the legal sector is one of these. A recent review conducted by the Solicitors Regulation Authority (SRA) explored how the profession is currently faring.
A summary of what the SRA found
The review was conducted with 40 legal firms looking at five key areas:
- Cyber-attacks – type, volume and impact of attacks.
- People – support and training provided to staff.
- Technology – controls firms have in place.
- Support – support used by the firms.
- Reporting – whether reporting requirements were met.
One of the most striking findings was the overall financial loss suffered by the firms’ clients as a result of the 23 successful cyber attacks, which was in excess of £4m. While £3.6m was successfully claimed against insurance policies, there was still £400k that firms had to repay directly. The review then explored whether the firms introduced new and/or changed mitigation approaches after a cyber attack and, crucially, how much those measures cost. In 62% of these cases, the cost of mitigation was less than the initial loss incurred by the firm.
What you can do to improve your cyber security in your legal firm
Fortunately there are several things that you can do to improve your cyber security. We recommend starting with these measures:
Implement multi factor authentication (MFA)
According to IBM, theft of login credentials has become the leading cause of data breaches across the world. As the use of cloud-based software increases, stolen login details can enable multiple types of attacks on company networks, so not using MFA leaves your legal firm at a higher risk of a successful cyber-attack. Implementing MFA can reduce fraudulent login attempts by a staggering 99.9%.
Monitor the use of shadow IT
By shadow IT, we mean the use of cloud applications for business data by employees in your legal practice that haven’t been approved or that you’re not aware of. This puts firms at risk for many reasons, including:
- Data may be used in a non-secure application
- Data isn’t included in company backup strategies
- If the employee leaves, the data could be lost
- The app being used might not meet company compliance requirements
Employees often begin doing this because they’re trying to fill a gap in their workflow and are unaware of the risks involved. It’s important to have cloud use policies in place that spell out for employees the applications that can and cannot be used for work.
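One practical way to turn a cloud use policy into a check is to compare outbound web proxy or firewall logs against the list of approved applications. The script below is an added example, not code from the original post: it assumes a hypothetical log format (timestamp, user, destination host, bytes sent), a small hypothetical catalogue of cloud-app hostnames, and a constructed sample log, and reports how much data each user has sent to unapproved cloud apps.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (hypothetical format: time user host bytes_out).
SAMPLE_LOG = """\
2022-05-16T09:01:12 alice sharepoint.example-firm.com 2048
2022-05-16T09:03:40 alice api.dropbox.com 5242880
2022-05-16T09:05:02 bob wetransfer.com 10485760
2022-05-16T09:06:15 carol outlook.office365.com 1024
2022-05-16T09:07:30 bob api.dropbox.com 3145728
2022-05-16T09:08:01 dave www.bbc.co.uk 51200
"""

# Hypothetical cloud use policy: which apps are approved for firm data.
APPROVED_APPS = {"Microsoft 365", "Firm SharePoint"}

# Hostname patterns that identify cloud storage / file-sharing services.
# Hypothetical, minimal mapping; a real deployment would use a maintained catalogue.
CLOUD_APP_PATTERNS = {
    "Microsoft 365": re.compile(r"(^|\.)office365\.com$"),
    "Firm SharePoint": re.compile(r"^sharepoint\.example-firm\.com$"),
    "Dropbox": re.compile(r"(^|\.)dropbox\.com$"),
    "WeTransfer": re.compile(r"(^|\.)wetransfer\.com$"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def classify_host(host):
    """Return the cloud app name for a host, or None if it is not a known cloud app."""
    for app, pattern in CLOUD_APP_PATTERNS.items():
        if pattern.search(host):
            return app
    return None


def find_shadow_it(log_text, approved=APPROVED_APPS):
    """Total bytes sent per (user, app) for cloud apps that are not on the approved list."""
    findings = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        _, user, host, bytes_out = m.groups()
        app = classify_host(host)
        if app is None or app in approved:
            continue  # ordinary browsing or an approved app: nothing to report
        findings[(user, app)] += int(bytes_out)
    return dict(findings)


if __name__ == "__main__":
    for (user, app), total in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{user}: {total / 1048576:.1f} MiB sent to unapproved app {app}")
```

The unmatched hosts (ordinary websites) and approved apps are ignored, so the output is only the list a manager needs to follow up on with the employees concerned.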
Use more than just antivirus software
Irrespective of the size of your firm, relying solely on antivirus software is not enough to keep you protected: many threats don’t use a malicious file at all. Phishing emails may carry commands that run through legitimate system tools and so aren’t flagged as a virus or malware. Phishing also overwhelmingly uses links these days rather than file attachments to send users to malicious sites, and those links won’t get caught by simple antivirus solutions.
You need to have a multi-layered strategy in place that includes things like:
- Next-gen antivirus – uses a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented.
- Next-gen firewall – a network security device that provides capabilities beyond a traditional, stateful firewall. It includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
- Email filtering – monitors both inbound and outbound email traffic. Inbound filtering sorts emails into different categories including spam, malware, adult, bulk, virus, impostor, suspicious links, and others. Outbound filtering applies the same scanning to messages sent by your users before they are delivered, so that potentially harmful messages are not passed on to other organisations.
- Domain Name System (DNS) filtering – blocks malicious or forbidden websites and applications at the DNS level so that they cannot be loaded on user devices.
- Automated application and cloud security policies – a system of policies, processes, and controls that enable enterprises to protect applications and data in collaborative cloud environments.
- Cloud access monitoring – a method of reviewing, observing, and managing the operational workflow in a cloud-based IT infrastructure.
Use device management
With the rise in remote working, device management, e.g. of the smartphones or computers used for business, has become all the more important. If you’re not managing security or data access for all the endpoints (company and employee-owned) in your business, you’re at a higher risk of a data breach.
If you don’t have one already, it’s time to put a device management application in place, like Intune in Microsoft 365.
Provide adequate training for employees
95% of cybersecurity breaches are caused by human error. Employee IT security awareness training should be done throughout the year rather than just annually or during an onboarding process. The more you keep cyber security at the forefront of your staff’s minds, the better equipped they’ll be to identify phishing attacks and follow safe data handling procedures. We’d recommend using a mix of the following to embed a culture of cyber security:
- Short training videos.
- IT security posters.
- Team training sessions.
- Cybersecurity tips in company news.
Complete Cyber Essentials
Cyber Essentials is an effective, Government-backed scheme that will help you to protect your law firm against a whole range of the most common cyber-attacks. These come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked.
Reading through this might have made you feel more nervous about your understanding of cyber security, or about whether the measures you have in place are sufficiently robust.
Don’t be – we can help you so feel free to get in touch.