When it comes to email security in law firms, there are several different elements to consider. This is not restricted to the cybersecurity and technical side of the issue, because a large proportion of data breaches involve some form of human error.
Last year The Law Society reported that data breaches are the biggest threat faced by British law firms, which are a very attractive target for cybercriminals. Shockingly, law firms remain unprepared, failing to implement cybersecurity best practice. It is little surprise then that, in 2017, a reported £11m of client money was stolen as a result of cyber fraud. Therefore, all email best practice must include user training.
What can law firms do to tighten email security?
There are a number of technical measures you can take to improve your firm’s email security. As an initial filter, multi-factor authentication is now widely used and adds an extra layer of security when staff log into their email. The additional layer is needed because a password on its own can be defeated by attackers trying passwords recycled from other breaches (credential stuffing). Hackers work on the assumption that people use the same password across most or all of their accounts; once they have the password from an insecure account, they can use it to gain access to the user’s other accounts. Multi-factor authentication helps prevent them gaining entry even when the recycled password is correct.
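The recycled-password attack described above looks different in sign-in logs from an ordinary brute-force attempt: one source tries many different accounts, usually once or twice each, rather than hammering one account with many passwords. The Python below is an added example, not part of this article or of any product mentioned in it. It works over constructed sign-in log lines in an assumed format and flags source addresses that attempt several distinct accounts, listing which attempts succeeded so those accounts can be reset and checked for MFA enrolment.

```python
"""Spot credential-stuffing sources in sign-in logs (added example).

The log format below is assumed for illustration; real mail platforms
export sign-in events in their own schema, but the same fields (time,
account, source IP, outcome) are present in all of them.
"""
import re
from collections import defaultdict

# Constructed sample: one source sprays five accounts (one succeeds),
# another source repeatedly attacks a single account.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice@example.com ip=203.0.113.5 result=FAIL
2024-03-04T09:12:02Z user=bob@example.com ip=203.0.113.5 result=FAIL
2024-03-04T09:12:02Z user=carol@example.com ip=203.0.113.5 result=FAIL
2024-03-04T09:12:03Z user=dave@example.com ip=203.0.113.5 result=SUCCESS
2024-03-04T09:12:04Z user=erin@example.com ip=203.0.113.5 result=FAIL
2024-03-04T09:15:10Z user=alice@example.com ip=198.51.100.7 result=FAIL
2024-03-04T09:15:20Z user=alice@example.com ip=198.51.100.7 result=FAIL
2024-03-04T09:15:30Z user=alice@example.com ip=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Turn raw log text into a list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_accounts=3):
    """Return {ip: {...}} for every source that tried at least
    `min_accounts` distinct accounts, the signature of a recycled-password
    spray. A source that fails many times against ONE account is a
    classic brute-force attempt and is deliberately not matched here."""
    by_ip = defaultdict(lambda: {"users": set(), "success": set()})
    for e in events:
        by_ip[e["ip"]]["users"].add(e["user"])
        if e["result"] == "SUCCESS":
            by_ip[e["ip"]]["success"].add(e["user"])
    return {
        ip: {
            "accounts_tried": sorted(d["users"]),
            # Accounts where the recycled password worked: reset these first.
            "compromised": sorted(d["success"]),
        }
        for ip, d in by_ip.items()
        if len(d["users"]) >= min_accounts
    }


def find_bruteforce_targets(events, min_failures=2):
    """Complementary rule: accounts with repeated failures from one source."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["ip"], e["user"])] += 1
    return sorted(k for k, n in fails.items() if n >= min_failures)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for ip, info in find_stuffing_sources(evs).items():
        print(f"stuffing from {ip}: tried {len(info['accounts_tried'])} accounts, "
              f"compromised={info['compromised']}")
    for ip, user in find_bruteforce_targets(evs):
        print(f"brute force against {user} from {ip}")
```

The two rules are kept separate because the responses differ: a stuffing source is blocked and every account it touched is reviewed, whereas a brute-force pattern against one mailbox points at that mailbox and its lockout policy.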
A second step is to filter emails in order to reduce the number of malicious emails that reach the user. Office 365 offers tools for this, and solutions like Mimecast have become the de facto standard in the legal sector. All emails are routed via a Mimecast server that checks they are safe before the user is allowed to open them. While it is not foolproof, it does reduce the opportunity for users to do something they should not. Outbound emails are also routed via Mimecast, which minimises the risk of users accidentally or maliciously sending out data they should not, such as credit card numbers, passport numbers, etc.
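As an added illustration of the outbound filtering described above (example code written for this page, not Mimecast's or Microsoft's), the following Python scans an outgoing message body for card numbers and passport numbers. Card candidates are validated with the Luhn check digit so that random 16-digit references such as matter or invoice numbers are not flagged; the passport rule is an assumed pattern (the word "passport" followed within a few words by nine digits) used here for illustration only. Matches are masked before being recorded, so the DLP alert does not itself leak the data it found.

```python
"""Minimal outbound DLP check for an email body (added example)."""
import re

# Constructed message body: one genuine test card number, one 16-digit
# reference that is not a card, and a passport number.
SAMPLE_OUTBOUND = (
    "Hi, please charge the deposit to card 4111 1111 1111 1111.\n"
    "Our matter reference is 1234 5678 9012 3456.\n"
    "Client passport number 123456789 is attached for the ID check."
)

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed passport pattern for this example: keyword, then up to 20
# non-digit characters, then exactly nine digits.
PASSPORT_RE = re.compile(r"\b[Pp]assport\b[^0-9]{0,20}(\d{9})\b")


def luhn_valid(digits):
    """Luhn check digit: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so alerts are safe to log."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_outbound(body):
    """Return a list of (category, masked_value) findings for the body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # drop numeric references that are not cards
            findings.append(("card_number", mask(digits)))
    for m in PASSPORT_RE.finditer(body):
        findings.append(("passport_number", mask(m.group(1))))
    return findings


def policy_decision(findings):
    """Simple policy: any finding holds the message for review."""
    return "BLOCK" if findings else "ALLOW"


if __name__ == "__main__":
    found = scan_outbound(SAMPLE_OUTBOUND)
    for category, masked in found:
        print(f"{category}: {masked}")
    print("decision:", policy_decision(found))
```

In a real gateway the decision would usually be graded (encrypt, hold for approval, or block) and tied to the recipient domain, but the core of the control is exactly this: recognise the sensitive pattern reliably, and act before the message leaves.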
In Office 365, you can encrypt emails and apply protection measures to them, so that some emails can only be forwarded internally, old copies of an email are automatically removed, and so on. It can also be configured to prevent users from sharing their screen, making it harder for them to transfer confidential information.
The use of technology is only one aspect of email security. User education is a key part. In 2019, 90% of UK data breaches were ascribed to human error – an increase on the previous two years, which indicates we all have a lot to learn.
You must therefore hold regular, robust training sessions with users in order to educate them about what they should and should not be doing. For example, they should not be clicking on a link and entering credentials without questioning the source – a route to breach that has become all too common. Users need to be taught to be more wary of such links – a safer approach is for users to go directly to the relevant website to enter their details, rather than click through a link.
Users often know the principles of email security, but if they are busy they can be caught unawares. This is why frequent training is necessary to reinforce the message and keep email security in mind.