Just like any other organization, law firms are not immune to cyber attacks. Law firms are a prime target for hackers because they deal with sensitive and valuable information. Just recently, the firm of Grubman Shire Meiselas & Sacks, law firm to celebrities such as Elton John and Madonna, suffered a breach. As of May 12, its website has been shut down and the hackers are demanding a ransom. Below are the top 5 cyber security threats your law firm could be facing and how to remedy those threats.
1. Lack of In-House Security Expert or External Security Partner
Aside from the large law firms, many don’t have a Chief Information Security Officer (CISO). While you may not want to hire an entire cyber security team, having a CISO can help to build out a cyber security plan. Once a CISO is in place, they can focus on putting together a team, most likely with a Managed Security Services Provider (MSSP), which will ensure compliance with data privacy laws, and help prevent data theft.
2. Lack of Security Policy and Procedures
This is key for any organization, but particularly for law firms. Lawyers have access to privileged and confidential information, so there need to be policies in place as to who can access that data and how it is stored. Policies around access, devices, records management and retention, passwords and working from home are all important parts of securing your firm. In addition, procedures for how staff can report suspicious activity or emails are important, as is having a plan in case a breach does occur. Questions that need to be asked include: Who does the breach get reported to? Can we restore our data from backups? Was anything stolen?
3. Improper Encryption and Storage of Data
As with the second point, how records are stored and archived is very important for law firms. If your firm lost or couldn’t access this data, what would happen? Ask yourself these questions. Are there data backups? Where are they kept, and can you restore from them should the data ever be corrupted? Is the data encrypted, so that even if it were stolen, it would be useless to someone from outside? Considering COVID-19, is the connection lawyers and staff are using from home also encrypted?
4. Lack of Cyber Awareness Training
Cyber awareness training is important for everyone in a firm, from lawyers to support workers. Social engineering ploys based on COVID-19 are also on the rise. Social engineering is used by attackers to gain information, money, or access to protected systems by tricking legitimate users. Phishing email scams use social engineering in this way. In Italy, a targeted email phishing campaign hit over 10% of all organizations with the aim of exploiting concerns over the growing cluster of infections in the country. Users who clicked on the attachment in this particular scam unwittingly downloaded malware onto their computers. In some cases, phishing emails will try to impersonate a partner asking someone to pay a false invoice or wire money to a foreign bank account. Ensuring everyone in your firm is trained to spot these types of scams can help prevent malware and ransomware, as well as save your organization downtime and money.
5. Regular Patching Not Done
For many lawyers, it may be annoying to update software frequently. The reason cyber security experts want you to update systems regularly is that many of these updates address security threats and vulnerabilities. Back to my first point, having someone with cyber security expertise overseeing the process of regular patching and updating of systems can help prevent a breach. For some systems, it is easy to turn on regular updates. For some legacy systems, there may be issues with compatibility. The big Equifax breach from a few years ago was due to an unpatched system. In their case, the system that needed patching required more effort since they needed to check compatibility. The problem in the Equifax case was that they never got around to it. Law firms cannot afford to have the same type of fallout from a breach that Equifax had, so ensuring that you have the ability to test and apply patches is key.
If this list seems daunting, don’t worry: Uzado is here to help. As a trusted MSSP, Uzado can help your firm address all of its security needs, including implementing security policies and procedures, breach readiness plans, cyber awareness training and vulnerability remediation. Contact us today.