In the first article in our series on ‘Law Firms: 6 Most Common IT Oversights’, we take a closer look at the problems and pain-points encountered by law firms and the technical and non-technical – surprisingly human – ways of solving those issues.
In fact, we find the main misconception made by law practices is that ‘it is not going to happen to me’. The assumption is that the top law firms are the ones being targeted by cybercriminals and that the smaller practices are not of interest to them.
Cybersecurity should always be thought of in terms of ‘when’, not ‘if’. By assuming that you are not a target, or that cyber attacks are something that only happen to large firms, you are sleepwalking towards disaster.
Research undertaken by the National Cyber Security Centre and The Law Society discovered that 82% of the country’s top legal firms are worried about cyber threats. However, it is a different story for SMEs, who assume they are too small to be a target and therefore do not have to worry. This could not be further from the truth.
In the last 12-month period, 40% of companies in the UK suffered some form of data breach or attack. In 2017, 60% of legal companies reported an information security issue – and with the introduction of GDPR in 2018, it is fair to assume the latest figures will be higher. That means your law firm has a greater than 1 in 2 chance of being hacked.
A further sobering fact is that breaches normally take around six months to find, so you may have been hacked already but don’t know it. When it comes to cyber attacks, always think in terms of when, not if.
The 2018 report ‘The Cyber Threat to UK Legal Sector’, produced by the National Cyber Security Centre and The Law Society, concluded that the main cyber threats faced by the legal sector are phishing, data breaches, ransomware and supply-chain compromise. We look at each in turn below.
Phishing emails are getting harder to spot as phishers try ever more sophisticated ways of fooling people into unwittingly clicking a malicious link and infecting their system. For example, we’ve recently seen a huge number of phishing emails purporting to be from Microsoft. Once the hackers get into the system, they have the ability to monitor your business. This means that if you handle a property transaction or large investment, they can then take steps to divert payments to their own accounts.
What you can do – Introducing two-factor authentication gives your company an extra layer of protection against phishing attacks. Training your staff to spot phishing emails is also a vital element – it is estimated that human error accounts for an astonishing 95% of security breaches – we will cover this topic in the next article in this series.
If you think a cyber security breach will never happen to you, you are kidding yourself. Most cyber attacks are automated and are searching for vulnerabilities in any system. Even if your company’s data is not the target, a breach in your system may provide hackers with a doorway into another, larger company.
What you can do – The very least you need to do is adhere to Cyber Essentials good practice, ensuring you have firewalls, anti-virus software, password and account lockout policies, controls on admin privileges, etc. in place to reduce the chance of a data breach.
Ransomware is smuggled into an IT system by someone mistakenly opening a link or attachment which contains malicious code. The ransomware encrypts and freezes your company’s data while issuing a message demanding money in return for its release. Of course, there is no guarantee that even if you did pay the ransom your data would be returned.
What you can do – To reduce the likelihood of ransomware being activated, you must control the software and applications you allow onto your system, train your staff to recognise potential malware and have a business continuity plan in place to bypass the hackers and retrieve data safely should an attack happen.
With the increased use of digital technology, if one of your suppliers becomes compromised, the hackers could then get into your system – and vice versa.
What you can do – Make sure your suppliers have adequate cybersecurity controls to lessen the risk of their systems becoming infected.
If you would like to gain a better understanding of how hackers are targeting your company and the measures you can take to minimise the risk of a cyber attack, sign up for our newsletter, keep an eye on our events calendar, or contact us to book an appointment.
In Part Two of our series on ‘Law Firms: 6 Most Common IT Oversights’, we will look at the importance of training your staff to recognise fake emails and links. As mentioned earlier, with human error accounting for 95% of security breaches, staff awareness is a vital defence against a cyber attack.