Attacks on your courtroom arguments? Those you can survive. Attacks on your witnesses’ credibility, ditto. Not so a cyberattack. A successful cyberattack can expose the contents of your computer systems — things like confidential client data, work product, financial records, account passwords, and everything else you have a consequential professional and legal obligation to safeguard. So what are the biggest law firm cyber risks?
Biggest Sources of Law Firm Cyber Risk
The criminals responsible for cyberattacks are numerous and their ranks are growing. Also expanding is the array of devious methods by which those bad actors can carry out their nefarious acts.
These methods consistently earn the top five spots on the list of cybercrook favorites:
1. Hacking
There are evil computer wizards who spend their days electronically probing your online systems for exploitable weaknesses. When they discover one or more such vulnerabilities — bam! — they go right to work boring into them until they manage to open a virtual hole in your system. Then they take data unauthorized persons are never supposed to get their mitts on.
2. Phishing expeditions
Cyber-baddies who can’t hack hacking usually resort to trickery to gain illicit access to your systems. Phishing is just that, a trick. It involves sending you an email request that looks convincingly like it came from a legitimate source. A typical request is for privileged account details (passwords in particular).
3. Computer kidnapping
You’re minding your own business and go to open a program or file on your computer, only to discover that the system has been locked. A note then pops up on the screen to inform you that your system will remain locked until you pay a ransom. What’s happened is that somehow cyber-extortionists have infected your computer with a particular species of virus known as ransomware. If you pay the ransom, there’s no guarantee that your computer will be set free — or that the data within will be intact and usable in the event you do regain system control.
4. Malicious websites
Strewn about the internet are websites capable of infecting your computers with poisoned scripts that can hopelessly compromise the security of your data. Some of these sites are legitimate but have been corrupted, while others are malicious from the get-go but designed to appear safe for visiting. You can have the misfortune of encountering either of these types in the routine course of conducting legal research or just while innocently searching for goods and services.
5. Inside jobs
Your risk of confidential data being stolen or lost increases for a time whenever you fire an employee who had access to those data. Some who feel their dismissal was unjust may be tempted to seek revenge by putting sensitive information on an email blast to all the wrong people. Alternatively, they may try to profit from their heinousness by selling the data (and, trust me, there’ll be no short supply of ready buyers from the underworld).
7 Things You Can Do to Lower Law Firm Cyber Risk
The methods above are merely the top favorite ways cyber crooks could sink their hooks into your data. There are many more. Had I included a sixth, it would have been that cybercriminals like to lie in wait for you to slip up and inadvertently roll out the welcome mat for them.
Thieves are counting on your distractibility or ignorance. Fortunately, there are things you can do to reduce your risk. I have seven recommendations:
- Initiate a cybersecurity awareness training program. The importance of providing cybersecurity awareness training cannot be overstated. It can empower your employees to avoid threats of all types — even the really diabolic ones. The goal of this training is not merely to educate your team concerning potential security threats but also to encourage a change in behavior (thereby reducing the risk that human error will pave the way for a successful cyberattack). The training is more likely to take hold if it’s delivered at regular intervals and in bite-size pieces. It’ll also help if you make the training fun and easy.
- Provide instruction in spotting phishing attempts. Teach your team to recognize phishing and the many forms it can take. Then test their ability to identify scam emails. Train some more if they still have trouble separating fake from real emails. Or, better yet, set up automated phishing defenses — done right, these can detect and block up to 99% of sophisticated phishing emails before they reach employee inboxes. Automated defenses can also provide detailed reports showing each employee’s record of success in thwarting phishing attempts.
- Establish IT security policies. These serve as a road map to help you and your team navigate data management, including the protection of confidentiality, integrity and availability. Mainly, though, they boost your ability to take a bite out of cybercrime and to prevent technical glitches from creating major disruptions. The most common security policies cover disaster recovery planning, acceptable use criteria, and password construction guidelines.
- Monitor the “dark web.” The aptly named dark web is a hive of scum and villainy. It’s where stolen passwords (and a whole lot more) end up and are sold to the highest bidder. Because it’s such a dangerous place (and inaccessible via conventional browsers), you should use a dark-web scanning service to make sure none of your email addresses, passwords or other sensitive data have found their way to this online den of thieves. Once exposed credentials are identified, your first action should be to change every password that has turned up there. However, scanning can’t be a one-time proposition — it must be done continually if it’s to let you respond immediately to threats and prevent breaches.
- Build a team-based password vault. Storing key passwords in a password vault will encourage everyone in your office to practice good hygiene for the strong passwords you create. Speaking of strong passwords, the surest and simplest way to create them is with the aid of a password generator. (It is a program that automatically assembles a long random string of very difficult-to-crack alphanumeric characters.) You should also pair your password vault with security best practices such as multifactor authentication, no sharing of passwords, and making sure passwords are never sent via email — not even that ONE time — or written on paper and then left out in plain view atop employee desks.
- Proactively monitor, maintain and patch your computers. It’s always better to deal with security risks early on while they’re still small rather than later when they turn huge and cause massive woe. Indeed, a Voke Media survey found that 80% of companies hit by a data breach said they could have prevented it had they only hardened their systems by installing updates and security patches in a timely way. That’s something you too need to be doing, but if you don’t have IT staff trained to monitor, maintain and patch your computers, you will find it advantageous to entrust those tasks to a reputable outside service. This will save you time and greatly reduce the potential for installation errors (those that cause data losses, file corruption or even system crashes).
- Always back up your emails and documents. Backing up safeguards your critical data against human error, illegitimate deletion, programmatic errors, malicious insiders, malware and hackers. Cloud-to-cloud SaaS backup is ideal — especially if it’s fully automated, HIPAA compliant, running nonstop in the background and employing multiple layers of operational and physical security. These layers should include SOC 2 compliance, application-level authentication of SaaS system access, strong encryption, intrusion detection, compartmentalized access to production servers, and certifications for third parties, privacy, and compliance matters.
It’s All About Protection
Not to put too fine a point on it, but you and your law firm are prime targets for cybercriminals. They want what you’ve got — and what you’ve got is incalculably valuable data.
They’re determined to get that data by outright theft or cunning subterfuge. You, in response, need to be at least as determined to stop them. Implement cybersecurity policies to protect your clients and to protect yourself.
Even if you’ve already been the victim of a cyberattack, you still need to put cybersecurity policies in place. Why? Because criminals usually like to return to the scene of the crime for a second bite at the apple. What you must do is make sure that upon their return, they find you sitting behind fortress walls rather than inside a grass hut.
The greatest possible protection of your data is the name of the game.
Subscribe to Attorney at Work
Get really good ideas every day for your law practice: Subscribe to the Daily Dispatch (it’s free). Follow us on Twitter @attnyatwork.