Legal firms often deal with clients' private and personal information - information that clients expect firms to be guarding with their biggest and scariest security systems. But this is worryingly inaccurate: more often than not, legal firms are risking everything through a lack of security budget, processes and training.
Your client’s data is valuable, not just to them, but to you as well. The privacy and integrity of their data is what assures you continue being trusted by your clients. Once the data is lost or stolen, your customers will lose trust in your services and may go elsewhere. Cybersecurity needs to be treated with as much value as the services you offer and as part of the package for your clients.
Know Your Enemy – Common Threats Facing the Legal Sector
Cyber-attacks are varied and involve a number of possibilities, including:
- Ransomware – attackers lock or encrypt your systems and files and demand a ransom before restoring access.
- DDoS attack – your systems are brought to a halt by overloading them with traffic.
- Data theft – attackers access your customer data and sell it online.
- Man-in-the-middle attack – an attacker intercepts and alters communications between two parties without being detected.
- Phishing – an attacker poses as someone trustworthy in order to obtain sensitive information such as usernames or bank details.
- Password attack – your password is guessed, cracked or stolen, and an attacker uses it to gain access to your accounts.
- Viruses, worms and bots – malicious code that gets embedded into your systems and is used to corrupt them, steal data, or spread further malware.
What’s really worrying about this is not just the variety of cyber-attacks that can take place, but the fact that most cyber-attacks can happen without you even knowing about it. So it’s not just a question of prevention, but also of the ability to detect an attack when it does happen. Let’s go through the top tactics your legal firm should be implementing in its cybersecurity strategy today.
Implement Employee Training Programs
I wanted to start with one of the most important steps for cybersecurity in ANY company – employee training. It may seem counter-intuitive to approach cybersecurity outside of the IT department, but your weakest link is, in fact, your own staff. The International Legal Technology Association (ILTA) conducted a study which found that 60.9% of professionals employed by law firms believe that human error is the most significant risk to their law firm’s cybersecurity.
We recommend you train your employees on the following risks:
- Falling for phishing emails
- Handling customer data
- Sending sensitive information via email
- Password management
This includes having an employee policy around cybersecurity practices and making sure that as soon as someone is on-boarded they are given this training.
Enable Two-Factor Authentication
Passwords are notoriously unreliable – they can be cracked with brute force and are subject to employee laziness (reusing passwords, using easy to guess passwords, writing them down, losing them and more). Imagine a hacker steals or cracks an employee’s password and then hacks into the back-end of your systems. They now have control of and access to everything that employee does. In order to stop this from happening, you need to implement stronger authentication methods, such as adding a second factor.
There are a number of ways you can do this, but the umbrella term is ‘Two-Factor Authentication’. This adds another step after entering your password. This other step could be:
- Adding your fingerprint.
- Inserting a smart card or token containing an identity credential into your computer.
- Having a code or push notification sent to your phone, commonly referred to as a one-time password (OTP).
- Verifying your identity using a Digital Certificate, also known as ‘Client Authentication’.
The type of authentication that will suit your business is really something that should be approached on a case-by-case basis.
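As an added illustration of the OTP option above (this is example code, not part of the original post), here is how a server generates and verifies the time-based one-time codes produced by an authenticator app, following RFC 4226/6238. The demo secret is the public RFC test-vector key, and the drift window, replay check and constant-time comparison are the parts a defender most often gets wrong.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key, never a production value.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // STEP_SECONDS))


def verify_totp(secret, submitted, at_time=None, window=1, last_used=-1):
    """Server-side verification.

    Accepts codes from +/- `window` steps to tolerate phone clock drift, compares in
    constant time, and refuses any step at or below `last_used` so a captured code
    cannot be replayed. Returns the matched counter (store it as the new last_used)
    or None when the code is rejected.
    """
    now = time.time() if at_time is None else at_time
    counter = int(now // STEP_SECONDS)
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue  # this step (or an earlier one) was already consumed: replay
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None
```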
Make Sure Your Software Is up to Date
Every IT system in your business, whether you are using different internet browsers, desktop apps or operating systems, will have potential vulnerabilities. New vulnerabilities are being found every day and the only way to avoid being caught out by them is to keep your software up to date.
It helps for your IT department to control all computers from one centralized system (possibly in the cloud), so updates can be pushed out to all computers at once instead of IT teams going to each computer individually.
Sadly, with these kinds of updates, it’s the software vendors themselves who have to release the updates and patch their vulnerabilities, so the best strategy for protecting yourself is to have your IT department keep an eye on newly published vulnerabilities in the news and apply patches promptly.
Know Your Server Security Options
When you imagine all of your virtual company data sitting somewhere up in a castle, locked away and secured by a dragon, what you’re imagining is the server. Your servers manage multiple applications and programs that your law firm is using every day. Without them, you would not be able to function online.
That being said, this lifeblood of a machine, of which you probably harbor more than one in your IT department, has its own very technical need for security. Different kinds of servers will have different sets of configurations and rules that they need to follow in order to be secure. To give you the basics:
- Encryption – your server should have a Digital Certificate too. You want the server to be able to identify itself as a trusted machine, so that when you or your programs connect to it, the data is encrypted in transit and decrypted at the server.
- VPNs and private networks – creating private networks is a way to secure connections between remote computers or servers. Initial set-up of a VPN is a bit of work, but it’s worth it for the increased security.
- Service auditing – any server management should involve regular audits. The process involves establishing which services are running in your infrastructure. It allows you to configure your firewall with greater accuracy because you know which services are running, which ports they use for communication and which protocols they accept. The more services running on start-up, the more ground an attacker has to gain access to your systems.
- Intrusion detection/firewalls – using file auditing and intrusion detection (software that monitors what goes in and out of your local network), you can spot sudden changes to your system that look suspicious and update the firewall, which controls which services are exposed to the network.
- Isolated execution environment – in order to keep your servers secure, it helps to isolate execution environments. This separation forces communication along clear paths that you can monitor between the individual components, and limits what an intruder can reach if one component is compromised.
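The service-auditing point above can be turned into a repeatable check. As an added example (not code from the original post), the script below parses a constructed sample of `ss -tlnp` output from a hypothetical law-firm server, compares every listening socket against an allowlist of the services the server is supposed to expose, and reports anything unexpected or bound more widely than intended; the allowlist and sample are invented for the demonstration.

```python
import re

# Constructed sample of `ss -tlnp` output (listening TCP sockets) from a hypothetical server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      128    *:5432              *:*               users:(("postgres",pid=977,fd=5))
LISTEN 0      50     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1302,fd=21))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1410,fd=6))
"""

# Hypothetical allowlist: (port, process) -> how widely that service may listen.
# "any" = may face the network, "local" = loopback only (reach it over SSH/VPN instead).
ALLOWLIST = {
    (22, "sshd"): "any",
    (443, "nginx"): "any",
    (5432, "postgres"): "local",
    (6379, "redis-server"): "local",
}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(text):
    """Return (bind_address, port, process) for every LISTEN line of `ss -tlnp` output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return found


def is_local(addr):
    """True for loopback binds; '*', '0.0.0.0' and '[::]' mean every interface."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(listeners, allowlist):
    """Compare listening sockets to the allowlist; each finding is one firewall/config action."""
    findings = []
    for addr, port, proc in listeners:
        scope = allowlist.get((port, proc))
        if scope is None:
            findings.append(f"UNEXPECTED: {proc} on {addr}:{port} is not allowlisted; stop it or block the port")
        elif scope == "local" and not is_local(addr):
            findings.append(f"EXPOSED: {proc} on port {port} should bind to loopback only, found {addr}")
    return findings
```

On a real host, feed `audit` the output of `ss -tlnp` and run it from cron so a newly started service shows up in the next report rather than in an incident.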
Use SSL/TLS on Your Public Website
If you collect data submissions on your website (e.g. a portal for clients to log into, a company contact form, any kind of payment collection), you need to encrypt that communication with an SSL/TLS certificate. Using SSL/TLS will keep that information safe from eavesdroppers and protect it as it's transmitted from your client's browser to your server.
SSL/TLS offers benefits besides encryption though, so even if you aren't collecting data on your site, you should still consider implementing it:
- Assure site visitors that the server/site they're connected to is actually your site and not an imposter's site - this is most commonly associated with phishing attempts (e.g. imposter banking sites asking for account details), but applies to all content providers and sites in general (e.g. news sites, Wikipedia). Without an SSL/TLS certificate identifying your site, there's no way for a visitor to know whether the site is actually yours or an imposter's.
- Ensure the data that is requested or submitted is what is actually delivered - unencrypted traffic can be intercepted and normal requests (e.g. software downloads, video views) replaced with malicious files.
Consider S/MIME for Email Security
Encryption isn't just important for servers; you can also encrypt your email communications. If you would like to understand the difference, visit this previous blog on the difference between encrypting emails and encrypting mail servers. Encrypting emails using S/MIME ensures only the intended recipients can access the contents. This means even if hackers intercepted the email in transit, or gained access to your mail server, they still wouldn't be able to read it.
S/MIME also allows you to digitally sign emails, which can help counteract the growing risk of phishing attacks and Business Email Compromise by verifying message origin and making it easier to spot spoofed emails.
Incident Response Plan
Last but not least is the all-important incident response plan. The fact of the matter is, no matter what you do to prevent the possibility of a cyber-attack in your business, there is still a chance a hacker might find a crack and slip through.
An incident response plan is a guide for the employees of your organization (mainly your IT department) on how to respond to an attack. It saves a lot of time, money and resources because everyone knows what they need to do to minimize the impact of the attack.
Our Chief Technology Officer, Simon Wood, previously wrote an entire blog post which shared the steps you need to take in incident response. Make sure you have all of these detailed in a document, and that someone is designated to manage the response.
Cybersecurity Isn’t Easy
If you’ve made it to the end of this post without your head exploding, you know that cybersecurity for any company is not an easy task, but it remains a top priority for companies that hold sensitive customer or client information.
One way to make all of this easier for your IT department is to consider PKI-based solutions, which cover many of the topics discussed above – emails, internal servers, public websites, mobile devices and more. Management tools and automation technologies simplify deployments and ease administration burdens, so solutions can be rolled out efficiently and IT can move on to other projects.
To find out more about Managed PKI, visit our website today or contact us to arrange a demo.